Netgate Discussion Forum

RADIUS, 802.1x, AD Computer-based authentication

General pfSense Questions
  • moikerz
    Feb 10, 2018, 12:43 AM (last edited Feb 10, 2018, 1:16 AM)

    I'm getting a bit snowed-under with the options available to secure our wireless client access, so I'm finally resorting to asking a question :P

    What I'd like is only AD Computers and pre-approved devices to join the corp wireless without additional prompts. If the wireless device has an active AD account, or has a pre-approved MAC, then just connect already.

    I have read https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS and a few days' worth of various pfSense & other sites, but:

    • I do not want to use AD user/pass authentication, as I do not want my users to join their personal devices to the corp wireless just by entering their AD user/pass
    • I do not want to use a Windows CA; pfSense CA would be ok; if possible I'd like to avoid CA altogether.

    Unless I'm just not grokking the concept, why is it so hard to have an access point query Active Directory / LDAP to see if a computer is valid, and then allow it to connect?

    EDIT:
    I should note my driving reason:
    I'm tired of people (including my boss) at our remote locations asking for the corp wireless PSK password. I'd rather be happier knowing that all AD devices can connect automatically without my input. Thus I'd rather not use CAs, which would need to connect to the wired network at least once in order to obtain the CA via GPO, which cannot happen for Windows tablets.
