0

I have a Windows 10 laptop that's part of my school's domain (workgroup?). I want to temporarily boot into Linux to work on personal projects in my free time, but I won't have any internet, since to connect to the network the machine needs to be manually added to the domain by a sysadmin. Is there any way to get and then use the certificate (or other authentication data) that's used to connect the machine to the network while in Linux? I do not have administrator privileges in Windows, so most of this needs to take place in Linux if possible. I have checked the policy, and this doesn't break it.

1
  • 2
    You need to contact IT.
    – Tetsujin
    Commented Mar 31, 2023 at 16:42

2 Answers

1

Your IT people on the domain have placed some very strict restrictions on the network.

Your computer is principally known to the domain's router by the MAC address of your network adapter or that of your router, and these don't change because you rebooted to another OS.

You need to contact your IT service and find out why this is happening and how to avoid it. It might be because they are using some purely Windows network protocols that are disabled by default in Linux. Or it might simply be the name of the computer, which needs to be the same under both OSes.

0

It might be 802.1X, the wired Ethernet equivalent of WPA-Enterprise. It is possible to configure Ethernet switches to either deny all network access to hosts which don't speak 802.1X, or to put them in a "quarantine" VLAN with minimal access.

Check the Ethernet adapter's "Properties" to find out whether 802.1X is in use.

If it's indeed 802.1X, it will either use EAP-TLS with a machine certificate (which you'll need admin rights to export) or EAP-PEAP with your Active Directory login details (username and password). Ask your IT team for details; if it's a certificate it's possible they will issue you one if you provide them with a CSR (for a "TLS client" certificate).

Either way, wpa_supplicant (the same one as for Wi-Fi) will handle 802.1X for wired connections as well.

> I do not have administrator privileges in Windows, so most of this needs to take place in Linux if possible

While it is likely possible to export CAPI certificates from Linux, it seems that there are more tools for doing so within Windows, such as mimikatz (also).

If your IT "allows" you to have local admin rights but doesn't bother actually assigning them, install chntpw and use it to unlock and/or un-password one of the local administrator accounts. (Not sure if the "upgrade account to admin" option has been fixed; it would damage the account database when I last used it 15 years ago.)
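The IT-issued route described in the answer above (a CSR for a "TLS client" certificate, or PEAP with your own login, then wpa_supplicant on the wired port), sketched as an added example that is not part of the original answer. Host names, identities, file names and the MSCHAPv2 inner method are assumptions; `ca.pem` and `client.pem` stand for the files IT would supply.

```shell
#!/bin/sh
# Added example: all names, paths and identities are placeholders.
set -eu

# Key + CSR to hand to IT for a "TLS client" certificate. $1=dir $2=CN
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    chmod 600 "$1/client.key"
}

# Emit a wired 802.1X config. $1=file $2=tls|peap $3=identity $4=cert dir
write_wired_conf() {
    case "$2" in tls|peap) ;; *) echo "unknown method: $2" >&2; return 1 ;; esac
    (
        umask 077                       # file may hold a password
        {
            echo "ctrl_interface=/run/wpa_supplicant"
            echo "ap_scan=0"            # wired port: nothing to scan for
            echo "network={"
            echo "    key_mgmt=IEEE8021X"
            echo "    eapol_flags=0"    # no dynamic WEP keys on Ethernet
            echo "    identity=\"$3\""
            echo "    ca_cert=\"$4/ca.pem\""   # verify the RADIUS server
            if [ "$2" = tls ]; then
                echo "    eap=TLS"
                echo "    client_cert=\"$4/client.pem\""
                echo "    private_key=\"$4/client.key\""
            else
                echo "    eap=PEAP"
                echo "    phase2=\"auth=MSCHAPV2\""   # assumed inner method
                echo "    password=\"CHANGE_ME\""
            fi
            echo "}"
        } > "$1"
    )
}

demo=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
    make_csr "$demo" "laptop01.example.edu" || echo "CSR step failed" >&2
fi
write_wired_conf "$demo/wired-tls.conf"  tls  "host/laptop01.example.edu" "$demo"
write_wired_conf "$demo/wired-peap.conf" peap "student@example.edu"       "$demo"
# Then, as root: wpa_supplicant -D wired -i eth0 -c "$demo/wired-tls.conf"
```

Setting `ca_cert` in both variants makes the supplicant validate the RADIUS server's certificate before sending credentials.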
