Beamflash Networks
@beamflash
2.5K posts
Consumer of fine internet products. Cognitive spendthrift. Infrastructural pet coddler. He/Him. @[email protected]
Perth, Australia · Joined January 2010
283 Following · 177 Followers

Beamflash Networks @beamflash
@merill Wouldn't it make sense for them to be using passkeys in Authenticator instead of synced passkeys?

Merill Fernando @merill
@beamflash Wouldn't the security minded folks be using a phishing resistant method like passkeys in the first place?

Merill Fernando @merill
Microsoft Authenticator is about to wipe work accounts from jailbroken/rooted phones automatically 👏. No IT config needed. 🔥 3-phase rollout starting Feb 2026: ⚠️ Warn → 🚫 Block → 🗑️ Wipe Let your help desk and security teams know. 🔗 support.microsoft.com/en-us/account-…

Nathan McNulty @NathanMcNulty
PSA now that Cloud PKI is included in E5: if you did a trial of Cloud PKI, please don't use the old setup. Tear it all down and rebuild to ensure you are using proper keys backed by a hardware security module (HSM). There is no migration path: learn.microsoft.com/en-us/intune/i…

> Richard Hicks @richardhicks
> I'm really excited about this announcement. The Intune Suite is now included in #Microsoft 365 E3 and E5! Crucially, organizations with E3/E5 now have access to #CloudPKI for Intune! Time to replace those certificate connectors!! :) #mdm #msintune #security #pki techcommunity.microsoft.com/blog/microsoft…

Patrick McKenzie @patio11
Conscious that I have about five more issues of Bits about Money to write before the year is out. What would you like me to write about?

Kamil Galeev @kamilkazani
14. I think part of the reason it worked out in the south is that the south was just more criminal. Far off from Beijing. Further from the sight of government, further from any kind of regulation, good or bad. Dirty, slummy, lots of illegal immigrants. Open sewage, basically.

Kamil Galeev @kamilkazani
The greatest Western delusion about China is, and always has been, greatly exaggerating the importance of plan. Like, in this case, for example. It sounds as if there is some kind of continuous industrial policy, for decades. Which is a huuuuuuge misrepresentation of reality.

> Kyle Chan @kyleichan
> The phrase "complete industrial system" 完整工业体 appears a lot these days in China. But the phrase goes back to at least the 6th Five-Year Plan where the preface talks about building an "independent and relatively complete industrial system" 独立的,比较完整的工业体系"

Beamflash Networks @beamflash
@MyNameIsMurray @freeradius A bigger problem is that Intune can and not infrequently did take half an hour to provision a certificate, it was easily the biggest bottleneck in return to service when replacing a device.

Beamflash Networks @beamflash
@MyNameIsMurray @freeradius We reset passwords and logged in as students during provisioning. Bonus points in that when they change their password later, the cert still works fine. That's a choice though, and I agree that in an ideal world you'd be able to provision a user cert without wires/onboarding SSID.

Murray @MyNameIsMurray
I got a few small blocks of time to tinker with this FreeRADIUS setup a bit more, and I think I made a lot of progress. While I haven't moved beyond testing on-server with "radtest" and "eapol_test" at this stage, I do have this thing authenticating users from my Entra tenant.

Murray @MyNameIsMurray
@beamflash @freeradius But not for the same SSID, especially not with Intune as the NSM, though... right? Attempting to have both user and device policies will result in a conflict, and only the first one to be brought down by the IME sync will function. This just won't work. Neither will Ethernet use.

Beamflash Networks @beamflash
@MyNameIsMurray @freeradius I would argue that accepting the one-time pain of Ethernet onboarding is worth it vs ongoing disabling of credential guard and MFA for EAP-TTLS/PAP. And you can have different user vs device policies with EAP-TLS.

Beamflash Networks @beamflash
@MyNameIsMurray @freeradius The missing piece is the device trying TEAP but not having a user certificate yet; only ISE and ClearPass can handle that case, which is needed for onboarding. Standard EAP-TLS with device or user certificate only does work once you onboard via Ethernet, and I've done it in prod.

Beamflash Networks @beamflash
@MyNameIsMurray @freeradius Yes, that's the thing, it's technically non-standard and only implemented by ClearPass and ISE. Mist, Extreme and FreeRADIUS don't do it, they only implement RFC standard TEAP (device and user chained TLS cert auth success).

Beamflash Networks @beamflash
@freeradius @MyNameIsMurray I must have misunderstood it or the mailing list when I read them a few months ago. Could it be an implementation decision to send success with different attributes if the supplicant only sends one certificate?

Murray @MyNameIsMurray
@freeradius @beamflash Sure. The plan was to use SCEP to generate device certificates at device imaging time; That cert will be configured to allow basic web access for Intune, etc; That web access will allow the user cert to be provisioned; After which the user cert is "preferred" & gives full access.

Beamflash Networks @beamflash
@MyNameIsMurray But don't let that stop you from doing TEAP right now; just be aware that you'll need to do first login wired or with an onboarding wifi network for the user to get their certificate.

Beamflash Networks @beamflash
@MyNameIsMurray FreeRADIUS can't do device success/user fail for TEAP, which is what you want for onboarding. So far only ISE and ClearPass do it.

Murray @MyNameIsMurray
From what I mapped out earlier today, it appears that migrating from a server that is successfully using Entra + EAP-TTLS/PAP, over to the more desirable configuration of Cloud PKI + TEAP (both device and user certificate configurations in one) isn't going to be too bad. Maybe.

Patrick McKenzie @patio11
A useful intuition / skill for working with coding agents seems to be properly scoping a unit of work and managing one’s workday such that one has all units of work completed and documented for the next day.

Beamflash Networks @beamflash
@rucam365 I think the biggest hassle to doing it securely is how to manage them securely, what needs to be done to isolate them from regular Intune admins? Other replies note that VDI/AVD/W365 meets the user desktop need.

Ru Campbell @rucam365
Most IT teams, including mature ones, aren’t gonna adopt physical dedicated PAWs and it’s not reasonable to assert they should. What have been your most successful compromises for this?