PEAP with Machine auth

Phil Mayers p.mayers at imperial.ac.uk
Wed Oct 26 22:07:47 CEST 2011


On 10/26/2011 07:53 PM, Francois Gaudreault wrote:
> Correct me if I am wrong, but that should not be needed when you are not
> validating server certificate.

There are a few issues; let me try to lay them out.

First: it seems you MUST install the CA on the client (in one or both of 
the user or machine store, depending on whether you're doing user or 
machine-based auth). Authentication will simply fail if you don't 
install the CA - although helpfully Windows does seem to send an 
"invalid CA" TLS alert.


Second: If (and only if) you install the CA, then when you FIRST connect 
to a network, you will be shown the dialog box "The connection attempt 
could not be completed". In my testing, if you click "Continue", then 
Windows will:

  a. Check the "Validate server certificate"
  b. Leave the "Connect to these servers" (hostname/CN) blank
  c. Check the box next to the CA cert

That is, Windows will "trust on first use" (TOFU) the *specific* CA for 
that *specific* connection profile (WLAN SSID or Wired "profile").

The text at the link given by the OP is misleading. The issue is not 
whether the CA is a "Trusted" CA on the machine/user store as a whole. 
It's whether it's trusted for *that specific connection* as a CA for 
signing the authentication server cert.

I'm unsure whether the OP is clicking "Continue" at the prompt and it's 
failing, or if he's not clicking "Continue" or not even being presented 
with the option - but as I say, in my testing, TOFU works.
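
To make the per-profile trust settings described above concrete, here is an added example (not from the original post, and not FreeRADIUS code) that audits an exported Windows PEAP profile for exactly the three things Windows fills in when the user clicks "Continue": whether "Validate server certificate" is on, whether "Connect to these servers" is blank, and which root CA thumbprints are checked. It assumes the element names of Microsoft's EapHostConfig / MsPeap profile schema as written by `netsh wlan export profile name="<SSID>" folder=.`; the profile embedded below is constructed for this example, with a made-up CA thumbprint.

```python
"""Audit an exported Windows PEAP profile for its per-profile server-trust
settings. Added example, not from the original post or from FreeRADIUS.

Assumption: element names follow Microsoft's EapHostConfig / MsPeap schema
(what `netsh wlan export profile` writes). SAMPLE_PROFILE is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample: the state Windows leaves a profile in after "Continue"
# at the first-connection prompt (validate on, no server names, one CA pinned).
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>example-ssid</name>
  <SSIDConfig><SSID><name>example-ssid</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                  <ServerNames></ServerNames>
                  <TrustedRootCA>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</TrustedRootCA>
                </ServerValidation>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

# Same profile with "Validate server certificate" unchecked, for comparison.
UNVALIDATED_PROFILE = SAMPLE_PROFILE.replace(
    ">true</PerformServerValidation>", ">false</PerformServerValidation>")


def _text(parent, path):
    """Stripped text of the first match of `path` under `parent`, or ''."""
    el = parent.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def audit_peap_profile(xml_text):
    """Return the three per-profile trust settings plus a list of findings."""
    root = ET.fromstring(xml_text)
    sv = root.find(".//peap:ServerValidation", NS)
    if sv is None:
        raise ValueError("no MsPeap ServerValidation block; not a PEAP profile")

    validate = _text(root, ".//peap2:PerformServerValidation") == "true"
    # "Connect to these servers" is a ';'-separated list of names.
    server_names = [n for n in _text(sv, "peap:ServerNames").split(";") if n]
    # Each checked CA is its own <TrustedRootCA> holding a spaced SHA-1 thumbprint.
    cas = [(e.text or "").replace(" ", "").lower()
           for e in sv.findall("peap:TrustedRootCA", NS)]
    prompt_enabled = _text(sv, "peap:DisableUserPromptForServerValidation") != "true"
    auth_mode = _text(root, ".//onex:authMode")  # machineOnly / userOnly / machineOrUser

    findings = []
    if not validate:
        findings.append("server certificate validation is off: any RADIUS server "
                        "can terminate the TLS tunnel and see the inner authentication")
    else:
        if not cas:
            findings.append("validation on but no CA checked: any CA in the store is accepted")
        if not server_names:
            findings.append("'Connect to these servers' is blank: any certificate "
                            "issued by the checked CA is accepted")
        if prompt_enabled:
            findings.append("user prompt enabled: a user can TOFU a new server/CA on first connect")
    return {"auth_mode": auth_mode, "validate_server_cert": validate,
            "server_names": server_names, "trusted_root_cas": cas,
            "findings": findings}


if __name__ == "__main__":
    for label, profile in (("after Continue", SAMPLE_PROFILE),
                           ("validation off", UNVALIDATED_PROFILE)):
        result = audit_peap_profile(profile)
        print(label, result["auth_mode"], result["trusted_root_cas"])
        for f in result["findings"]:
            print("  -", f)
```

Run it against a real export (`netsh wlan export profile name="<SSID>" folder=.` on the client, then `audit_peap_profile(open("Wi-Fi-<SSID>.xml").read())`) to see what the "Continue" click actually recorded for that profile; a deployment that pushes the profile by Group Policy or `netsh wlan add profile` would normally set `ServerNames`, `TrustedRootCA` and `DisableUserPromptForServerValidation=true` so the TOFU prompt never appears.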
