PEAP with Machine auth

Bonald bonald at gmail.com
Thu Oct 27 14:12:39 CEST 2011


The weird thing is that I didn't see that popup.

On Wed, Oct 26, 2011 at 5:07 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 10/26/2011 07:53 PM, Francois Gaudreault wrote:
>>
>> Correct me if I am wrong, but that should not be needed when you are not
>> validating server certificate.
>
> There are a few issues; let me try to lay them out.
>
> First: it seems you MUST install the CA on the client (in one or both of the
> user or machine store, depending on whether you're doing user or
> machine-based auth). Authentication will simply fail if you don't install
> the CA - although helpfully Windows does seem to send an "invalid CA" TLS
> alert.
>
>
> Second: If (and only if) you install the CA, then when you FIRST connect to
> a network, you will be shown the dialog box "The connection attempt could
> not be completed". In my testing, if you click "Continue", then Windows
> will:
>
>  a. Check the "Validate server certificate"
>  b. Leave the "Connect to these servers" (hostname/CN) blank
>  c. Check the box next to the CA cert
>
> That is, Windows will "trust on first use" (TOFU) the *specific* CA for that
> *specific* connection profile (WLAN SSID or Wired "profile").
>
> The text at the link given by the OP is misleading. The issue is not whether
> the CA is a "Trusted" CA on the machine/user store as a whole. It's whether
> it's trusted for *that specific connection* as a CA for signing the
> authentication server cert.
>
> I'm unsure whether the OP is clicking "Continue" at the prompt and it's
> failing, or if he's not clicking "Continue" or not even being presented with
> the option - but as I say, in my testing, TOFU works.
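The three settings Phil describes (validate server certificate on, "Connect to these servers" blank, one specific CA ticked) live in the per-profile XML that `netsh wlan export profile name="<SSID>" folder=.` writes out. The script below is an added example, not code from this thread or from FreeRADIUS: it parses such a profile, reports those settings, and warns where the TOFU-produced profile is weaker than a pushed one. The two sample profiles, the CA thumbprint and the server name `radius.example.org` are constructed; the element and namespace layout follows the `EapHostConfig`/`MsPeapConnectionProperties` schema that exported PEAP profiles use.

```python
"""Audit the server-validation settings in an exported Windows PEAP profile.

Added example for this thread; it is not code from the list posters or from
FreeRADIUS.  Export a real profile with
    netsh wlan export profile name="<SSID>" folder=.
The two sample profiles and the CA thumbprints below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "ehc": "http://www.microsoft.com/provisioning/EapHostConfig",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed SHA-1 thumbprint, in the "aa bb cc ..." form the profile uses.
CA_SHA1 = "1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d"


def normalize_thumbprint(tp: str) -> str:
    """Profiles store 'aa bb ...'; certutil / Get-ChildItem Cert:\\ show 'AABB...'."""
    return "".join(tp.split()).lower()


def ca_installed(profile_thumbprint: str, store_thumbprints) -> bool:
    """True if the CA pinned in the profile is also in the Root store listing."""
    return normalize_thumbprint(profile_thumbprint) in {normalize_thumbprint(t) for t in store_thumbprints}


def audit_peap_profile(xml_text: str) -> dict:
    """Return the server-validation settings of a PEAP (type 25) profile plus warnings."""
    root = ET.fromstring(xml_text)
    eap = root.find(".//onex:EAPConfig/ehc:EapHostConfig/ehc:Config/base:Eap", NS)
    if eap is None or eap.findtext("base:Type", namespaces=NS) != "25":
        raise ValueError("not a PEAP (EAP type 25) profile")
    peap = eap.find("peap:EapType", NS)
    sv = peap.find("peap:ServerValidation", NS)
    # "Validate server certificate" checkbox; None means the element is absent.
    perform = peap.findtext("peap:PeapExtensions/peap2:PerformServerValidation", namespaces=NS)
    names = (sv.findtext("peap:ServerNames", namespaces=NS) or "").strip() if sv is not None else ""
    cas = [normalize_thumbprint(e.text) for e in (sv.findall("peap:TrustedRootCA", NS) if sv is not None else []) if e.text]
    prompt_disabled = sv is not None and sv.findtext("peap:DisableUserPromptForServerValidation", namespaces=NS) == "true"

    warnings = []
    if perform != "true":
        warnings.append("server certificate not validated: any RADIUS server can harvest the MSCHAPv2 exchange")
    if not cas:
        warnings.append("no TrustedRootCA pinned in this profile")
    if not names:
        warnings.append("ServerNames blank: any certificate issued by the pinned CA is accepted")
    if not prompt_disabled:
        warnings.append("user prompt enabled: first connection can trust-on-first-use an unexpected server")
    return {"validate_server_cert": perform == "true", "server_names": names,
            "trusted_root_cas": cas, "prompt_disabled": prompt_disabled, "warnings": warnings}


def sample_profile(server_names: str, disable_prompt: bool, thumbprint: str) -> str:
    """Constructed machine-auth PEAP profile in the netsh export layout (names are made up)."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <SSIDConfig><SSID><name>corp-wifi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>{str(disable_prompt).lower()}</DisableUserPromptForServerValidation>
                  <ServerNames>{server_names}</ServerNames>
                  <TrustedRootCA>{thumbprint}</TrustedRootCA>
                </ServerValidation>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


# What the "Continue" click leaves behind: CA ticked, server name blank, prompt still on.
TOFU_PROFILE = sample_profile("", False, CA_SHA1)
# What a pushed profile should look like: same CA, expected server name, no prompt.
HARDENED_PROFILE = sample_profile("radius.example.org", True, CA_SHA1)

if __name__ == "__main__":
    for label, xml_text in (("tofu", TOFU_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap_profile(xml_text))
```

On a real client, feed the audit the exported XML and compare `trusted_root_cas` against the thumbprints in `Cert:\LocalMachine\Root` (machine auth) or `Cert:\CurrentUser\Root` (user auth) with `ca_installed`; a CA that is pinned in the profile but missing from the matching store is exactly the "invalid CA" failure described above, and a blank `ServerNames` means any certificate from that CA, not just the RADIUS server's, will be accepted.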