FW: EAP authentication with Windows 10

Rob Rutledge robertrutledge2005 at charter.net
Sun Apr 23 01:18:54 CEST 2017


Thanks for the quick response.

The way I updated the certificates was to save the original directory to a certs_bak directory. Then I followed the instructions in the README file to delete all the .pems, .ders, etc., etc. Something strange happened when I tried the make on the server.pem certificate, and I got some error messages that it couldn't be written to the database, although the certificate was created. When I tried to start radiusd in debug mode after that, radiusd would not start, complaining that it could not read the server.pem certificate. I then moved all the original certificates back into the certs/ directory and then I could get radiusd to start again. I assumed this put me back at the same setup I had before.

Other than that nothing changed on the Windows 10 laptop other than Windows updates maybe??  I don't know of anything else.  

As a side note, when I first set this up the ca.der would not install on the laptop, advising it was not a valid security certificate. I was able to tftp the ca.pem certificate to my laptop and then install that from certmgr. That's when I finally got it to work. That certificate is still in my certificate store although it is expired now. When I did create the new certificates, the new ca.der certificate did install in my certificate store this time, so I thought voilà, it will work. No such luck. Anyway, both certificates are still installed in my certificate store.

I will try manually configuring the SSID on my laptop and uncheck the CA cert validation.

Thanks.  

Rob Rutledge, CCNP CCDP

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+robertrutledge2005=charter.net at lists.freeradius.org] On Behalf Of Matthew Newton
Sent: Saturday, April 22, 2017 3:52 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: FW: EAP authentication with Windows 10

On 22 April 2017 21:26:04 BST, Rob Rutledge <robertrutledge2005 at charter.net>
wrote:
>I have had Freeradius up and running successfully since February.  I 
>set up a Windows 10 wireless client to authenticate to it along with an 
>iPhone 6.

That's good.

>For some reason the Windows 10 client quit working last week.  (The 
>iPhone is still working fine although I see in the debugs it is using 
>TLS1.0)

I would have preferred to be back at exactly the same setup you had then, and look at the debug log, rather than change some stuff which now means you might have more broken things. But that's probably not possible now...

The real question should be - what changed that stopped it working?

> I
>assumed it was a problem with the certificates expiring, but creating 
>new ones has not helped.  Therefore I went back to the originals.  I 
>was not able to get the client.p12 certificate installed so instead I 
>use WPAV2 and I did not specify the username/password in my AP.  
>Therefore the authentication process would let me enter the 
>username/password combination and then have me accept the certificate 
>which I only had to configure once.
>Then it stopped working and I cannot even get past the 
>username/password combination now.

>(5) eap_peap: ERROR: TLS Alert read:fatal:access denied

Looks like it might be Windows not trusting the server CA. Is the CA cert installed correctly in Windows?

If it authenticates with CA cert verification disabled, then this is certainly the problem. But don't do that in normal operation as it's not secure.


--
Matthew
