RADIUS wifi not working on Windows with domain users

Stefan Winter stefan.winter at restena.lu
Tue Apr 10 11:27:50 CEST 2018


Hello,

> with no problem, means that a box is coming up and I have to enter a
> username/password from my domain users. Once this is done, my
> username/password are stored and they are not requested anymore. In this
> case I didn't install any certificate on my computer.

That's what I meant by "gaping security hole". An attacker can simply
set up a Wi-Fi network with the same SSID and an arbitrary RADIUS server,
and your computer will happily send your username and password to that
rogue attacker whenever it is in the vicinity.

In order to achieve security, a client device MUST verify the
server-side certificate. That means installing the CA, marking it as
the CA to trust for this particular Wi-Fi network, and pinning the
expected server name.

I.e., your perception that you don't have a problem is wrong.

There are tools that let you specify your deployment details and
generate an installer that applies the right settings. One example is
https://802.1x-config.org

> For computers registered in the domain, there are several cases:
> 
> With Windows 10, I can connect if I do that before entering my
> username/password to start my session. Once my session has started, I
> can't connect anymore.
> 
> For Windows 7, as I can't connect before logging into a session, I tested
> 2 different situations: 1 with a local account and 1 with a domain
> account. In both cases I can't connect to my Wi-Fi and the certificate
> error appears.
> 
> My domain is a Samba domain, so I don't think (but I'm not sure) I can
> use GPOs for this.

If it's a Samba 4 AD server, you should be able to. If it's a Samba 3
"NT-Domain" style server, then no.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
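The two points made above (the evil-twin attack on a client that does not check the server, and the CA-plus-server-name check that defeats it) played through with OpenSSL, as an added example that is not part of the original mail or of FreeRADIUS. It models the decision a supplicant must make about the certificate the RADIUS server presents in the EAP TLS handshake before any username and password are sent into the tunnel. The CA names, host names (radius.example.org, mail.example.org) and file names are invented; it needs the openssl command-line tool (1.1.1 or newer) and runs in a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeRADIUS: what a properly
# configured 802.1X supplicant must do with the RADIUS server's certificate
# before it sends any credentials. All names below (Example Corp, the
# example.org hosts) are invented for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
# $1 = output file, $2 = subject CN, $3 = body of the [ext] section.
mk_conf() {
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n[dn]\nCN = %s\n[ext]\n%s\n' \
    "$2" "$3" > "$1"
}

# Self-signed CA. $1 = file basename, $2 = CN.
mk_ca() {
  mk_conf "$WORK/$1.cnf" "$2" 'basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign'
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Server certificate with a DNS SAN. $1 = basename, $2 = DNS name, $3 = issuing CA basename.
mk_server() {
  mk_conf "$WORK/$1.cnf" "$2" "subjectAltName = DNS:$2
extendedKeyUsage = serverAuth"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 825 -extfile "$WORK/$1.cnf" -extensions ext \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The check a secure profile performs: the chain must end at the ONE pinned CA
# (system roots deliberately excluded) AND the certificate must carry the
# expected server name. Exit 0 = accept; anything else = do not send credentials.
supplicant_accepts() {   # $1 = pinned CA file, $2 = expected server name, $3 = presented cert
  openssl verify -no-CApath -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# The weaker check many clients end up with: CA pinned, server name not pinned.
ca_only_accepts() {      # $1 = pinned CA file, $2 = presented cert
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Scenario: the organisation's CA, an attacker's CA with the same display name,
# and three server certificates.
mk_ca corp-ca  "Example Corp RADIUS CA"
mk_ca rogue-ca "Example Corp RADIUS CA"
mk_server radius radius.example.org corp-ca    # the genuine RADIUS server
mk_server evil   radius.example.org rogue-ca   # evil twin: right name, attacker's CA
mk_server mail   mail.example.org   corp-ca    # genuine corp cert, but for another host

CA="$WORK/corp-ca.pem"; NAME=radius.example.org
for c in radius evil mail; do
  if supplicant_accepts "$CA" "$NAME" "$WORK/$c.pem"; then verdict=accept; else verdict=REJECT; fi
  echo "$c.pem with CA + server-name pin: $verdict"
done
if ca_only_accepts "$CA" "$WORK/mail.pem"; then
  echo "mail.pem with CA pin only: accept (this is why the server name must be pinned too)"
fi
```

Only radius.pem passes the full check. The evil twin fails even though its CA shows the same name as the real one, because the client trusts the CA by its key, not its label; and a genuine certificate issued by the right CA for a different host is rejected only when the server name is pinned as well, which is the setting a user-prompted "do you trust this certificate?" workflow never enforces.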