Windows 10 EAP-TTLS with client certificate

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jan 22 15:43:38 CET 2020



> On Jan 22, 2020, at 7:48 AM, Matthew Newton <mcn at freeradius.org> wrote:
> 
> On Wed, 2020-01-22 at 08:08 +0100, Tomasz Wolniewicz wrote:
>> W dniu 22.01.2020 o 03:13, Alan DeKok pisze:
>>> On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate at inf-it.com> wrote:
>>>> I successfully installed and configured our FreeRADIUS server
>>>> with the following results:
>>>> 
>>>> 	EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina)
>>>> 	EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15
>>>> 	EAP-TTLS + PAP (LDAP auth) + client cert => does NOT work on Windows 10, but works on iOS 13, macOS 10.15
>>> 
>>>  Windows doesn't do client certificates for TTLS. :(
>> 
>> You can certainly configure EAP-TLS as the inner method for TTLS in
>> the native Windows 10 TTLS, not sure if it will actually work though.
> 
> PEAP/EAP-TLS definitely works (or, at least it works on Windows 7). The
> only real benefit was to get SoH along with EAP-TLS.
> 
> But as Microsoft removed SoH in Windows 10, there's not likely much
> point having PEAP in the mix any more, it just adds round trips.
> 
> I'm guessing that EAP-TTLS/EAP-TLS may also work if the above still
> works, but again doubt there's much point.
> 
> The obvious benefit to client certificates with PEAP or EAP-TTLS
> directly would be to require presentation of a client certificate
> (outer) alongside the username and password (inner). Unless they've
> changed something recently, as Alan said, that's not possible.

Yeah, true: the supplicant would need to send credentials in the inner tunnel in addition to running EAP-TLS, which the Windows supplicant doesn't support.

I guess the OP is SOL then :(

-Arran
