EAP-TTLS works for MacOS supplicants but not Win10

Alan DeKok aland at deployingradius.com
Thu Sep 17 02:31:06 CEST 2020


On Sep 16, 2020, at 6:56 PM, Evan Sharp <evan.sharp at coastmountainacademy.ca> wrote:
> 
> Hi Alan, Matthew, et al.
> 
>> So if OSX and Chrome "just work", then it's because someone is
>> configuring it.
> 
> All respect guys, but these are dozens of K-12 student-owned BYODs.

  Do they connect to your network using credentials you supply?

https://support.google.com/chrome/a/answer/2634553?hl=en

	• On Chrome OS versions 61–72, certificates added to an organizational unit are available to both network settings and kiosk apps on devices. On earlier versions, certificates are only available to the network settings on a device.

> They
> haven't received any configuration and they all work out of the gate as
> operated by a 12 year old. I don't need to be right, but I don't know
> enough about what I've configured to understand how it is working; do you
> have any other ideas?

  So far as I'm aware *all* modern operating systems don't allow the user to configure EAP-TTLS or PEAP.  *All* systems refuse to accept even known CAs (i.e. web ones), unless the CA is enabled for EAP.

  I suspect what's happening is that the Chrome devices are pulling the certificate information from your systems.  So someone, somewhere, set it up for your network.

> It makes sense to me that Win10 is being finicky about a cert, but since
> installing one on these student-owned machines is something I want to
> avoid, I want to get to the bottom of OSX's success in case it's replicable.
> 
>> "it just stops".
>> 99% of the time it's a certificate issue.
> 
> Did you look at the end of my "failed bind" debug?

  Yes... that *is* what I do about 10 times a day.

> Is that what this looks like for sure?

  Yes, I'm not going to change my answer if you ask again.

> Is there any additional logging I can get besides `-X`?

  No amount of additional FreeRADIUS logging will tell you what's going wrong with Windows.

  In fact, if the client keeps trying EAP, the debug output will print out a huge warning, and point you to a Wiki page.  That page describes exactly what's going wrong, and how to fix it.

  Hint: configure Windows correctly.

  Alan DeKok.
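As an added example, not code from this thread or from FreeRADIUS: a Python check of the certificate properties a Windows supplicant insists on before it will finish the EAP-TTLS/PEAP TLS handshake, which is the "certificate issue" the reply above keeps pointing at. It assumes the third-party `cryptography` package and RSA-signed certificates; the function and helper names are mine.

```python
# Added example, not from this thread or from FreeRADIUS. Assumes the
# third-party 'cryptography' package is installed and RSA-signed certificates.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID

def _utc(dt):
    # older 'cryptography' releases return naive datetimes that are in UTC
    return dt if dt.tzinfo else dt.replace(tzinfo=datetime.timezone.utc)

def eap_server_cert_findings(server_pem: bytes, ca_pem: bytes) -> list:
    """Return problems that make a Windows supplicant silently abandon the
    EAP-TTLS/PEAP TLS handshake (on the RADIUS side the client 'just stops').
    An empty list means nothing obvious was found."""
    cert = x509.load_pem_x509_certificate(server_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    findings = []
    now = datetime.datetime.now(datetime.timezone.utc)
    nb = _utc(getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before)
    na = _utc(getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after)
    if not nb <= now <= na:
        findings.append("server certificate is outside its validity period")
    # Windows requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1) on
    # the server certificate; without it the handshake is dropped.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            findings.append("extendedKeyUsage is present but lacks serverAuth")
    except x509.ExtensionNotFound:
        findings.append("no extendedKeyUsage extension (needs serverAuth)")
    # The CA that clients are told to trust must itself be a CA certificate.
    try:
        if not ca.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            findings.append("issuer certificate is not marked CA:TRUE")
    except x509.ExtensionNotFound:
        findings.append("issuer certificate has no basicConstraints extension")
    # The server certificate must actually chain to the CA being distributed;
    # a mismatched pair is a common copy-and-paste mistake.
    if cert.issuer != ca.subject:
        findings.append("server certificate issuer does not match the CA subject")
    elif isinstance(ca.public_key(), rsa.RSAPublicKey):
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            findings.append("server certificate signature does not verify with the CA key")
    return findings
```

Run it against the PEM files FreeRADIUS is configured to serve and the CA you hand to clients; anything it lists is worth fixing before looking for a supplicant-side cause.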
