EAP-TTLS works for MacOS supplicants but not Win10
Alan DeKok
aland at deployingradius.com
Thu Sep 17 21:24:01 CEST 2020
On Sep 17, 2020, at 3:20 PM, Evan Sharp <evan.sharp at coastmountainacademy.ca> wrote:
> No. They are using their Google Cloud Identity credentials since freeRADIUS
> is binding on Google Secure LDAP.
*Something* is telling the devices to allow your CA. This does *not* happen automatically.
> Is it possible that the AP controller is not passing the cert request back
> to the supplicant and instead is answering RADIUS with the key I installed?
I have no idea what that means. What "key" did you install?
The AP doesn't do certs, and doesn't know about them. It just passes packets back and forth between the end-user device and the RADIUS server.
> This would explain how a tunnel is being established without a cert on the
> BYOD. Midway in the first passthrough:
The end user device DOES have a certificate configured.
> 1. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
> the rest of authorize
> 2. (0) [eap] = ok
That's just the start of the EAP conversation. It is LONG before any certificate exchange.
Alan DeKok.