On Mar 4, 2020, at 2:44 PM, Joseph <freerad-user-created@optimusride.com> wrote:
Hi, I'm trying to get EAP-TTLS set up, but the certificate is always asking for verification. This is failing on Windows 10, but tests out ok (without complaining) with eapol_test, radtest, and Ubuntu 16.04.
Because those systems are a little more forgiving, *and* they give you useful information about what goes wrong.
This matches what I expect. The certificate information, on the radius server:
That's good.
This seems to meet the requirements of https://wiki.freeradius.org/guide/Certificate_Compatibility (extended key usage) and https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+consideratio... (CN and SAN defined and the same, not wild card, extended key usage: authentication, age). TLS1.2 is enabled and shows to be used (Windows 8+ requirement)
Yes. But... it's Windows. It decides it doesn't like things, and then doesn't work. Why does it to this? Who knows... and Windows definitely won't give you any hints here.
The radius server certificate would seem to be trusted. Does anyone know what I might be missing?
Maybe it doesn't like short-lived certificates?
ldap/eap configuration taken from https://github.com/hacor/unifi-freeradius-ldap, and I substituted in the ssl certificates. (Could the problem originate here?)
Maybe, but likely not. As an aside, I'm not sure why these third-party documentation is needed. The server comes with *extensive* documentation on getting EAP and LDAP to work. Just follow the comments, do some simple tests, and it should be quick.
The only thing missing is MTU/packet fragmentation, but I'm under the impression that's not happening -- or hoping. My network is just APs connected to a switch which routes to FreeRADIUS. FreeRADIUS then uses Google LDAP for authentication as EAP-TTLS/PAP.
The only option here is to get some more logs from Windows as to *why* it doesn't like the certificate. No amount of poking FreeRADIUS will get you that information. Alan DeKok.