On Wed, 2020-01-22 at 08:08 +0100, Tomasz Wolniewicz wrote:
W dniu 22.01.2020 o 03:13, Alan DeKok pisze:
On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate@inf-it.com> wrote:
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
Windows doesn't do client certificates for TTLS. :(
You can certainly configure EAP-TLS as the inner method for TTLS in the native Windows 10 TTLS, not sure if it will actually work though.
PEAP/EAP-TLS definitely works (or, at least it works on Windows 7). The only real benefit was to get SoH along with EAP-TLS. But as Microsoft removed SoH in Windows 10, there's not likely much point having PEAP in the mix any more, it just adds round trips. I'm guessing that EAP-TTLS/EAP-TLS may also work if the above still works, but again doubt there's much point. The obvious benefit to client certificates with PEAP or EAP-TTLS directly would be to require presentation of a client certificate (outer) alongside the username and password (inner). Unless they've changed something recently, as Alan said, that's not possible. -- Matthew