Thanks for the quick response. The way I updated the certificates was to save the original directory to a certs_bak directory. Then I followed the instructions in the README file to delete all the .pems, .ders, etc., etc. Something strange happened when I tried the make on the server.pem certificate and I got some error messages that it couldn't be written to the database although the certificate was created. When I tried to start radiusd in debug mode after that radiusd would not start complaining that it could not read the server.pem certificate. I then moved all the original certificates back into the certs/ directory and then I could get radiusd to start again. I assumed this put me back at the same setup I had before. Other than that nothing changed on the Windows 10 laptop other than Windows updates maybe?? I don't know of anything else. As a sidenote when I first set this up the ca.der would not install on the laptop advising it was not a valid security certificate. I was able to tftp the ca.pem certificate to my laptop and then install that from certmgr. That's when I finally got it to work. That certificate is still in my certificate store although it is expired now. When I did create the new certificates the new ca.der certificate did install in my certificate store this time so I thought voiila it will work. No such luck. Anyway both certificates are still installed in my certificate store. I will try manually configuring the SSID on my laptop and uncheck the CA cert validation. Thanks. Rob Rutledge, CCNP CCDP -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+robertrutledge2005=charter.net@lists.freeradius.org] On Behalf Of Matthew Newton Sent: Saturday, April 22, 2017 3:52 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: FW: EAP authentication with Windows 10 On 22 April 2017 21:26:04 BST, Rob Rutledge <robertrutledge2005@charter.net> wrote:
I have had Freeradius up and running successfully since February. I set up a Windows 10 wireless client to authenticate to it along with an iPhone 6.
That's good.
For some reason the Windows 10 client quit working last week. (The iPhone is still working fine although I see in the debugs it is using TLS1.0)
I would have preferred​ to be back at exactly the same setup you had then, and look at the debug log, rather than change some stuff which now means you might have more broken things. But that's probably not possible now... The real question should be - what changed that stopped it working?
I assumed it was a problem with the certificates expiring, but creating new ones has not helped. Therefore I went back to the originals. I was not able to get the client.p12 certificate installed so instead I use WPAV2 and I did not specify the username/password in my AP. Therefore the authentication process would let me enter the username/password combination and then have me accept the certificate which I only had to configure once. Then it stopped working and I cannot even get past the username/password combination now.
(5) eap_peap: ERROR: TLS Alert read:fatal:access denied
Looks like it might be windows not trusting the server CA. Is the CA cert installed correctly in windows? If it authenticates with CA cert verification disabled, then this is certainly the problem. But don't do that in normal operation as it's not secure. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html