On Jan 22, 2020, at 7:48 AM, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2020-01-22 at 08:08 +0100, Tomasz Wolniewicz wrote:
W dniu 22.01.2020 o 03:13, Alan DeKok pisze:
On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate@inf-it.com> wrote:
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
Windows doesn't do client certificates for TTLS. :(
You can certainly configure EAP-TLS as the inner method for TTLS in the native Windows 10 TTLS, not sure if it will actually work though.
PEAP/EAP-TLS definitely works (or, at least it works on Windows 7). The only real benefit was to get SoH along with EAP-TLS.
But as Microsoft removed SoH in Windows 10, there's not likely much point having PEAP in the mix any more, it just adds round trips.
I'm guessing that EAP-TTLS/EAP-TLS may also work if the above still works, but again doubt there's much point.
The obvious benefit to client certificates with PEAP or EAP-TTLS directly would be to require presentation of a client certificate (outer) alongside the username and password (inner). Unless they've changed something recently, as Alan said, that's not possible.
Yeah true, the supplicant would need to send credentials in the inner tunnel in addition to running EAP-TLS, which the windows supplicant doesn't support. I guess the OP is SOL then :( -Arran