To respond to myself, I was able to make Google LDAP + FreeRADIUS + PAP authentication on Windows 10 work by manually creating a connection in Windows. It is not possible to _edit_ a connection and establish the settings that I needed. For this, you'll create a new network connection through the Network and Sharing center. Create a new Wireless network, with WPA-Enterprise security. Next. You'll have an option to change the network settings, so don't Finish, and instead change settings. These options are not available through any GUI that I've found after the connection is created. Specify: - network authentication security method: Microsoft: EAP-TTLS - Enable Identity Privacy (checked) - Connect to these servers: - Specify the DNS alt-name of the SSL certificate that you're using (the one signed by a trusted CA) - Trusted Root Certification Authorities: - Select _only_ the CA root that vouches for the above certificate - Client authentication: Unencrypted PAP - Ok ok ok save finish. I'm not able to do this merely with a certificate that is signed by a trusted CA -- I specifically have to tell Windows _which_ RADIUS server to connect to (Connect to these servers). Unsure how/why/if this differs from an Active Directory domain, as again I'm using Google LDAP and not AD. I can then use `netsh` to export the wlan profile and import it on other machines (and maybe netsh can even change the settings). Currently I have a script set up to echo the whole wlan profile to a temp file (echo because when you run as admin it changes from the script's directory) and import from that temp file, all in one .cmd script. Testing suggests Windows stores the user credentials in a local store for re-connecting to the wireless network, so users only have to log in once. Joe On Wed, Mar 4, 2020 at 2:44 PM Joseph <freerad-user-created@optimusride.com> wrote:
Hi, I'm trying to get EAP-TTLS set up, but the certificate is always asking for verification. This is failing on Windows 10, but tests out ok (without complaining) with eapol_test, radtest, and Ubuntu 16.04.
"Continue connecting? "If you expect to find your-wifi in this location, go ahead and connect. Otherwise, it may be a different network with the same name. "Server thumbprint: 21 4B 37 ED ..."
This matches what I expect. The certificate information, on the radius server: $ openssl x509 -in server.pem -noout -text -fingerprint -sha256 Issuer: C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin@example.org, CN = Example Certificate Authority Validity Not Before: Mar 4 19:20:40 2020 GMT Not After : May 3 19:20:40 2020 GMT Subject: C = FR, ST = Radius, O = Example Inc., CN = radius.internal.mydomain.com X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <present> X509v3 Subject Alternative Name: DNS:radius.internal.mydomain.com SHA256 Fingerprint=21:4B:37:ED:90:D8:...
This seems to meet the requirements of https://wiki.freeradius.org/guide/Certificate_Compatibility (extended key usage) and https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+consideratio... (CN and SAN defined and the same, not wild card, extended key usage: authentication, age). TLS1.2 is enabled and shows to be used (Windows 8+ requirement)
The CA certificate is added to Windows, Local computer, Trusted Root Certification Authorities: Example Certification Authority valid from: 3/3/2020 to 5/2/2020 CN = Example Certificate Authority, E = admin@example.org, O = Example Inc., L = Somewhere, S = Radius, C = FR Thumbprint: 4758ae7e
Verifying this on the radius server, freerad@radius:~/3.0/certs$ openssl verify -verbose -CAfile ca.pem server.pem server.pem: OK $ openssl x509 -noout -in ca.pem -fingerprint -sha1 SHA1 Fingerprint=47:58:AE:7E...
The radius server certificate would seem to be trusted. Does anyone know what I might be missing? ldap/eap configuration taken from https://github.com/hacor/unifi-freeradius-ldap, and I substituted in the ssl certificates. (Could the problem originate here?)