On Jan 26, 2021, at 8:30 AM, Vieri Di Paola <vieridipaola@gmail.com> wrote:
Now, most of my clients are Windows 10 and just a few Windows 7. They can access with PEAP mschap-v2 via WiFi.
I am now trying to configure WiFi access with EAP-TLS and host certificates.
Please bear with me as I haven't handled freeradius for years now, and I'm a bit rusty.
TBH, the FreeRADIUS side is simple. Make the test certs, and start the server.
I already have a custom Signing Authority (ca.pem). So, within /etc/raddb/certs I ran the following after adjusting the corresponding *.cnf files:
# make server.pem # make server.csr # make inner-server.pem # make client.pem
That's good.
The Windows 10 client has imported both the CA in trusted roots and the client certificate in the "local computer" store. I chose the common name "PC2036" (see below).
That might work... it depends. Windows has a few certificate stores. If you put the certs into the wrong one, then EAP-TLS won't work.
The wireless connection is set up with a "smart card or other certificate" (computer account).
I'm not sure that will work. You're better off using a user account, and putting the certs into the local cert store for the *user*.
(132) Sent Access-Challenge Id 67 from 10.215.144.91:1812 to 192.168.216.36:58425 length 0 (132) EAP-Message = 0x018b00060d20 (132) Message-Authenticator = 0x00000000000000000000000000000000 (132) State = 0x007a782400f175f114c01cbf42164dc9 (132) Finished request Waking up in 4.9 seconds. (132) Cleaning up request packet ID 67 with timestamp +2318 Ready to process requests
I then read this: https://wiki.freeradius.org/guide/certificate-compatibility
Exactly.
So I decided to replace the whole certificate directory just to make sure the test certs work.
Huh? The wiki page above doesn't say to replace the whole cert directory. It says to import the certificates into the *correct* certificate store on Windows. Put the certificates into the correct Windows certificate store. Nothing else will make EAP-TLS work. Alan DeKok.