Configuring Windows 7 for a WPA2-Enterprise (EAP-TLS) Secured Wireless Network
Hi, I have setup a WPA2-Enterprise secured WiFi Access Point that authenticates connections via FreeRadius v3.0.4, using EAP-TLS running on a FreeBSD machine. Please note that I generated a CA certificate, a server certificate, the various client certificates and the Diffie Hellman file using the ssl-admin tool. I created a client certificate for an android device by creating a "one-step request/sign" in ssl-admin, and then created a keyfile bundle using openssl via a command that looks something like this... openssl pkcs12 -export -out client_android.p12 -in ./active/client_android.pem -inkey ./active/client_android.key -certfile /usr/local/etc/ssl-admin/active/ca.crt I imported the generated file onto the device, and it can now successfully access the secured wireless network. I now need to do something similar for a Microsoft Windows 7 machine. From what I have been able to determine, I need to install two certificates - a CA certificate in the machines trusted root certificate authority store, and a client certificate in the machines personal certificate store. I installed the ca.crt file in the trusted root certificate authority store. I generated a client certificate using ssl-admin again, and then created a bundle file, via a command that looks something like this... openssl pkcs12 -export -out client_win7_bundle.p12 -in ./active/client_win7.crt -inkey ./active/client_win7.key I then installed the bundle file in the personal certificate store. On the client machine, I then navigated to Control Panel > Network and Sharing Centre > Manage wireless networks > Add button > Manually create a network profile. I entered a network name, selected "WPA2-Enterprise" for the security type, AES as the encryption type, and clicked the Next button. I then clicked Change connection settings and then the Security tab. I changed the network authentication method to "Microsoft: Smart card or other certificate". I then selected advanced settings, and changed the authentication method to computer authentication. I clicked OK and then clicked the Settings button. In the Trusted Root Certification Authorities list, I selected the CA certificate installed earlier, and then OK'd all the dialogs to save the configuration. Unfortunately, whenever I try and connect to the network, the connections fails to establish. If I run freeradius in debug mode, it clearly displays the access request whenever I connect from my android client. However, when the windows client tries, freeradius doesn't seem to respond. To me, that strongly suggests the problem is on the windows side of things. Does anyone have any suggestions for a way forward? Regards, Jazz
When you created the server cert did you ensure the extensions were added that windows is fussy about (check the docs, wiki and the provided example script in the certs dir) ? alan
Alan, No, I did not - while I did see the extensions information - I thought they were only for Windows XP. I didn't realise that they were required for Windows 7 as well. *nods* I'll add the extensions and regenerate all the certificates, and see what happens. Thanks, Jazz ----- Original Message ----- From: Alan Buxey To: FreeRadius users mailing list ; Jasvinder S. Bahra Sent: Sunday, October 12, 2014 5:00 PM Subject: Re: Configuring Windows 7 for a WPA2-Enterprise (EAP-TLS) Secured Wireless Network When you created the server cert did you ensure the extensions were added that windows is fussy about (check the docs, wiki and the provided example script in the certs dir) ? alan
participants (2)
-
Alan Buxey -
Jasvinder S. Bahra