Windows 10 EAP-TTLS with client certificate
Hi list, I successfully installed and configured our FreeRADIUS server with the following results: EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15 The last option with Windows 10 produces the following error logs: (185) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error (185) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate (185) eap_ttls: ERROR: System call (I/O) error (-1) (185) eap_ttls: ERROR: TLS receive handshake failed during operation (185) eap_ttls: ERROR: [eaptls process] = fail (185) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed Windows 10 logs: Wireless 802.1x authentication failed. Error: 0x80420015 EAP Reason: 0x80420015 EAP Root cause String: EAP Error: 0x80420015 I tried nearly all combinations in the Windows 10 configuration interface, but it never sends the client_cert with EAP-TTLS (the same settings with EAP-TLS work). When trying to connect to Wi-FI the Windows 10 interface looks like: Choose a certificate: <correctly pre-selected certificate> User name: <my username entered manually> but after clicking to connect the server never receives the selected certificate ... Is the optional "client cert" in EAP-TTLS supported on Windows 10? Any ideas to get it working? Thanks, JM
On 21 Jan 2020, at 20:02, Ján Máté <jan.mate@inf-it.com> wrote:
Hi list,
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
The last option with Windows 10 produces the following error logs:
(185) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error
Mmm, an error in the error, OK.
(185) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
That's a bit better.
(185) eap_ttls: ERROR: System call (I/O) error (-1) (185) eap_ttls: ERROR: TLS receive handshake failed during operation (185) eap_ttls: ERROR: [eaptls process] = fail (185) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
You could try requiring the client certificate: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_... But I honestly can't remember if that alters the handshake data the server sends to the client or just forces a handshake failure if the client doesn't provide a certificate. Try it and report back :) -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi Arran, the require_client_cert was set to true during my "EAP-TTLS + PAP (LDAP auth) + client cert" tests ... is there anything else to try? Regards, JM
On 22 Jan 2020, at 02:20, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 21 Jan 2020, at 20:02, Ján Máté <jan.mate@inf-it.com> wrote:
Hi list,
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
The last option with Windows 10 produces the following error logs:
(185) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error
Mmm, an error in the error, OK.
(185) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
That's a bit better.
(185) eap_ttls: ERROR: System call (I/O) error (-1) (185) eap_ttls: ERROR: TLS receive handshake failed during operation (185) eap_ttls: ERROR: [eaptls process] = fail (185) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
You could try requiring the client certificate:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_...
But I honestly can't remember if that alters the handshake data the server sends to the client or just forces a handshake failure if the client doesn't provide a certificate.
Try it and report back :)
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 21 Jan 2020, at 20:26, Ján Máté <jan.mate@inf-it.com> wrote:
Hi Arran,
the require_client_cert was set to true during my "EAP-TTLS + PAP (LDAP auth) + client cert" tests ... is there anything else to try?
I think one of the UK University crowd used to run EAP-TLS within EAP-TTLS to do 2FA. Maybe see if there's a way to configure that? -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate@inf-it.com> wrote:
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
Windows doesn't do client certificates for TTLS. :( Alan DeKok.
W dniu 22.01.2020 o 03:13, Alan DeKok pisze:
On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate@inf-it.com> wrote:
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15 Windows doesn't do client certificates for TTLS. :(
You can certainly configure EAP-TLS as the inner method for TTLS in the native Windows 10 TTLS, not sure if it will actually work though. Tomasz Wolniewicz
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Tomasz Wolniewicz twoln@umk.pl http://www.home.umk.pl/~twoln Uniwersyteckie Centrum Informatyczne Information&Communication Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University, pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland tel: +48-56-611-2750 tel kom.: +48-693-032-576
On Wed, 2020-01-22 at 08:08 +0100, Tomasz Wolniewicz wrote:
W dniu 22.01.2020 o 03:13, Alan DeKok pisze:
On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate@inf-it.com> wrote:
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
Windows doesn't do client certificates for TTLS. :(
You can certainly configure EAP-TLS as the inner method for TTLS in the native Windows 10 TTLS, not sure if it will actually work though.
PEAP/EAP-TLS definitely works (or, at least it works on Windows 7). The only real benefit was to get SoH along with EAP-TLS. But as Microsoft removed SoH in Windows 10, there's not likely much point having PEAP in the mix any more, it just adds round trips. I'm guessing that EAP-TTLS/EAP-TLS may also work if the above still works, but again doubt there's much point. The obvious benefit to client certificates with PEAP or EAP-TTLS directly would be to require presentation of a client certificate (outer) alongside the username and password (inner). Unless they've changed something recently, as Alan said, that's not possible. -- Matthew
On Jan 22, 2020, at 7:48 AM, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2020-01-22 at 08:08 +0100, Tomasz Wolniewicz wrote:
W dniu 22.01.2020 o 03:13, Alan DeKok pisze:
On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate@inf-it.com> wrote:
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
Windows doesn't do client certificates for TTLS. :(
You can certainly configure EAP-TLS as the inner method for TTLS in the native Windows 10 TTLS, not sure if it will actually work though.
PEAP/EAP-TLS definitely works (or, at least it works on Windows 7). The only real benefit was to get SoH along with EAP-TLS.
But as Microsoft removed SoH in Windows 10, there's not likely much point having PEAP in the mix any more, it just adds round trips.
I'm guessing that EAP-TTLS/EAP-TLS may also work if the above still works, but again doubt there's much point.
The obvious benefit to client certificates with PEAP or EAP-TTLS directly would be to require presentation of a client certificate (outer) alongside the username and password (inner). Unless they've changed something recently, as Alan said, that's not possible.
Yeah true, the supplicant would need to send credentials in the inner tunnel in addition to running EAP-TLS, which the windows supplicant doesn't support. I guess the OP is SOL then :( -Arran
Hi Alan, thanks for the exact answer. I decided to use EAP-TLS with "check-eap-tls" virtual server, where I check whether the account for the given certificate is active (the certificate revocation may take more time than the account deactivation). Everything now works as expected, there is only one minor "bug" - the server log contains: WARNING: Outer and inner identities are the same. User privacy is compromised. even if there is no inner identity (it's EAP-TLS not EAP-TTLS) :-) JM
On 22 Jan 2020, at 03:13, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate@inf-it.com> wrote:
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
Windows doesn't do client certificates for TTLS. :(
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Ján Máté -
Matthew Newton -
Tomasz Wolniewicz