FreeRADIUS 3 certificate issue on some Windows clients
I'm running FreeRADIUS 3.0.11 with OpenSSL 1.0.2g. I have successfully configured EAP TLS, TTLS and PEAP methods. Now the issue...when I'm configuring clients with Windows 7, Vista or XP and certificates are not yet installed (ca.der and optionally client.p12) and try to connect to the network through the bottom right network icon a bubble popup shows up telling me that I need to installl the certificates. The connection can't be established, which is how it should behave. When i configure the connection manually, import the certs, all the methods mentioned above works well. The manual configuration also work well on Windows 10 and can't connect until at least the ca.der is present on the computer for PEAP and TTLS. However when any of theese certificates are not present on the Windows 10 machine and try to connect through the network menu in the bottom right corner the connection is successfully created after entering login credentials. It seems like it's bypassing the ca.der certificate somehow. I have the same problem with windows phone 7.X devices. Is there a way how to prevent this behaviour? The server shouldn't allow the connection, am I right? here is the output od radiusd -X with example login through windows phone 7 device. It's a .txt file on my google drive. Thank you https://drive.google.com/file/d/0B9T3_pXPBXRnZklXRjJDcmVHek0/view?usp= sharing (https://drive.google.com/file/d/0B9T3_pXPBXRnZklXRjJDcmVHek0/view?usp=sharin...)
hi,
connection is successfully created after entering login credentials. It seems like it's bypassing the ca.der certificate somehow. I have the same problem with windows phone 7.X devices. Is there a way how to prevent this behaviour? The server shouldn't allow the connection, am I right?
what is the CA - a local one? if not, perhaps Windows 10 and Phone 7 now ship with the CA included. as for 'server shouldnt allow connection' - nope. sorry, its a CLIENT decision whether to trust the RADIUS server and CA cert - the client can happily be stupid and not verify the server cert and theres nothing at the server end you can do to stop that behaviour :/ - not going off to random google docs - please post debug inline on this list as per list instructions. many thanks alan
Hi,
least the ca.der is present on the computer for PEAP and TTLS. However when any of theese certificates are not present on the Windows 10 machine and try to connect through the network menu in the bottom right corner the connection is successfully created after entering login credentials. It seems like it's bypassing the ca.der certificate somehow. I have the same problem with windows phone 7.X devices. Is there a way how to prevent this behaviour? The server shouldn't allow the connection, am I right?
It's not the server's problem: the client decides that it doesn't care about the server certificate. It just accepts whatever the server sends. Weird and extremely insecure by design? Yes! Talk to Microsoft if you want this changed... Greetings, Stefan Winter
here is the output od radiusd -X with example login through windows phone 7 device. It's a .txt file on my google drive. Thank you
https://drive.google.com/file/d/0B9T3_pXPBXRnZklXRjJDcmVHek0/view?usp= sharing (https://drive.google.com/file/d/0B9T3_pXPBXRnZklXRjJDcmVHek0/view?usp=sharin...)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan Buxey -
Stefan Winter -
Tomáš Ivánek