RADIUS Questions

Garber, Neal Neal.Garber at iberdrolausa.com
Tue Jul 26 22:53:35 CEST 2011

> I don't think that I'm using the supplicant but I could 
> be wrong. 

The supplicant is the software on the client device that
manages wireless profiles/connections.  If Windows 
controls the wireless connections (Wireless Zero Config service) then you are using the Windows supplicant.

> I'm running FreeRadius 2.1.7-7.e15 ( I believe this is the 
> latest) with freeradius2-krb5-2.1.7-7.e15 and freeradius2-
> utils-2.1.7-7.e15.

2.1.7 is old!  2.1.11 is the latest version of FreeRADIUS..

> I'm pretty sure I'm using PEAP.

This would be obvious in the wireless settings on the

> I realize that and I'm going to work on using our wild 
> card cert to better secure this. However the question 
> still arises on will our SSL cert validate properly on a 
> Windows system. When I initially set this up I never saw 
> anything regarding and 802.11x config. After updating I seem 
> to remember seeing this config file mentioned.

Windows clients require that certain extensions be present
in the certificate (you can thank Microsoft for that - it's
not a FreeRADIUS issue).  If most of the machines are not joined to your domain and are personal devices and you want easy access, you'll want to use a certificate signed by a CA
that's in the Windows root CA list.  Just be aware that 
this is not as secure as an internal or self-signed cert. because any certificate from the CA you choose would be
accepted (even if it's from someone else's RADIUS server);
but, the alternative is that you would need to distribute 
the CA's cert to each user that wants to connect.  

I can't answer your question regarding whether 
your SSL cert will validate properly on Windows because
you haven't said how it was generated? Is it self-signed?
Is it signed by a CA that's in the root CA list of a
device you were using to test?  Does it include the 
required Windows extensions?  There have been considerable
discussion on the mailing list regarding the creation 
of certs that will work with Windows clients.  Google is
your friend (along with the doc inside the FR files).

> Like I mentioned above not all, actually few machines, are 
> managed via our AD server. I would love to change this but it 
> would require far more administrative changes that I'm unable 
> to make.

Makes sense..

> Like I mentioned our Windows versions vary from XP to 7. 

I thought, but can't verify right now, that starting with
Vista, Windows will connect using PEAP without manual 
wireless configuration (i.e., it doesn't assume TLS 
as a default the way XP does). Perhaps your only issue 
with Vista/7 is that the cert doesn't have the required extensions or isn't signed by a CA that's in the root CA 
list of the device?

More information about the Freeradius-Users mailing list