PEAP with Machine auth
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 26 22:07:47 CEST 2011
On 10/26/2011 07:53 PM, Francois Gaudreault wrote:
> Correct me if I am wrong, but that should not be needed when you are not
> validating server certificate.
There are a few issues; let me try to lay them out.
First: it seems you MUST install the CA on the client (in one or both of
the user or machine store, depending on whether you're doing user or
machine-based auth). Authentication will simply fail if you don't
install the CA - although helpfully Windows does seem to send an
"invalid CA" TLS alert.
Second: If (and only if) you install the CA, then when you FIRST connect
to a network, you will be shown the dialog box "The connection attempt
could not be completed". In my testing, if you click "Continue", then
Windows will:
a. Check the "Validate server certificate"
b. Leave the "Connect to these servers" (hostname/CN) blank
c. Check the box next to the CA cert
That is, Windows will "trust on first use" (TOFU) the *specific* CA for
that *specific* connection profile (WLAN SSID or Wired "profile").
The text at the link given by the OP is misleading. The issue is not
whether the CA is a "Trusted" CA on the machine/user store as a whole.
It's whether it's trusted for *that specific connection* as a CA for
signing the authentication server cert.
I'm unsure whether the OP is clicking "Continue" at the prompt and it's
failing, or if he's not clicking "Continue" or not even being presented
with the option - but as I say, in my testing, TOFU works.