Configuring Windows 7 for a WPA2-Enterprise (EAP-TLS) Secured Wireless Network
Jasvinder S. Bahra
bbdl21548 at blueyonder.co.uk
Sun Oct 12 17:46:56 CEST 2014
Hi,

I have set up a WPA2-Enterprise secured WiFi Access Point that authenticates
connections via FreeRadius v3.0.4, using EAP-TLS running on a FreeBSD
machine. Please note that I generated a CA certificate, a server
certificate, the various client certificates and the Diffie Hellman file
using the ssl-admin tool.

I created a client certificate for an Android device by creating a "one-step
request/sign" in ssl-admin, and then created a keyfile bundle using openssl
via a command that looks something like this...

    openssl pkcs12 -export -out client_android.p12 \
        -in ./active/client_android.pem -inkey ./active/client_android.key \
        -certfile /usr/local/etc/ssl-admin/active/ca.crt

I imported the generated file onto the device, and it can now successfully
access the secured wireless network.

I now need to do something similar for a Microsoft Windows 7 machine. From
what I have been able to determine, I need to install two certificates - a
CA certificate in the machine's trusted root certificate authority store, and
a client certificate in the machine's personal certificate store.

I installed the ca.crt file in the trusted root certificate authority store.
I generated a client certificate using ssl-admin again, and then created a
bundle file, via a command that looks something like this...

    openssl pkcs12 -export -out client_win7_bundle.p12 \
        -in ./active/client_win7.crt -inkey ./active/client_win7.key

I then installed the bundle file in the personal certificate store.

On the client machine, I then navigated to Control Panel > Network and
Sharing Centre > Manage wireless networks > Add button > Manually create a
network profile. I entered a network name, selected "WPA2-Enterprise" for
the security type, AES as the encryption type, and clicked the Next button.

I then clicked Change connection settings and then the Security tab. I
changed the network authentication method to "Microsoft: Smart card or other
certificate". I then selected advanced settings, and changed the
authentication method to computer authentication. I clicked OK and then
clicked the Settings button. In the Trusted Root Certification Authorities
list, I selected the CA certificate installed earlier, and then OK'd all the
dialogs to save the configuration.

Unfortunately, whenever I try and connect to the network, the connection
fails to establish. If I run freeradius in debug mode, it clearly displays
the access request whenever I connect from my Android client. However, when
the Windows client tries, freeradius doesn't seem to respond. To me, that
strongly suggests the problem is on the Windows side of things.

Does anyone have any suggestions for a way forward?

Regards,
Jazz
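
Added example, not part of the original message: a shell check that a PKCS#12 bundle like the ones built above holds a private key matching its client certificate, and that the certificate verifies against the CA certificate, before the bundle is imported on a client. The throwaway CA, the file names and the password "demo" are constructed for the demonstration, and the function names check_bundle and make_demo are hypothetical.

```shell
#!/bin/sh
# Added example: works on a constructed throwaway CA, not the poster's files.

# check_bundle P12 PASSWORD CA_CERT
# 0 = key matches certificate and certificate verifies against CA_CERT
# 1 = key/certificate mismatch or chain verification failure
# 2 = bundle could not be opened (wrong password, damaged file)
check_bundle() {
    p12=$1; pass=$2; ca=$3
    tmp=$(mktemp -d) || return 2
    # Pull the client certificate and the private key out of the bundle.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$tmp/cert.pem" 2>/dev/null &&
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout | openssl sha256)
    rc=0
    [ "$cert_pub" = "$key_pub" ] || rc=1
    # The client certificate must chain to the CA the RADIUS server trusts.
    openssl verify -CAfile "$ca" "$tmp/cert.pem" >/dev/null 2>&1 || rc=1
    rm -rf "$tmp"
    return $rc
}

# make_demo DIR: build a constructed CA, client certificate and bundle in DIR.
make_demo() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client_win7" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -out "$dir/client.p12" -in "$dir/client.crt" \
        -inkey "$dir/client.key" -certfile "$dir/ca.crt" -passout pass:demo
}

# Run with --demo to exercise the check on the constructed material.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_demo "$d" &&
        check_bundle "$d/client.p12" demo "$d/ca.crt" && echo "bundle OK"
    rm -rf "$d"
fi
```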