WPA2 Enterprise with Windows 7

HCC Lists hcc.lists at gmail.com
Fri Feb 20 16:51:52 CET 2015


On 2/20/2015 2:03 AM, Stefan Winter wrote:
> Hello,
>
>> From what I have read I need to have a certificate for using WPA2
>> Enterprise. I would prefer not having to go to each machine spread
>> geographically around a fairly wide area to install a CA certificate. Is
>> it possible to use a purchased certificate so that Windows 7 recognizes
>> it and will connect?
> You can use such a certificate, but you still need to manually mark it
> as trusted for WPA2 Enterprise purposes (none of the installed CAs
> qualify "automagically", trust is configured explicitly).

Okay, so if I need to touch every computer anyway there is no real
advantage to getting a commercial certificate.

> There's more to configure client-side than just install a CA certificate
> or mark it as trusted. Things like anonymous outer identity are nice
> features, but involve ticking the right boxes on the machines.

My main purpose is for logging of what AP is being used by what device
and when. There are several laptops running Windows 7 and/or 8 which are
not on a domain so group policies are not an option. There are also a
number of BlackBerry smartphones which I can control from the management
server. For those I should be able to push out a certificate and send
the updated WiFi configuration to them automatically. The APs are
various D-Link routers running DD-WRT. I put together a test setup, but
I had to jump through some hoops to get a Windows 7 machine to connect,
but that was because of the cert not being recognized.

I guess my next step is to generate a CA cert etc.

> There are tools which do that for you. Windows group policies can do it
> for Windows clients. For BYOD scenarios, web services like
> https://802.1x-config.org cover a wider range of clients (free, with
> some paid-for optional upgrades: https://802.1x-config.org/tour4.php ).
>
> If your project is by any chance related to the eduroam roaming
> consortium, your instance of this web service would be
> https://cat.eduroam.org which has the richest feature set, entirely for
> free for eduroam participants.

Nope, not eduroam.

Thanks,
Michael
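
The step the message ends on, generating a private CA and a certificate for the RADIUS server, can be done with OpenSSL as in the following added example, which is not part of the original message or of the FreeRADIUS project. The function names, file layout, "Example WiFi CA" and radius.example.org are assumptions made for illustration.

```shell
# Added example. "Example WiFi CA" and radius.example.org are constructed placeholders.
make_radius_pki() {
    dir="$1"; mkdir -p "$dir" || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example
CN = Example WiFi CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Self-signed CA: the certificate every client must be told to trust.
    #    -nodes leaves ca.key unencrypted; keep it off the RADIUS host.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # 2. Key and CSR for the RADIUS server (-subj overrides the [dn] section).
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=radius.example.org" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. Server extensions: Windows expects the Server Authentication EKU
    #    on the certificate the RADIUS server presents during EAP.
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.org
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 730 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null || return 1
}

# Succeeds only if the server cert chains to the CA and carries serverAuth.
check_radius_cert() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.pem" -noout -text | grep -q "TLS Web Server Authentication"
}

# SHA-1 thumbprint of the CA, to compare with what the client shows before trusting it.
ca_fingerprint() {
    openssl x509 -in "$1/ca.pem" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}
# Usage: make_radius_pki ./pki && check_radius_cert ./pki && ca_fingerprint ./pki
```

Only ca.pem is distributed to the clients; server.pem and server.key go to the RADIUS server, and the subject name radius.example.org is what a client's server-name validation field would be set to.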

