Windows 7, wired 802.1x, native EAP-TLS w/o AD, NPS

Timo Buhrmester timo.buhrmester at
Mon Apr 10 10:46:59 CEST 2017

Hello list,

I'm trying to implement 802.1x/EAP-TLS on a wired network.
Getting that to work on Linux clients was reasonably straightforward
using wpa_supplicant (and freeradius as the back-end).

However, we also have Windows (7) clients on the network, and I'm
having issues setting that up.  It is my understanding that
a) EAP-TLS is mandatory for systems that claim to support 802.1x
b) Windows claims to support 802.1x.

Unfortunately, every resource I could find either assumes there's
an Active Directory infrastructure (which, fortunately, we don't
use here) and other shady things involved (NPS -- seems to be
sort of an ersatz-radius), OR talks about wireless, OR refers
to other versions of Windows, OR ...  None seems to describe the
combination Windows 7, native supplicant, freeradius, no AD/NPS.

So my question, although not directly freeradius-related, is:
Does anyone have experience setting up EAP-TLS on a wired network
on Windows 7 clients?  Is AD strictly required?  If so, I wonder
how Windows could get away claiming to support 802.1x.

I.e.: Does anybody know whether this is possible *at all*?

I'm already considering trying 3rd party supplicants, but I'd much
rather go with the native one.


More information about the Freeradius-Users mailing list