Windows 7, wired 802.1x, native EAP-TLS w/o AD, NPS
Timo Buhrmester
timo.buhrmester at fhr.fraunhofer.de
Mon Apr 10 13:23:19 CEST 2017
Thanks for your replies.
> Basically, follow all those fine instructions for wireless, and do them
> on the wired interface instead.
The thing is, all those fine instructions seem to start with
going via dialogs that are specifically about wireless networks.
It's not like there's some configuration which I could simply s/wlan0/eth0/g.
E.g. "Connect to a network", "Manage wireless networks", "Add a wireless
network", etc. Some of those aren't even visible unless the machine
in question has a WiFi Adapter.
I've looked at:

https://supportforums.cisco.com/document/128096/configure-wireless-clients-running-windows-7-eap-tls-authentication-nps-radius
  Garbage, also assumes NPS

https://msdn.microsoft.com/en-us/library/dd759246(v=ws.11).aspx
  Seems to deal with the server-side only, assumes NPS and AD

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_EAP-TLS_in_Windows_7
  There's no "Manage wireless networks" without WiFi Hardware present.
  Adding some, it asks for things like SSID, which doesn't exist on
  wired networks.

https://youtu.be/UBE5s6qY5xY
  Windows XP

..and a ton of other resources.
What *seems* to come closest is to enable 802.1x authentication (possible
on the wired interface if the Wired Autoconfig service is running),
selecting "Microsoft Smart Card or other certificate" (which I assume is
a code for EAP-TLS since the only other option is PEAP -- or is that the
Windows way to do PEAP/EAP-TLS?), but the machine never reacts to the
"Request Identity" packet (even though it does transmit an "EAPOL Start").
Occasionally it will inform me that "A certificate is required to connect
to this network", but that's about it. Needless to point out, the
appropriate CA and client certificates are imported into the Windows
certificate store. Oddly enough, the machine realizes that a certificate is
needed without anything hitting the RADIUS server.
What a giant clusterf*ck.
If you do have a resource that actually does map to wired networks even
though written for wireless, please share.
Thanks,
Timo