Windows 7, wired 802.1x, native EAP-TLS w/o AD, NPS

Stefan Winter stefan.winter at restena.lu
Mon Apr 10 13:31:34 CEST 2017


Hi,

> What *seems* to come closest, is to enable 802.1x authentication (possible
> on the wired interface if the Wired Autoconfig service is running),
> selecting "Microsoft SmartCard or other certificate" (which I assume is
> a code for EAP-TLS since the only other option is PEAP -- or is the Windows-
> way to do PEAP/EAP-TLS?),

That's right. "Other certificate" is what you need.

> but the machine never reacts to the
> "Request Identity" packet (even though it does transmit an "EAPOL Start").
> 
> Occasionally it will inform me that "A certificate is required to connect
> to this network", but that's about it.  Needless to point out, the
> appropriate CA and client certificates are imported into the Windows
> certificate store.  Oddly enough, the machine realizes that a certificate is
> needed without anything hitting the RADIUS server.
> 
> What a giant clusterf*ck.

Many people do what you try to do without issues. If it doesn't work,
the problem is most likely on your own end. You shouldn't give yourself
names like that.

> If you do have a resource that actually does map to wired networks even
> though written for wireless, please share.

Random searches on DuckDuckGo quickly turned up this:

https://lapserv.maths.cam.ac.uk/docs/win7_eduroam_wired.html

(did you for example check that it's "user authentication", not machine
authentication?)

This is for PEAP obviously, but the difference between PEAP and TLS is
that it's a different drop-down entry in one of the screenshots.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66