TTLS+PAP with Windows

Herman Øie Kolden herman at
Tue Mar 14 00:56:08 CET 2017


I am running FreeRADIUS 2.2.5 on Debian 8.7 (Jessie). The RADIUS server
is using TTLS+PAP.

I am trying to find a good way to authenticate the server to Windows
clients. With macOS, Linux, Android etc., I am using a custom self signed CA
certificate. On these devices it is possible to specify that this
certificate is only usable for a specific SSID. However, for Windows I
have found no way to accomplish this. To make it work, I have to install
the CA certificate in the "Trusted Root CA" store. This is rather
inconvenient. If I (against all odds) lose the private key, the attacker
could use it to issue certificates for web pages, and the Windows
clients would accept them.

One of the options I have considered is to make FreeRADIUS present multiple
certificates simultaneously: an LE certificate for Windows and the self
signed CA certificate for other clients. As Windows clients already
trust LE, they should also accept the server certificate.

1) Is it possible to use LE certificates with FreeRADIUS?

2) Is it possible to make the server present multiple certificates?

The reason for wanting multiple certificates is that a complete switch
to LE would require reconfiguring all the non-Windows clients that use
the CA certificate.

Naturally, all thoughts concerning EAP and Windows are also welcome.

Thanks in advance!

Herman Øie Kolden
Trondheim, Norway