RADIUS wifi not working on Windows with domain users

Stefan Winter stefan.winter at restena.lu
Tue Apr 10 11:04:06 CEST 2018


Hi,

> Yes but only for computers which are registered to the samba domains. For
> other ones there's no problem

With no problem, do you mean:

- there's a box coming up on the first time, and the user can click
"Connect", and then things work

or

- you are provisioning all the non-AD client devices with the needed CA
and server name details, and they can connect automatically

If the former, this is not "no problem" but a gaping security hole.

If the latter: good job on the BYOD clients. Now, for the AD-joined
machines, you probably need to install the CA via GPOs and mark it
as trusted for the *Wi-Fi* login use case. Just being in the generic CA
trust store is *not* enough.

Greetings,

Stefan Winter

> 
> 
> On 10.04.2018 at 10:36, Arran Cudbard-Bell wrote:
>>
>>> On Apr 10, 2018, at 2:34 PM, Arnaud Forster
>>> <arnaud.forster at mwprog.ch> wrote:
>>>
>>> Hello Alan,
>>>
>>> Thanks for your answer. So I checked the log and the only thing I have
>>> when a computer belonging to the domain tries to connect is the
>>> following:
>>>
>>> Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional
>>> connection (24), 1 of 29 pending slots used
>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert
>>> read:fatal:unknown CA
>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept:
>>> Failed in SSLv3 read client key exchange A
>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in
>>> __FUNCTION__ (SSL_read)
>>>
>>> So I tried to install the ca.der key on the windows client system but
>>> the error remains
>> Client doesn't know/trust the CA that signed your server certificate.
>>
>> -Arran
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
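
Added example, not part of the original message and not FreeRADIUS code: a small triage script for the kind of `TLS Alert` lines quoted in this thread, which reports per request whether the supplicant or the server raised the alert. It assumes unwrapped radius.log lines in the format shown above; the function names and the request 41 line are constructed for illustration.

```python
import re

# Constructed sample: the log lines quoted in the thread (unwrapped), plus one
# constructed line (request 41) showing a server-sent alert for contrast.
SAMPLE_LOG = """\
Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional connection (24), 1 of 29 pending slots used
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
Tue Apr 10 10:32:02 2018 : ERROR: (41) eap_peap: ERROR: TLS Alert write:fatal:protocol version
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) : \w+: \((?P<req>\d+)\) "
    r"(?P<module>\w+): (?:ERROR: )?TLS Alert "
    r"(?P<direction>read|write):(?P<level>\w+):(?P<desc>.+)$",
    re.MULTILINE,
)

# OpenSSL alert descriptions with which a peer refuses the other side's certificate.
CERT_REJECTIONS = {"unknown CA", "bad certificate", "certificate unknown",
                   "certificate expired", "certificate revoked"}


def tls_alerts(log_text):
    """Return one dict per 'TLS Alert' line, keyed by the regex group names."""
    return [m.groupdict() for m in ALERT_RE.finditer(log_text)]


def triage(log_text):
    """Map request number -> short diagnosis of who raised the alert and why."""
    verdicts = {}
    for alert in tls_alerts(log_text):
        desc = alert["desc"].strip()
        # "read" = the server read the alert off the wire, so the supplicant sent it.
        sender = "supplicant" if alert["direction"] == "read" else "server"
        if sender == "supplicant" and desc in CERT_REJECTIONS:
            verdicts[alert["req"]] = "supplicant rejected server certificate: " + desc
        else:
            verdicts[alert["req"]] = f"{sender} sent {alert['level']} alert: {desc}"
    return verdicts


if __name__ == "__main__":
    for req, verdict in triage(SAMPLE_LOG).items():
        print(f"request {req}: {verdict}")
```

A "supplicant rejected server certificate" verdict points at the client's trust configuration for the Wi-Fi profile, as discussed above, not at the RADIUS server.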