RADIUS wifi not working on Windows with domain users
Forster Arnaud
arnaud.forster at mwprog.ch
Tue Apr 10 11:21:55 CEST 2018
Hello Stefan and thanks for your help :)
with no problem, means that a box in coming and I've to enter a
username/password from my domain users. Once this is made, my
username/password are stored and they are not requested anymore. In this
case I didn't install any certificate of my computer.
For computers registered into the domain, they are several cases :
With windows 10 , I can connect if I do that before entering my
username/password to start my session. Once my session started, I can't
connect anymore.
For Windows 7, as I can't connect before entering in a session, I tested
2 different situations : 1 with a local account and 1 with a domain
account. In both cases I can't connect to my wifi and the certificate
error is coming.
My domain is a samba domain so I don't think (but not sure) I can use
GPOs for this ..
Thanks very much for your help
Arnaud
Le 10.04.2018 à 11:04, Stefan Winter a écrit :
> Hi,
>
>> Yes but only for computer which are registered to the samba domains. For
>> other ones there's no problem
> With no problem, do you mean:
>
> - there's a box coming up on the first time, and the user can click
> "Connect", and then things work
>
> or
>
> - you are provisioning all the non-AD client devices with the needed CA
> and server name details, and they can connect automatically
>
> If the former, this in not "no problem" but a gaping security hole.
>
> If the latter: good job on the BYOD clients. Now, for the AD-joined
> machines, you probably you need to install the CA via GPOs and mark it
> as trusted for the *Wi-Fi* login use case. Just being in the generic CA
> trust store is *not* enough.
>
> Greetings,
>
> Stefan Winter
>
>>
>> Le 10.04.2018 à 10:36, Arran Cudbard-Bell a écrit :
>>>> On Apr 10, 2018, at 2:34 PM, Arnaud Forster
>>>> <arnaud.forster at mwprog.ch> wrote:
>>>>
>>>> Hello Alan,
>>>>
>>>> Thanks for your answer. So I checked the log and the only thing I've
>>>> when a computer belonging to the domain tries to connect is the
>>>> following :
>>>>
>>>> Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional
>>>> connection (24), 1 of 29 pending slots used
>>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert
>>>> read:fatal:unknown CA
>>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept:
>>>> Failed in SSLv3 read client key exchange A
>>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in
>>>> __FUNCTION__ (SSL_read)
>>>>
>>>> So I tried to install the ca.der key on the windows client system but
>>>> the error remains
>>> Client doesn't know/trust the CA that signed your server certificate.
>>>
>>> -Arran
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list