RADIUS wifi not working on Windows with domain users

Forster Arnaud arnaud.forster at mwprog.ch
Tue Apr 10 11:21:55 CEST 2018

Hello Stefan and thanks for your help :)

By "no problem", I mean that a box comes up and I have to enter a 
username/password from my domain users. Once this is done, my 
username/password are stored and they are not requested anymore. In this 
case I didn't install any certificate on my computer.

For computers registered in the domain, there are several cases:

With Windows 10, I can connect if I do that before entering my 
username/password to start my session. Once my session has started, I can't 
connect anymore.

For Windows 7, as I can't connect before entering a session, I tested 
2 different situations: 1 with a local account and 1 with a domain 
account. In both cases I can't connect to my wifi and the certificate 
error comes up.

My domain is a Samba domain, so I don't think (but I'm not sure) I can use 
GPOs for this...

Thanks very much for your help


On 10.04.2018 at 11:04, Stefan Winter wrote:
> Hi,
>> Yes, but only for computers which are registered to the Samba domains. For
>> other ones there's no problem
> With no problem, do you mean:
> - there's a box coming up on the first time, and the user can click
> "Connect", and then things work
> or
> - you are provisioning all the non-AD client devices with the needed CA
> and server name details, and they can connect automatically
> If the former, this is not "no problem" but a gaping security hole.
> If the latter: good job on the BYOD clients. Now, for the AD-joined
> machines, you probably need to install the CA via GPOs and mark it
> as trusted for the *Wi-Fi* login use case. Just being in the generic CA
> trust store is *not* enough.
> Greetings,
> Stefan Winter
>> On 10.04.2018 at 10:36, Arran Cudbard-Bell wrote:
>>>> On Apr 10, 2018, at 2:34 PM, Arnaud Forster
>>>> <arnaud.forster at mwprog.ch> wrote:
>>>> Hello Alan,
>>>> Thanks for your answer. So I checked the log and the only thing I have
>>>> when a computer belonging to the domain tries to connect is the
>>>> following:
>>>> Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional
>>>> connection (24), 1 of 29 pending slots used
>>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert
>>>> read:fatal:unknown CA
>>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept:
>>>> Failed in SSLv3 read client key exchange A
>>>> Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in
>>>> __FUNCTION__ (SSL_read)
>>>> So I tried to install the ca.der key on the Windows client system but
>>>> the error remains
>>> Client doesn't know/trust the CA that signed your server certificate.
>>> -Arran
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
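An added example, not part of the original thread or of FreeRADIUS: a small triage script for the kind of `radius.log` lines quoted above. It relies on the fact that `TLS Alert read` means the server received the alert, so the supplicant sent it, which is why `read:fatal:unknown CA` points at the client's trust configuration. The function names, the result keys and all sample lines except the first are this example's own.

```python
import re
from collections import defaultdict

# radius.log line shape, as seen in the thread:
#   <timestamp> : ERROR: (<request>) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
ALERT_RE = re.compile(
    r"^(?P<ts>.+?) : \w+: \((?P<req>\d+)\) (?P<module>eap_\w+): (?:ERROR: )?"
    r"TLS Alert (?P<dir>read|write):(?P<level>warning|fatal):(?P<desc>.+)$"
)

# Alert descriptions meaning "the sender could not validate the peer's certificate".
CERT_ALERTS = {"unknown CA", "bad certificate", "certificate unknown",
               "certificate expired", "unsupported certificate"}

def classify(line):
    """Return a dict describing a TLS alert log line, or None for other lines."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    # "read" = the server received the alert, so the supplicant sent it.
    sender = "client" if m["dir"] == "read" else "server"
    cert_problem = m["desc"] in CERT_ALERTS
    return {"request": int(m["req"]), "module": m["module"], "sender": sender,
            "alert": m["desc"], "cert_rejected_by": sender if cert_problem else None}

def triage(lines):
    """Group request ids by which side rejected the other's certificate."""
    out = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit and hit["cert_rejected_by"]:
            out[hit["cert_rejected_by"]].append(hit["request"])
    return dict(out)

# First line is the alert from the thread (unwrapped); the rest are constructed.
SAMPLE = [
    "Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert read:fatal:unknown CA",
    "Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)",
    "Tue Apr 10 10:40:02 2018 : ERROR: (41) eap_tls: ERROR: TLS Alert write:fatal:unknown CA",
    "Tue Apr 10 10:41:09 2018 : ERROR: (42) eap_peap: ERROR: TLS Alert read:fatal:access denied",
]

if __name__ == "__main__":
    for side, reqs in triage(SAMPLE).items():
        print(f"{side} rejected the peer certificate in requests {reqs}")
```

Requests listed under `client` are the ones to fix on the supplicant side (trusted CA and server name in the 802.1X profile); requests under `server` are client certificates the RADIUS server could not validate.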
