RADIUS wifi not working on Windows with domain users

Forster Arnaud arnaud.forster at mwprog.ch
Tue Apr 10 11:48:37 CEST 2018

Oooh I see now,

thanks for the informations, I'll have a deeper look into this ;)

My Samba AD is NT-domain style .. :(

Thanks very much for your help :)


Le 10.04.2018 à 11:27, Stefan Winter a écrit :
> Hello,
>> with no problem, means that a box in coming and I've to enter a
>> username/password from my domain users. Once this is made, my
>> username/password are stored and they are not requested anymore. In this
>> case I didn't install any certificate of my computer.
> That's what I meant with "gaping security hole". An attacker can simply
> set up a Wi-Fi network with the same SSID and arbitrary RADIUS server,
> and your computer will happily send your username and password to that
> rogue attacker when in the vicinity.
> In order to achieve security, a client device MUST verify the
> server-side certificate. And that means installing the CA, mark it as
> the CA to trust for this particular Wi-Fi network, and pinning the
> expected server name.
> I.e. your perception of you not having a problem is wrong.
> There are tools that allow you to specify your deployment details and
> get an installer that does the right settings out of it. One example is
> https://802.1x-config.org
>> For computers registered into the domain, they are several cases :
>> With windows 10 , I can connect if I do that before entering my
>> username/password to start my session. Once my session started, I can't
>> connect anymore.
>> For Windows 7, as I can't connect before entering in a session, I tested
>> 2 different situations : 1 with a local account and 1 with a domain
>> account. In both cases I can't connect to my wifi and the certificate
>> error is coming.
>> My domain is a samba domain so I don't think (but not sure) I can use
>> GPOs for this ..
> If it's a Samba 4 AD server, you should be able to. If it's a Samba 3
> "NT-Domain" style server, then no.
> Greetings,
> Stefan Winter

More information about the Freeradius-Users mailing list