Windows 10 in domain connects but fails to manually reconnect

Nick Howitt nick at howitts.co.uk
Wed May 9 21:54:48 CEST 2018



On 09/05/2018 19:35, Nick Howitt wrote:
> On 09/05/2018 19:03, Alan Buxey wrote:
>> without further details I'd say you checked the 'do not prompt' for
>> certificate... so it was connected but won't reconnect because it's not
>> happy about the CA or RADIUS cert.
>> just ensure you've imported the CA used for the RADIUS server into the
>> correct root authority store so that the client is happy with the
>> server cert.
>> you really SHOULD have all those things (CommonName filled and CA
>> selected etc) - if doing a windows domain this is VERY easy with a GPO
>> that can be just pushed to
>> all Windows clients in the domain.
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
> Yes, I have unchecked "Verify server's identity by validating the 
> certificate" so I would have expected Windows not to worry that it was 
> signed by Radius's own CA. I have configured CN and SubjectAltName to 
> be the same resolvable FQDN, and the correct M$ extensions. I can't do 
> GPO as this is an old style NT domain in Samba, but I'll give 
> importing the CA a go just in case. I'm still confused why it would 
> accept a certificate first time round but not subsequently but I know 
> Windows does have idiosyncrasies.
>
> FWIW the domain is a test server at home with one PC connected to it.
>
> Nick
Totally puzzled. I've imported the ca.crt (as ca.der) as a Trusted Root 
Certification Authority and allowed 802.1x to use it. First time round 
it prompts me that it is not a trusted certificate (odd as it is 
imported as a Trusted Certificate), but if I disconnect and try to 
reconnect it does not prompt me again, nor does it if I switch user and 
switch back. After a manual disconnect, the only way I can reconnect is 
to log off and back on or switch users and switch back. It must be a 
Windows thing somewhere.

