WPA2-Entreprise: which certificate to avoid changing Validate server certificate for Windows guest ?

Olivier Olivier.Nicole at cs.ait.ac.th
Mon Sep 10 09:58:14 CEST 2018


> Currently, Windows guests need to follow a rather long and error prone
> process like the one described in  [1].
> The core of this process, is, if I'm not mistaken, to change a default
> value in Protected EAP Properties configuration window.
> This default value that needs to changed is the "Validate server
> certificate" one: its default value is checked (see point 9 in referenced
> doc).
> My understanding of this default value is that, "by default, Windows will
> validate Server Certicate using a list of Trusted Root Certificate
> Authorities and if no Server Certificate is received then connection is
> refused with a somehow misleading "Incorrect password" error message"..

In my environment, where the certificate is valid, signed by a trusted
root (Let's Encrypt), the user still has to accept the certificate the
first time he makes a connection.

See step 7 and 8 of

It seems that the list of trusted roots for WAP2 is different from the
list of trusted roots used by your browser.

If your goal is just to let the user validate the certificate, instead
of modifying the connection (it is tricky and error prone) just let them
manually validate the certificate the first time they connect, it is
faster. easier and goes in the flow.

> My questions are:
> 1- In this context, is correct to say the Server Certicate Windwos is
> refering to, is a file somewhere in /etc/freeradius directory ? If
> positive, how does it look like ? A .pem file ? A .der file ?
> 2- Is it correct to hope that  "if WiFi guests are somehow given such a
> Server Certificate file before trying to connect, they won't need to change
> Protected EAP Properties" ?

I never managed to do that.

I hope that helps,


> Best regards
> [1]
> https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_WPA2-Enterprise_in_Windows_Vista_and_Windows_7
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list