WPA2-Enterprise: which certificate to avoid changing Validate server certificate for Windows guests?

Olivier oza.4h07 at gmail.com
Mon Sep 10 10:31:30 CEST 2018


Thanks Olivier for replying here.

On Mon, 10 Sep 2018 at 09:58, Olivier <Olivier.Nicole at cs.ait.ac.th>
wrote:

> Hi,
>
> > Currently, Windows guests need to follow a rather long and error-prone
> > process like the one described in [1].
> > The core of this process is, if I'm not mistaken, to change a default
> > value in the Protected EAP Properties configuration window.
> > This default value that needs to be changed is the "Validate server
> > certificate" one: its default value is checked (see point 9 in the referenced
> > doc).
> >
> > My understanding of this default value is that, "by default, Windows will
> > validate the Server Certificate using a list of Trusted Root Certificate
> > Authorities, and if no Server Certificate is received then the connection is
> > refused with a somewhat misleading "Incorrect password" error message".
>
> In my environment, where the certificate is valid, signed by a trusted
> root (Let's Encrypt), the user still has to accept the certificate the
> first time he makes a connection.
>
> See step 7 and 8 of
> https://www.cs.ait.ac.th/joomla3/index.php/eduroam-set-up
>
> It seems that the list of trusted roots for WPA2 is different from the
> list of trusted roots used by your browser.
>
> If your goal is just to let the user validate the certificate, instead
> of modifying the connection (it is tricky and error-prone) just let them
> manually validate the certificate the first time they connect; it is
> faster, easier and goes with the flow.
>
> > My questions are:
> > 1- In this context, is it correct to say that the Server Certificate Windows is
> > referring to is a file somewhere in the /etc/freeradius directory? If
> > so, what does it look like? A .pem file? A .der file?
> >
> > 2- Is it correct to hope that "if WiFi guests are somehow given such a
> > Server Certificate file before trying to connect, they won't need to
> > change Protected EAP Properties"?
>
> I never managed to do that.
>

Looking at [2], Eduroam's Windows process is much longer and more error-prone
than Android's.
[2] https://www.cs.ait.ac.th/joomla3/index.php/eduroam-set-up

My goal is to simplify this process on Windows machines to the point that
guests would only have to fill in their login/password after importing a
file.
Do you think this can be achieved?
If I'm reading your answer correctly, the answer is (unfortunately) no.



> I hope that helps,
>
> Olivier
>
> >
> > Best regards
> >
> > [1]
> > https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_WPA2-Enterprise_in_Windows_Vista_and_Windows_7
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
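On question 1 above (which file under /etc/freeradius is the "server certificate", and whether it is .pem or .der): the certificate FreeRADIUS presents during PEAP is the `certificate_file` named in the `tls-config` section of the EAP module configuration, and it is stored PEM-encoded. What a Windows client has to hold in its Trusted Root Certification Authorities store for "Validate server certificate" to pass is not that server certificate but the CA that issued it (the root of `ca_file`), usually imported as a DER-encoded .cer file; the private key never leaves the server. The script below is an added example written for this reply, not code from the thread or from the FreeRADIUS project. It resolves the `${certdir}`/`${cadir}` references the stock configuration uses and splits a PEM CA bundle into DER blobs ready to be saved as .cer files. The two configuration excerpts are constructed in the shape of radiusd.conf and mods-available/eap with Debian-style paths, and the "certificates" are constructed stand-in blobs with a DER SEQUENCE header, not real X.509 data.

```python
"""Locate the TLS files a FreeRADIUS 3.x EAP module uses and export the CA
bundle as DER (.cer) for the Windows Trusted Root store.

Added example for this thread, not FreeRADIUS code.  The two config
excerpts are CONSTRUCTED in the shape of radiusd.conf and
mods-available/eap (Debian-style paths); the "certificates" are
constructed stand-in blobs, not real X.509 data.
"""
import base64
import re

# Constructed excerpt in the shape of radiusd.conf (variable definitions).
SAMPLE_RADIUSD_CONF = """\
prefix = /usr
sysconfdir = /etc
raddbdir = ${sysconfdir}/freeradius/3.0   # Debian/Ubuntu layout
confdir = ${raddbdir}
certdir = ${confdir}/certs
cadir = ${confdir}/certs
"""

# Constructed excerpt in the shape of mods-available/eap.
SAMPLE_EAP_CONFIG = """\
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem   # presented to the client
        ca_file = ${cadir}/ca.pem                  # issuer chain; its root is what clients trust
    }
}
"""

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][\w\-]*)\s*=\s*(.*?)\s*$")
VAR_RE = re.compile(r"\$\{([A-Za-z_][\w\-]*)\}")
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_assignments(text):
    """Collect `name = value` pairs, ignoring comments and section braces."""
    found = {}
    for line in text.splitlines():
        match = ASSIGN_RE.match(line.split("#", 1)[0])  # drop trailing comment
        if match:
            found[match.group(1)] = match.group(2).strip('"')
    return found


def resolve(value, variables, _depth=0):
    """Expand ${name} references recursively; unknown names raise KeyError."""
    if _depth > 20:
        raise ValueError("reference loop while expanding %r" % value)
    expanded = VAR_RE.sub(lambda m: variables[m.group(1)], value)
    return expanded if expanded == value else resolve(expanded, variables, _depth + 1)


def find_eap_cert_files(radiusd_conf, eap_conf):
    """Return the absolute paths of the TLS files the EAP module uses."""
    variables = parse_assignments(radiusd_conf)
    variables.update(parse_assignments(eap_conf))
    return {key: resolve(variables[key], variables)
            for key in ("certificate_file", "private_key_file", "ca_file")}


def der_total_length(der):
    """Total length a DER SEQUENCE header claims, header bytes included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: an X.509 Certificate starts with 0x30")
    first = der[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der_certs(pem_text):
    """Split a PEM bundle (ca.pem may hold several certs) into DER blobs."""
    certs = []
    for b64 in PEM_CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("DER length disagrees with decoded size (truncated file?)")
        certs.append(der)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs


def make_constructed_pem(payload):
    """CONSTRUCTED test data: a DER SEQUENCE header around an arbitrary payload."""
    assert len(payload) < 0x80
    b64 = base64.b64encode(bytes([0x30, len(payload)]) + payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_CA_BUNDLE_PEM = (make_constructed_pem(b"constructed stand-in for the root CA")
                        + make_constructed_pem(b"constructed stand-in for an intermediate"))

if __name__ == "__main__":
    for name, path in find_eap_cert_files(SAMPLE_RADIUSD_CONF, SAMPLE_EAP_CONFIG).items():
        print("%-17s %s" % (name, path))
    for i, der in enumerate(pem_to_der_certs(SAMPLE_CA_BUNDLE_PEM), 1):
        print("ca-%d.cer would hold %d DER bytes" % (i, len(der)))  # one .cer per cert
```

Run against the real files, the resolved `ca_file` is the one to convert; each DER blob is written to its own .cer, since the Windows import dialog takes one certificate per file, and the root (not the intermediate) is the one that belongs in Trusted Root Certification Authorities. The length check in `der_total_length` catches the common failure of a truncated or mis-copied bundle before anyone tries to import it.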


More information about the Freeradius-Users mailing list