WPA2-Enterprise: which certificate to avoid changing Validate server certificate for Windows guests?
oza.4h07 at gmail.com
Mon Sep 10 10:31:30 CEST 2018
Thanks Olivier for replying here.
On Mon, 10 Sep 2018 at 09:58, Olivier <Olivier.Nicole at cs.ait.ac.th> wrote:
> > Currently, Windows guests need to follow a rather long and error prone
> > process like the one described in .
> > The core of this process, is, if I'm not mistaken, to change a default
> > value in Protected EAP Properties configuration window.
> > This default value that needs to changed is the "Validate server
> > certificate" one: its default value is checked (see point 9 in referenced
> > doc).
> > My understanding of this default value is that, "by default, Windows will
> > validate the Server Certificate using a list of Trusted Root Certificate
> > Authorities and if no Server Certificate is received then the connection is
> > refused with a somewhat misleading "Incorrect password" error message".
> In my environment, where the certificate is valid, signed by a trusted
> root (Let's Encrypt), the user still has to accept the certificate the
> first time he makes a connection.
> See steps 7 and 8 of
> It seems that the list of trusted roots for WPA2 is different from the
> list of trusted roots used by your browser.
> If your goal is just to let the user validate the certificate, instead
> of modifying the connection (it is tricky and error prone) just let them
> manually validate the certificate the first time they connect, it is
> faster, easier and goes in the flow.
> > My questions are:
> > 1- In this context, is it correct to say the Server Certificate Windows is
> > referring to is a file somewhere in the /etc/freeradius directory? If
> > positive, what does it look like? A .pem file? A .der file?
> > 2- Is it correct to hope that "if WiFi guests are somehow given such a
> > Server Certificate file before trying to connect, they won't need to
> > Protected EAP Properties" ?
> I never managed to do that.
Looking at , Eduroam's Windows process is much longer and error-prone
than Android's one.
My goal is to simplify this process on Windows machines to the point that
guests would only have to fill in their login/password after importing a
Do you think this can be achieved?
If I'm correctly reading your answer, the answer is (unfortunately) No.
> I hope that helps,
> > Best regards
> > 
> > -
> > List info/subscribe/unsubscribe? See
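Question 1 above asks what the server certificate Windows checks looks like on disk (a .pem or a .der file). The script below is an added example, not code from this thread or from FreeRADIUS: it detects whether a certificate file is PEM or DER, converts between the two with the standard-library helpers in `ssl`, and splits a PEM bundle into its individual certificates. The sample bytes in `SAMPLE_DER` are a constructed ASN.1 SEQUENCE, not a real certificate, so the script runs offline. It assumes the files in question are the certificate and CA files FreeRADIUS keeps in its certs directory; note that the `server.pem` FreeRADIUS generates there bundles the private key with the certificate, so the file to hand to guests is the CA certificate (`ca.pem` or `ca.der`), never `server.pem`.

```python
import base64
import re
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# Matches each certificate block in a PEM file; a CA file may carry several
# certificates (a chain), so every block is collected.
PEM_BLOCK = re.compile(
    re.escape(PEM_HEADER) + r"\s*(.*?)\s*" + re.escape(PEM_FOOTER), re.S
)


def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'pem', 'der' or 'unknown'."""
    if data.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return "pem"
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, tag byte 0x30.
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def to_der_list(data: bytes) -> list:
    """Return every certificate in the file as raw DER bytes."""
    fmt = detect_format(data)
    if fmt == "der":
        return [data]
    if fmt == "pem":
        text = data.decode("ascii")
        return [
            base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)
        ]
    raise ValueError("neither a PEM nor a DER certificate")


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (the form a .pem file stores)."""
    return ssl.DER_cert_to_PEM_cert(der)


def to_der(pem_text: str) -> bytes:
    """Inverse of to_pem for a single-certificate PEM string."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


# Constructed sample: a tiny DER SEQUENCE, *not* a real certificate, used only
# to exercise the format detection and conversion below.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])


def demo() -> dict:
    """Round-trip the sample through PEM and back; returns what was found."""
    pem = to_pem(SAMPLE_DER)
    bundle = pem + pem  # two certificates in one file, as in a CA chain
    return {
        "der_format": detect_format(SAMPLE_DER),
        "pem_format": detect_format(pem.encode("ascii")),
        "roundtrip_ok": to_der(pem) == SAMPLE_DER,
        "certs_in_bundle": len(to_der_list(bundle.encode("ascii"))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real file by replacing `SAMPLE_DER` with the bytes read from `ca.der` (or feed `ca.pem` to `to_der_list`); Windows imports either form of the CA certificate, and once that CA is in the machine's Trusted Root store the "Validate server certificate" default can stay enabled instead of being switched off.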