FR3 - EAP-[T]LS - Win10

Alan DeKok aland at
Mon Oct 14 02:42:13 CEST 2019

On Oct 13, 2019, at 2:31 PM, Ted Hyde (RSI) <thyde at> wrote:
> I've been tasked with rolling over some of our *pple *pads which were perfectly happy with EAP-TLS and an FR3 service to Win10 PC supplicants. Admittedly, the recent releases of iOS have EAP-TLS as a manual choice, and many of my commercial network friends advocate EAP-TTLS instead as most of their supplicants are people who BYOD and are thus user authenticated against a single huge network. For my instance, I want to stay with machine auth;  ...


> Having attempted WinXP/Vista/7/8.1 with the xpextensions fix but never actually having success with it a long time ago,

  The certificate scripts distributed with FreeRADIUS have been there (and worked) since 3.0.0 was released.

> I was trying to find recent tutorials (written preferably in 2019 at least) that walked through a path of FR3, EAP-TLS and Win10. I have not really been successful. Even the pointers to didn't pan out, (site seems to have been thinned of late)

  The content is the same as always.  Nothing has been deleted.  Maybe the screen caps aren't up to date with Windows 10, but the basic process hasn't changed.

  How about giving information about what you tried, and what went wrong?  "I tried stuff and it didn't work" isn't helpful.

> and I am of the belief through some other research that EAP-TLS is becoming less useful and EAP-TTLS is getting the preferential treatment despite apparently EAP-TTLS under certain conditions being ranked as "less secure" (PAP-leading, for example). I do recall a very in depth slide show a bit ago discussing that topic.

  Most of that discussion is nonsense.  You can do EAP-TTLS with client certificates if necessary.  The whole "less secure" thing is because people remember passwords.  They don't remember client certs.  But it's possible to install the same client cert on multiple machines.  Just like it's possible to enter one password on multiple machines.

> Does anyone have an FR3/EAP-[T]TLS/Win10 tutorial that is tested functional that they would be willing to point to?

  My site works.  If you have *specific* questions about one step, ask.

> If TTLS, is there a practice that would replicate the points above (the difficult to copy credential aspect in particular) of TLS? Cert generation would preferably be via openssl and FR3's scripting. Replicating certs to the remote sites is already part of my existing workflow.

  Use client certs with TTLS.  Many supplicants support it.

> And of course, the great opinion request - is EAP-TLS under FR3 against Win10 a lost proposition? One specific protocol and its traditional implementation may not be the only option here; out of the box thinking is encouraged, so suggest away.

  Tons of people use EAP-TLS, FreeRADIUS, and Windows 10.  It's fine.  It works.

  Alan DeKok.
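As an added illustration of the advice in the reply above (client certificates on EAP-TLS, and `require_client_cert` for "client certs with TTLS"), here is a trimmed `raddb/mods-available/eap` fragment for FreeRADIUS 3. This is an example written for this page, not text from the message or the FreeRADIUS distribution; the keyword names are the ones the shipped configuration uses, while the key password is a placeholder and the `${certdir}`/`${cadir}` paths assume the default `certs/` layout.

```conf
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = ${max_requests}

    # Shared TLS settings, referenced by both the tls and ttls sections below.
    tls-config tls-common {
        private_key_password = "CHANGE-ME-placeholder"
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        # CA that issued the client (machine) certificates.
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        # Set to yes (and keep a CRL in ca_path) once revocation is part of the workflow.
        check_crl = no
        cipher_list = "HIGH"
        ecdh_curve = "prime256v1"
        cache {
            enable = no
        }
    }

    # Pure EAP-TLS: the client certificate is the only credential.
    tls {
        tls = tls-common
    }

    # EAP-TTLS: usually a password inside the tunnel, but with
    # require_client_cert = yes the outer TLS handshake also demands a
    # client certificate, so a copied password alone is not enough.
    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        require_client_cert = yes
    }
}
```

Check the edited file with `radiusd -XC` before restarting. The Windows built-in supplicant validates the server certificate against the CA it is told to trust and expects the serverAuth extended key usage on it; the `xpextensions` file used by the certificate scripts in `certs/` is what adds that extension when `server.pem` is generated there.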
