Cannot connect to Win10 PC with client certificate (no connection possible)

uj2.hahn at uj2.hahn at
Thu Jan 16 16:14:54 CET 2020

Hi, Alan and all!

On 16.01.2020 15:32, Alan DeKok wrote:
> On Jan 16, 2020, at 9:05 AM, uj2.hahn at wrote:
>> Hi!
>> I think I got it to work!!
>    That's good.  For the benefit of others reading this, what was wrong?
I tried so many things on Win 10 side and regenerated so many certs on 
freeradius side
that I finally lost the overview :-)
So I cannot say which detail made the deal.
However, this is what I did:
- install CA certificate on PC
- install client certificate on PC ( the one which looks like an 
email..., remember the common-name
   because this is the username which will be used for your radius 
- now create a WLAN profile for this which confused me most because it 
is a pain on Win 10!
   Properties for wireless networks: (I translate that from my German 
PC, so the correct English
   wording might be slightly different):
   Security settings:
   > Security type: WPA2-Enterprise
   > Encryption type: AES
   > Method for network authentification: Microsoft: Secured EAP (PEAP)
      -> Settings:
          - check server by certificate
          - authentification method: secured password (EAP-MSCHAP v2)
             * Setting: disable usage of own Win credentials
          - enable fast recovery of connection (the other check boxes 
are not enabled)
   > Advanced settings:
      -> authentification mode: User authentification

I currently use freeradius with LDAP on OpenLDAP. Here I had to add a 
user which is the
same as the common-name in my client certificate above.
At the very end it is not soooooo complicated (as everything you finally 
understood). But
the learning cycle was long.
>> To refresh the memory: Radius based WLAN access control in a school for students and teachers. But there
>> are some school-owned Win 10 tablets which should be able to login automatically via Radius client certificates.
>> It seems it is working now! Thanks for your great support!
>    Good to hear.
>> Can you guys do me the favor to confirm that everything is going right with the certs (see debug file below)?
>    If there's an Access-Accept and the system gets on WiFi, it's OK.  Nothing else matters.
>> Once you confirm, then I have a new question:
>> We use a Captive Portal connected to the freeradius server. This is fine to let user accept terms and conditions etc.
>> But for the special user behind the client certificate ("RadiusClient") we don't want to see this Captive Portal web site.
>> Is there anything freeradius can do or is it purely a CP configuration thing?
>    You need to bypass the captive portal completely.  It has nothing to do with FreeRADIUS.
>    Typically you have a "closed" SSID which requires EAP / certificates.  Then, you have an "open" SSID which is controlled by the captive portal.  You can't mix & match EAP and captive portals.  The protocols are designed to make this impossible.
>    Alan DeKok.

Yes, I expected that answer and configured the CP already exactly as you 
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list