Cannot connect to Win10 PC with client certificate (no connection possible)
uj2.hahn at posteo.de
Thu Jan 16 16:14:54 CET 2020
Hi, Alan and all!
On 16.01.2020 15:32, Alan DeKok wrote:
> On Jan 16, 2020, at 9:05 AM, uj2.hahn at posteo.de wrote:
>> Hi!
>> I think I got it to work!!
> That's good. For the benefit of others reading this, what was wrong?
I tried so many things on the Win 10 side and regenerated so many certs on
the freeradius side that I finally lost the overview :-)
So I cannot say which detail made the deal.
However, this is what I did:
- install CA certificate on PC
- install client certificate on PC (the one which looks like an
email..., remember the common-name, because this is the username which
will be used for your radius authorization)
- now create a WLAN profile for this, which confused me most because it
is a pain on Win 10!
Properties for wireless networks: (I translate that from my German PC,
so the correct English wording might be slightly different):
Security settings:
> Security type: WPA2-Enterprise
> Encryption type: AES
> Method for network authentication: Microsoft: Secured EAP (PEAP)
-> Settings:
- check server by certificate
- authentication method: secured password (EAP-MSCHAP v2)
* Setting: disable usage of own Win credentials
- enable fast recovery of connection (the other check boxes
are not enabled)
> Advanced settings:
-> authentication mode: User authentication
I currently use freeradius with LDAP on OpenLDAP. Here I had to add a
user which is the
same as the common-name in my client certificate above.
At the very end it is not soooooo complicated (as everything you finally
understood). But
the learning cycle was long.
>
>> To refresh the memory: Radius based WLAN access control in a school for students and teachers. But there
>> are some school-owned Win 10 tablets which should be able to login automatically via Radius client certificates.
>> It seems it is working now! Thanks for your great support!
> Good to hear.
>
>> Can you guys do me the favor to confirm that everything is going right with the certs (see debug file below)?
> If there's an Access-Accept and the system gets on WiFi, it's OK. Nothing else matters.
>
>> Once you confirm, then I have a new question:
>> We use a Captive Portal connected to the freeradius server. This is fine to let user accept terms and conditions etc.
>> But for the special user behind the client certificate ("RadiusClient") we don't want to see this Captive Portal web site.
>> Is there anything freeradius can do or is it purely a CP configuration thing?
> You need to bypass the captive portal completely. It has nothing to do with FreeRADIUS.
>
> Typically you have a "closed" SSID which requires EAP / certificates. Then, you have an "open" SSID which is controlled by the captive portal. You can't mix & match EAP and captive portals. The protocols are designed to make this impossible.
>
> Alan DeKok.
Yes, I expected that answer and configured the CP already exactly as you
proposed.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html