Windows 10 EAP-TTLS with client certificate
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Jan 22 02:20:08 CET 2020
> On 21 Jan 2020, at 20:02, Ján Máté <jan.mate at inf-it.com> wrote:
>
> Hi list,
>
> I successfully installed and configured our FreeRADIUS server with the following results:
>
> EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina)
> EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15
> EAP-TTLS + PAP (LDAP auth) + client cert => does NOT work on Windows 10, but works on iOS 13, macOS 10.15
>
> The last option with Windows 10 produces the following error logs:
>
> (185) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
> tls: TLS_accept: Error in error
Mmm, an error in the error, OK.
> (185) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
That's a bit better.
> (185) eap_ttls: ERROR: System call (I/O) error (-1)
> (185) eap_ttls: ERROR: TLS receive handshake failed during operation
> (185) eap_ttls: ERROR: [eaptls process] = fail
> (185) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
You could try requiring the client certificate:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c#L84
But I honestly can't remember if that alters the handshake data the server sends to the client or just forces a handshake failure if the client doesn't provide a certificate.
Try it and report back :)
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
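The setting Arran links to is the `require_client_cert` item of the `ttls` section in the `eap` module configuration (raddb/mods-available/eap in 3.0.x). As an added illustration, not part of the original thread or the FreeRADIUS distribution, the block below shows the default beside the setting to try; the `tls-common`, `default_eap_type` and `virtual_server` values are assumed from the stock 3.0.x sample config and may differ in your installation:

```conf
# raddb/mods-available/eap (FreeRADIUS 3.0.x) - added example, not from the thread.
# Other items in the eap { } block are omitted; only the ttls sub-section is shown.
eap {
	ttls {
		# Assumed names from the stock sample config.
		tls = tls-common
		default_eap_type = md5
		virtual_server = "inner-tunnel"

		# Default: the outer TTLS handshake completes whether or not
		# the supplicant sends a client certificate.
		#require_client_cert = no

		# What the reply suggests trying: abort the outer TTLS
		# handshake unless the supplicant presents a certificate.
		require_client_cert = yes
	}
}
```

After changing it, run the server in debug mode (`radiusd -X`) and repeat the Windows 10 attempt. Whether the flag also changes what the server sends during the handshake, or only turns a missing certificate into a fatal error, is exactly what the reply leaves open, so the debug output is the thing to compare: look at the `eap_ttls` lines around the TLS handshake and at whether the `peer did not return a certificate` error from `tls_process_client_certificate` is still the failure point.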