Windows 10 EAP-TTLS with client certificate
Ján Máté
jan.mate at inf-it.com
Wed Jan 22 02:26:18 CET 2020
Hi Arran,
the require_client_cert was set to true during my "EAP-TTLS + PAP (LDAP auth) + client cert" tests ... is there anything else to try?
Regards,
JM
> On 22 Jan 2020, at 02:20, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>
>
>> On 21 Jan 2020, at 20:02, Ján Máté <jan.mate at inf-it.com> wrote:
>>
>> Hi list,
>>
>> I successfully installed and configured our FreeRADIUS server with the following results:
>>
>> EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina)
>> EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15
>> EAP-TTLS + PAP (LDAP auth) + client cert => does NOT work on Windows 10, but works on iOS 13, macOS 10.15
>>
>> The last option with Windows 10 produces the following error logs:
>>
>> (185) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
>> tls: TLS_accept: Error in error
>
> Mmm, an error in the error, OK.
>
>> (185) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
>
> That's a bit better.
>
>> (185) eap_ttls: ERROR: System call (I/O) error (-1)
>> (185) eap_ttls: ERROR: TLS receive handshake failed during operation
>> (185) eap_ttls: ERROR: [eaptls process] = fail
>> (185) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
>
> You could try requiring the client certificate:
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c#L84
>
> But I honestly can't remember if that alters the handshake data the server sends to the client or just forces a handshake failure if the client doesn't provide a certificate.
>
> Try it and report back :)
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
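A log-triage sketch for the failure quoted in this thread, added here as an example and not code from either poster or from FreeRADIUS: it groups debug error lines by request number and flags EAP-TTLS sessions whose OpenSSL error reason is "peer did not return a certificate". The sample log is constructed from the lines quoted above plus a made-up request 186; the function names and the rule that an unprefixed line belongs to the preceding request are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: debug lines quoted in the thread, plus a made-up
# request (186) that fails for a different reason.
SAMPLE_LOG = """\
(185) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(185) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(185) eap_ttls: ERROR: System call (I/O) error (-1)
(185) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(186) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(186) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
"""

# "(185) eap_ttls: ERROR: ..." -> request number, module, message
REQ_LINE = re.compile(r"^\((\d+)\)\s+(\w+):\s+ERROR:\s+(.*)$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")
NO_CERT_REASON = "peer did not return a certificate"

def triage(log_text):
    """Group error lines by request number and collect OpenSSL errors."""
    sessions = defaultdict(lambda: {"modules": set(), "openssl": [], "lines": 0})
    current = None
    for line in log_text.splitlines():
        m = REQ_LINE.match(line)
        if m:
            current = int(m.group(1))
            sessions[current]["modules"].add(m.group(2))
        elif current is None or not line.strip():
            continue  # nothing to attach an unprefixed or blank line to
        # Assumption: an unprefixed line belongs to the preceding request.
        sessions[current]["lines"] += 1
        err = OPENSSL_ERR.search(line)
        if err:
            code, _lib, func, reason = err.groups()
            sessions[current]["openssl"].append((code.upper(), func, reason.strip()))
    return dict(sessions)

def missing_client_cert(log_text):
    """Request numbers of EAP-TTLS sessions where the peer sent no certificate."""
    return sorted(
        rid for rid, s in triage(log_text).items()
        if "eap_ttls" in s["modules"]
        and any(reason == NO_CERT_REASON for _, _, reason in s["openssl"])
    )
```

Calling `missing_client_cert()` on a saved debug log separates supplicants that never presented a certificate from those that failed for another reason, such as the constructed request 186.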
More information about the Freeradius-Users mailing list