Windows 10 EAP-TTLS with client certificate
mcn at freeradius.org
Wed Jan 22 13:48:18 CET 2020
On Wed, 2020-01-22 at 08:08 +0100, Tomasz Wolniewicz wrote:
> W dniu 22.01.2020 o 03:13, Alan DeKok pisze:
> > On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate at inf-it.com> wrote:
> > > I successfully installed and configured our FreeRADIUS server
> > > with the following results:
> > >
> > > EAP-TLS => works on Windows 10, iOS 13, macOS 10.15
> > > (Catalina)
> > > EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13,
> > > macOS 10.15
> > > EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on
> > > Windows 10, but works on iOS 13, macOS 10.15
> > Windows doesn't do client certificates for TTLS. :(
> You can certainly configure EAP-TLS as the inner method for TTLS in
> the native Windows 10 TTLS, not sure if it will actually work though.
PEAP/EAP-TLS definitely works (or, at least it works on Windows 7). The
only real benefit was to get SoH along with EAP-TLS.
But as Microsoft removed SoH in Windows 10, there's not likely much
point having PEAP in the mix any more, it just adds round trips.
I'm guessing that EAP-TTLS/EAP-TLS may also work if the above still
works, but again doubt there's much point.
The obvious benefit to client certificates with PEAP or EAP-TTLS
directly would be to require presentation of a client certificate
(outer) alongside the username and password (inner). Unless they've
changed something recently, as Alan said, that's not possible.
More information about the Freeradius-Users