Windows 10 EAP-TTLS with client certificate
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Jan 22 15:43:38 CET 2020
> On Jan 22, 2020, at 7:48 AM, Matthew Newton <mcn at freeradius.org> wrote:
>
> On Wed, 2020-01-22 at 08:08 +0100, Tomasz Wolniewicz wrote:
>> On 22.01.2020 at 03:13, Alan DeKok wrote:
>>> On Jan 21, 2020, at 8:02 PM, Ján Máté <jan.mate at inf-it.com> wrote:
>>>> I successfully installed and configured our FreeRADIUS server
>>>> with the following results:
>>>>
>>>> EAP-TLS => works on Windows 10, iOS 13, macOS 10.15
>>>> (Catalina)
>>>> EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13,
>>>> macOS 10.15
>>>> EAP-TTLS + PAP (LDAP auth) + client cert => does NOT work on
>>>> Windows 10, but works on iOS 13, macOS 10.15
>>>
>>> Windows doesn't do client certificates for TTLS. :(
>>
>> You can certainly configure EAP-TLS as the inner method for TTLS in
>> the native Windows 10 TTLS, not sure if it will actually work though.
>
> PEAP/EAP-TLS definitely works (or, at least it works on Windows 7). The
> only real benefit was to get SoH along with EAP-TLS.
>
> But as Microsoft removed SoH in Windows 10, there's not likely much
> point having PEAP in the mix any more, it just adds round trips.
>
> I'm guessing that EAP-TTLS/EAP-TLS may also work if the above still
> works, but again doubt there's much point.
>
> The obvious benefit to client certificates with PEAP or EAP-TTLS
> directly would be to require presentation of a client certificate
> (outer) alongside the username and password (inner). Unless they've
> changed something recently, as Alan said, that's not possible.
Yeah, true. The supplicant would need to send credentials in the inner tunnel in addition to running EAP-TLS, which the Windows supplicant doesn't support.
I guess the OP is SOL then :(
-Arran
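The server side of the setup Matthew describes (outer client certificate required, username and password inside the tunnel) is straightforward on FreeRADIUS 3.0; the limitation discussed in the thread is purely on the Windows supplicant. The following configuration fragment is an added example, not from the thread or copied from the FreeRADIUS distribution: `require_client_cert = yes` in the `ttls` block makes the outer TLS handshake fail when the client presents no certificate, and a small inner-tunnel policy cross-checks the certificate's CN against the tunnelled User-Name so that a valid certificate cannot be paired with somebody else's password. The certificate paths, the `tls-common` config name, and the CN-equals-username convention are assumptions; the `eap` and `inner-tunnel` blocks are abbreviated to the settings that matter here, with everything else left at the distribution defaults.

```unlang
# mods-available/eap (FreeRADIUS 3.0.x), abbreviated. Added example:
# paths and the "tls-common" name are assumptions, not the thread's config.
eap {
	default_eap_type = ttls
	certdir = ${confdir}/certs
	cadir = ${confdir}/certs

	tls-config tls-common {
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		# Client certificates are validated against this CA during the
		# outer handshake; TLS-Client-Cert-* attributes are then added
		# to the outer request.
		ca_file = ${cadir}/ca.pem
	}

	ttls {
		tls = tls-common
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
		# Fail the outer TLS handshake if the supplicant sends no
		# client certificate. iOS/macOS send one for TTLS; per the
		# thread the native Windows 10 supplicant does not, so those
		# clients will be rejected here.
		require_client_cert = yes
	}
}

# sites-available/inner-tunnel, authorize section. Added policy: the
# tunnelled identity must match the CN of the outer client certificate.
authorize {
	# No certificate attributes in the outer request means the outer
	# side did not verify a client certificate: reject defensively.
	if ("%{outer.request:TLS-Client-Cert-Common-Name}" == "") {
		reject
	}

	# Assumption: user certificates are issued with CN = login name.
	if ("%{outer.request:TLS-Client-Cert-Common-Name}" != "%{User-Name}") {
		update reply {
			Reply-Message := "Client certificate does not match the tunnelled identity"
		}
		reject
	}

	# Usual inner-tunnel handling follows: LDAP lookup and PAP, as in
	# the OP's working EAP-TTLS + PAP (LDAP auth) setup.
	ldap
	pap
}
```

With `require_client_cert = yes` the failure for a client without a certificate happens in the outer TLS handshake, so `radiusd -X` shows the TLS alert rather than an inner-tunnel reject; the CN mismatch case, by contrast, shows up as a reject inside the inner-tunnel request, which is a quick way to tell the two conditions apart when testing with a supplicant that does support client certificates on TTLS.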