Windows 10: EAP-TTLS certificate not trusted
aland at deployingradius.com
Fri Mar 6 15:47:35 CET 2020
On Mar 4, 2020, at 2:44 PM, Joseph <freerad-user-created at optimusride.com> wrote:
> Hi, I'm trying to get EAP-TTLS set up, but the certificate is always
> asking for verification. This is failing on Windows 10, but tests out
> ok (without complaining) with eapol_test, radtest, and Ubuntu 16.04.
Because those systems are a little more forgiving, *and* they give you useful information about what goes wrong.
> This matches what I expect. The certificate information, on the radius server:
> This seems to meet the requirements of
> https://wiki.freeradius.org/guide/Certificate_Compatibility (extended
> key usage) and https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
> (CN and SAN defined and the same, not wild card, extended key usage:
> authentication, age). TLS1.2 is enabled and shows to be used (Windows
> 8+ requirement)
But... it's Windows. It decides it doesn't like things, and then doesn't work. Why does it to this? Who knows... and Windows definitely won't give you any hints here.
> The radius server certificate would seem to be trusted. Does anyone
> know what I might be missing?
Maybe it doesn't like short-lived certificates?
> ldap/eap configuration taken from
> https://github.com/hacor/unifi-freeradius-ldap, and I substituted in
> the ssl certificates. (Could the problem originate here?)
Maybe, but likely not.
As an aside, I'm not sure why these third-party documentation is needed. The server comes with *extensive* documentation on getting EAP and LDAP to work. Just follow the comments, do some simple tests, and it should be quick.
> The only thing missing is MTU/packet fragmentation, but I'm under the
> impression that's not happening -- or hoping. My network is just APs
> connected to a switch which routes to FreeRADIUS. FreeRADIUS then uses
> Google LDAP for authentication as EAP-TTLS/PAP.
The only option here is to get some more logs from Windows as to *why* it doesn't like the certificate. No amount of poking FreeRADIUS will get you that information.
More information about the Freeradius-Users