Windows 10: EAP-TTLS certificate not trusted

Alan DeKok aland at deployingradius.com
Fri Mar 6 15:47:35 CET 2020


On Mar 4, 2020, at 2:44 PM, Joseph <freerad-user-created at optimusride.com> wrote:
> 
> Hi, I'm trying to get EAP-TTLS set up, but the certificate is always
> asking for verification. This is failing on Windows 10, but tests out
> ok (without complaining) with eapol_test, radtest, and Ubuntu 16.04.

  Because those systems are a little more forgiving, *and* they give you useful information about what goes wrong.

> This matches what I expect. The certificate information, on the radius server:

  That's good.

> This seems to meet the requirements of
> https://wiki.freeradius.org/guide/Certificate_Compatibility (extended
> key usage) and https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
> (CN and SAN defined and the same, not wild card, extended key usage:
> authentication, age). TLS1.2 is enabled and shows to be used (Windows
> 8+ requirement)

  Yes.

  But... it's Windows.  It decides it doesn't like things, and then doesn't work.  Why does it do this?  Who knows... and Windows definitely won't give you any hints here.

> The radius server certificate would seem to be trusted. Does anyone
> know what I might be missing?

  Maybe it doesn't like short-lived certificates?

> ldap/eap configuration taken from
> https://github.com/hacor/unifi-freeradius-ldap, and I substituted in
> the ssl certificates. (Could the problem originate here?)

  Maybe, but likely not.

  As an aside, I'm not sure why this third-party documentation is needed.  The server comes with *extensive* documentation on getting EAP and LDAP to work.  Just follow the comments, do some simple tests, and it should be quick.

> The only thing missing is MTU/packet fragmentation, but I'm under the
> impression that's not happening -- or hoping. My network is just APs
> connected to a switch which routes to FreeRADIUS. FreeRADIUS then uses
> Google LDAP for authentication as EAP-TTLS/PAP.

  The only option here is to get some more logs from Windows as to *why* it doesn't like the certificate.  No amount of poking FreeRADIUS will get you that information.

  Alan DeKok.
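An added example, not code from the thread or from FreeRADIUS: a shell script that runs a server certificate through the checks Joseph listed from the FreeRADIUS and GEANT pages (serverAuth EKU, CN and SAN both set and consistent, no wildcard) and prints its validity window, since certificate lifetime is one of the things Alan wonders about. It assumes openssl(1) 1.1.1 or newer on PATH; the two certificates it generates for its self-test are constructed here and are not from the poster's setup. It does not tell you why Windows rejected a certificate, which, as Alan says, only the Windows side can answer; it rules out the documented causes before you go digging for those logs.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from FreeRADIUS. Checks a PEM
# certificate against the EAP server certificate requirements quoted in the
# thread: EKU includes TLS Web Server Authentication (serverAuth), CN and SAN
# are both set and the CN appears in the SAN, no wildcard names, and the
# certificate is currently valid (the validity window is printed so a short
# lifetime is visible). Assumes openssl(1) 1.1.1 or newer on PATH.

# Print one line per check; return 0 if every check passes, 1 otherwise.
check_eap_server_cert() {
    local pem="$1" rc=0 text cn sans

    text=$(openssl x509 -in "$pem" -noout -text) || return 1

    # Subject CN. RFC2253 output is "subject=O=...,CN=host"; CN is one token.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')

    # SAN DNS names, one per line. In the -text dump the names sit on the
    # line after the extension header, comma separated.
    sans=$(printf '%s\n' "$text" |
           grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
           tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p')

    # 1. Extended Key Usage must carry serverAuth.
    if printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
       grep -q 'TLS Web Server Authentication'; then
        echo "ok    EKU includes serverAuth"
    else
        echo "FAIL  EKU does not include serverAuth"; rc=1
    fi

    # 2. CN present.
    if [ -n "$cn" ]; then
        echo "ok    CN=$cn"
    else
        echo "FAIL  no CN in subject"; rc=1
    fi

    # 3. SAN present with at least one DNS name.
    if [ -n "$sans" ]; then
        echo "ok    SAN DNS names: $(printf '%s' "$sans" | tr '\n' ' ')"
    else
        echo "FAIL  no DNS subjectAltName"; rc=1
    fi

    # 4. The CN must also appear in the SAN (supplicants match on the SAN).
    if [ -n "$cn" ] && printf '%s\n' "$sans" | grep -qxF -- "$cn"; then
        echo "ok    CN is listed in SAN"
    else
        echo "FAIL  CN is not listed in SAN"; rc=1
    fi

    # 5. No wildcard anywhere in CN or SAN.
    case "$cn$sans" in
        *'*'*) echo "FAIL  wildcard name present"; rc=1 ;;
        *)     echo "ok    no wildcard names" ;;
    esac

    # 6. Currently valid; print the window so the lifetime can be judged.
    if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "ok    $(openssl x509 -in "$pem" -noout -startdate -enddate | tr '\n' ' ')"
    else
        echo "FAIL  certificate is expired"; rc=1
    fi

    return "$rc"
}

# Constructed test material (not real certificates): one that meets every
# check and one that fails several (wildcard CN, no SAN, no EKU).
make_test_certs() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 397 \
        -keyout "$dir/good.key" -out "$dir/good.pem" \
        -subj "/CN=radius.example.org/O=Example RADIUS" \
        -addext "subjectAltName=DNS:radius.example.org" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 397 \
        -keyout "$dir/bad.key" -out "$dir/bad.pem" \
        -subj "/CN=*.example.org/O=Example RADIUS" 2>/dev/null
}

# Usage: ./check-eap-cert.sh server.pem
# With no argument, the two constructed certificates are checked instead.
if [ "$#" -gt 0 ]; then
    check_eap_server_cert "$1"
else
    workdir=$(mktemp -d)
    make_test_certs "$workdir"
    echo "== constructed good certificate =="
    check_eap_server_cert "$workdir/good.pem"
    echo "== constructed bad certificate =="
    check_eap_server_cert "$workdir/bad.pem" || true
    rm -rf "$workdir"
fi
```

Run it against the certificate FreeRADIUS actually serves (the file named by certificate_file in the eap module's tls section), not the CA file; a clean run means the certificate meets the documented requirements and the fault lies in how the Windows supplicant profile trusts the issuing CA, which only the Windows event logs will show.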

More information about the Freeradius-Users mailing list