Windows 10: EAP-TTLS certificate not trusted

Joseph freerad-user-created at optimusride.com
Mon Mar 16 20:44:10 CET 2020


To respond to myself,

I was able to make Google LDAP + FreeRADIUS + PAP authentication on
Windows 10 work by manually creating a connection in Windows. It is
not possible to _edit_ a connection and establish the settings that I
needed.

For this, you'll create a new network connection through the Network
and Sharing center. Create a new Wireless network, with WPA-Enterprise
security. Next. You'll have an option to change the network settings,
so don't Finish, and instead change settings. These options are not
available through any GUI that I've found after the connection is
created.
Specify:
- network authentication security method: Microsoft: EAP-TTLS
- Enable Identity Privacy (checked)
- Connect to these servers:
  - Specify the DNS alt-name of the SSL certificate that you're using
(the one signed by a trusted CA)
- Trusted Root Certification Authorities:
  - Select _only_ the CA root that vouches for the above certificate
- Client authentication: Unencrypted PAP
- Ok ok ok save finish.

I'm not able to do this merely with a certificate that is signed by a
trusted CA -- I specifically have to tell Windows _which_ RADIUS
server to connect to (Connect to these servers). Unsure how/why/if
this differs from an Active Directory domain, as again I'm using
Google LDAP and not AD.

I can then use `netsh` to export the wlan profile and import it on
other machines (and maybe netsh can even change the settings).
Currently I have a script set up to echo the whole wlan profile to a
temp file (echo because when you run as admin it changes from the
script's directory) and import from that temp file, all in one .cmd
script.

Testing suggests Windows stores the user credentials in a local store
for re-connecting to the wireless network, so users only have to log
in once.


Joe


On Wed, Mar 4, 2020 at 2:44 PM Joseph
<freerad-user-created at optimusride.com> wrote:
>
> Hi, I'm trying to get EAP-TTLS set up, but the certificate is always
> asking for verification. This is failing on Windows 10, but tests out
> ok (without complaining) with eapol_test, radtest, and Ubuntu 16.04.
>
> "Continue connecting?
> "If you expect to find your-wifi in this location, go ahead and
> connect. Otherwise, it may be a different network with the same name.
> "Server thumbprint: 21 4B 37 ED  ..."
>
> This matches what I expect. The certificate information, on the radius server:
> $ openssl x509 -in server.pem -noout -text -fingerprint -sha256
>         Issuer: C = FR, ST = Radius, L = Somewhere, O = Example Inc.,
> emailAddress = admin at example.org, CN = Example Certificate Authority
>         Validity
>             Not Before: Mar  4 19:20:40 2020 GMT
>             Not After : May  3 19:20:40 2020 GMT
>         Subject: C = FR, ST = Radius, O = Example Inc., CN =
> radius.internal.mydomain.com
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>             X509v3 CRL Distribution Points: <present>
>             X509v3 Subject Alternative Name:
>                 DNS:radius.internal.mydomain.com
> SHA256 Fingerprint=21:4B:37:ED:90:D8:...
>
> This seems to meet the requirements of
> https://wiki.freeradius.org/guide/Certificate_Compatibility (extended
> key usage) and https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
> (CN and SAN defined and the same, not wild card, extended key usage:
> authentication, age). TLS1.2 is enabled and shows to be used (Windows
> 8+ requirement)
>
> The CA certificate is added to Windows, Local computer, Trusted Root
> Certification Authorities:
> Example Certification Authority
> valid from: 3/3/2020 to 5/2/2020
> CN = Example Certificate Authority, E = admin at example.org, O = Example
> Inc., L = Somewhere, S = Radius, C = FR
> Thumbprint: 4758ae7e
>
> Verifying this on the radius server,
> freerad at radius:~/3.0/certs$ openssl verify -verbose -CAfile ca.pem server.pem
> server.pem: OK
> $ openssl x509  -noout -in ca.pem  -fingerprint -sha1
> SHA1 Fingerprint=47:58:AE:7E...
>
> The radius server certificate would seem to be trusted. Does anyone
> know what I might be missing? ldap/eap configuration taken from
> https://github.com/hacor/unifi-freeradius-ldap, and I substituted in
> the ssl certificates. (Could the problem originate here?)
>


More information about the Freeradius-Users mailing list