EAP-TTLS works for MacOS supplicants but not Win10

Evan Sharp evan.sharp at coastmountainacademy.ca
Thu Sep 17 00:56:19 CEST 2020

Hi Allan, Matthew, et al.

> So if OSX and Chrome "just work", then it's because someone is
configuring it.

All respect guys, but these are dozens of K-12 student-owned BYODs. They
haven't received any configuration and they all work out of the gate as
operated by a 12 year old. I don't need to be right, but I don't know
enough about what I've configured to understand how it is working; do you
have any other ideas?

It makes sense to me that Win10 is being finicky about a cert, but since
installing one on these student-owned machines is something I want to
avoid, I want to get to the bottom of OSX's success in case it's replicable.

> "it just stops".
> 99% of the time it's a certificate issue.

Did you look at the end of my "failed bind" debug? Is that what this looks
like for sure? Is there any additional logging I can get besides `-X`?


On Tue, Sep 15, 2020 at 6:56 PM Alan DeKok <aland at deployingradius.com>

> On Sep 15, 2020, at 6:49 PM, Evan Sharp <
> evan.sharp at coastmountainacademy.ca> wrote:
> >> The CA cert used by FreeRADIUS isn't configured on the Windows machine.
> >
> > Does that cert come pre-configured in MacOS and ChromeOS?
>   No.
> > These are BYOD
> > computers so I haven't touched them, but all the Mac clients have been
> > plug-and-play.
>   Someone poked something.
>   For the last 3-4 years, OSX will *not* allow users to configure TTLS
> with certificates via the GUI.  Instead, it has to be done via a
> mobileconfig file, or provisioning tool.
>   So if OSX and Chrome "just work", then it's because someone is
> configuring it.  They require some kind of configuration changes before
> they "just work".
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list