EAP-TTLS works for MacOS supplicants but not Win10
Evan Sharp
evan.sharp at coastmountainacademy.ca
Thu Sep 17 00:56:19 CEST 2020
Hi Allan, Matthew, et al.
> So if OSX and Chrome "just work", then it's because someone is
> configuring it.
All respect guys, but these are dozens of K-12 student-owned BYODs. They
haven't received any configuration and they all work out of the gate as
operated by a 12 year old. I don't need to be right, but I don't know
enough about what I've configured to understand how it is working; do you
have any other ideas?
It makes sense to me that Win10 is being finicky about a cert, but since
installing one on these student-owned machines is something I want to
avoid, I want to get to the bottom of OSX's success in case it's replicable.
> "it just stops".
> 99% of the time it's a certificate issue.
Did you look at the end of my "failed bind" debug? Is that what this looks
like for sure? Is there any additional logging I can get besides `-X`?
Thanks,
Evan
On Tue, Sep 15, 2020 at 6:56 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Sep 15, 2020, at 6:49 PM, Evan Sharp <
> evan.sharp at coastmountainacademy.ca> wrote:
> >> The CA cert used by FreeRADIUS isn't configured on the Windows machine.
> >
> > Does that cert come pre-configured in MacOS and ChromeOS?
>
> No.
>
> > These are BYOD
> > computers so I haven't touched them, but all the Mac clients have been
> > plug-and-play.
>
> Someone poked something.
>
> For the last 3-4 years, OSX will *not* allow users to configure TTLS
> with certificates via the GUI. Instead, it has to be done via a
> mobileconfig file, or provisioning tool.
>
> So if OSX and Chrome "just work", then it's because someone is
> configuring it. They require some kind of configuration changes before
> they "just work".
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html