EAP-TTLS works for MacOS supplicants but not Win10

Evan Sharp evan.sharp at coastmountainacademy.ca
Thu Sep 17 21:20:19 CEST 2020 

Hi Allan,

Do they connect to your network using credentials you supply?


No. They are using their Google Cloud Identity credentials since freeRADIUS
is binding on Google Secure LDAP.

 So far as I'm aware *all* modern operating systems don't allow the user to
> configure EAP-TTLS or PEAP.  *All* systems refuse to accept even known CAs
> (i.e. web ones), unless the CA is enabled for EAP.


Is it possible that the AP controller is not passing the cert request back
to the supplicant and instead is answering RADIUS with the key I installed?
This would explain how a tunnel is being established without a cert on the
BYOD. Midway in the first passthrough:


   1. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
   the rest of authorize
   2. (0) [eap] = ok


@Alan Buxey, Eduroam is a sledgehammer for my little school. The juice is
not worth the squeeze for me, but thanks for the suggestion.

I do appreciate the ongoing help guys.

Evan

On Wed, Sep 16, 2020 at 5:31 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Sep 16, 2020, at 6:56 PM, Evan Sharp <
> evan.sharp at coastmountainacademy.ca> wrote:
> >
> > Hi Allan, Matthew, et al.
> >
> >> So if OSX and Chrome "just work", then it's because someone is
> > configuring it.
> >
> > All respect guys, but these are dozens of K-12 student-owned BYODs.
>
>   Do they connect to your network using credentials you supply?
>
> https://support.google.com/chrome/a/answer/2634553?hl=en
>
>         • On Chrome OS versions 61–72,  certificates added to an
> organizational unit are available to both network settings and kiosk apps
> on devices. On earlier versions, certificates are only available to the
> network settings on a device.
>
> > They
> > haven't received any configuration and they all work out of the gate as
> > operated by a 12 year old. I don't need to be right, but I don't know
> > enough about what I've configured to understand how it is working; do you
> > have any other ideas?
>
>   So far as I'm aware *all* modern operating systems don't allow the user
> to configure EAP-TTLS or PEAP.  *All* systems refuse to accept even known
> CAs (i.e. web ones), unless the CA is enabled for EAP.
>
>   I suspect what's happening is that they Chrome devices are pulling the
> certificate information from your systems.  So someone, somewhere, set it
> up for your network.
>
> > It makes sense to me that Win10 is being finicky about a cert, but since
> > installing one on these student-owned machines is something I want to
> > avoid, I want to get to the bottom of OSX's success in case it's
> replicable.
> >
> >> "it just stops".
> >> 99% of the time it's a certificate issue.
> >
> > Did you look at the end of my "failed bind" debug?
>
>   Yes... that *is* what I do about 10 times a day.
>
> > Is that what this looks like for sure?
>
>   Yes, I'm not going to change my answer is you ask again.
>
> > Is there any additional logging I can get besides `-X`?
>
>   No amount of additional FreeRADIUS logging will tell you what's going
> wrong with Windows.
>
>   In fact, if the client keeps trying EAP, the debug output will print out
> a huge warning, and point you to a Wiki page.  That page describes exactly
> what's going wrong, and how to fix it.
>
>   Hint: configure Windows correctly.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list