EAP-TTLS works for MacOS supplicants but not Win10

Alan DeKok aland at deployingradius.com
Thu Sep 17 21:24:01 CEST 2020

On Sep 17, 2020, at 3:20 PM, Evan Sharp <evan.sharp at coastmountainacademy.ca> wrote:
> No. They are using their Google Cloud Identity credentials since freeRADIUS
> is binding on Google Secure LDAP.

  *Something* is telling the devices to allow your CA.  This does *not* happen automatically.

> Is it possible that the AP controller is not passing the cert request back
> to the supplicant and instead is answering RADIUS with the key I installed?

  I have no idea what that means.  What "key" did you install?

  The AP doesn't do certs, and doesn't know about them.  It just passes packets back and forth between the end-user device, and the RADIUS server.

> This would explain how a tunnel is being established without a cert on the
> BYOD. Midway in the first passthrough:

  The end user device DOES have a certificate configured.

>   1. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
>   the rest of authorize
>   2. (0) [eap] = ok

  That's just the start of the EAP conversation.  It is LONG before any certificate exchange.

  Alan DeKok.
