EAP-TLS host certificates
Alan DeKok
aland at deployingradius.com
Thu Jan 28 14:29:04 CET 2021
On Jan 26, 2021, at 8:30 AM, Vieri Di Paola <vieridipaola at gmail.com> wrote:
> Now, most of my clients are Windows 10 and just a few Windows 7. They
> can access with PEAP mschap-v2 via WiFi.
>
> I am now trying to configure WiFi access with EAP-TLS and host certificates.
>
> Please bear with me as I haven't handled freeradius for years now, and
> I'm a bit rusty.
TBH, the FreeRADIUS side is simple. Make the test certs, and start the server.
> I already have a custom Signing Authority (ca.pem).
> So, within /etc/raddb/certs I ran the following after adjusting the
> corresponding *.cnf files:
>
> # make server.pem
> # make server.csr
> # make inner-server.pem
> # make client.pem
That's good.
> The Windows 10 client has imported both the CA in trusted roots and
> the client certificate in the "local computer" store. I chose the
> common name "PC2036" (see below).
That might work... it depends. Windows has a few certificate stores. If you put the certs into the wrong one, then EAP-TLS won't work.
> The wireless connection is set up with a "smart card or other
> certificate" (computer account).
I'm not sure that will work. You're better off using a user account, and putting the certs into the local cert store for the *user*.
> (132) Sent Access-Challenge Id 67 from 10.215.144.91:1812 to
> 192.168.216.36:58425 length 0
> (132) EAP-Message = 0x018b00060d20
> (132) Message-Authenticator = 0x00000000000000000000000000000000
> (132) State = 0x007a782400f175f114c01cbf42164dc9
> (132) Finished request
> Waking up in 4.9 seconds.
> (132) Cleaning up request packet ID 67 with timestamp +2318
> Ready to process requests
>
>
> I then read this:
> https://wiki.freeradius.org/guide/certificate-compatibility
Exactly.
> So I decided to replace the whole certificate directory just to make
> sure the test certs work.
Huh? The wiki page above doesn't say to replace the whole cert directory. It says to import the certificates into the *correct* certificate store on Windows.
Put the certificates into the correct Windows certificate store. Nothing else will make EAP-TLS work.
Alan DeKok.
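A PowerShell check, added here as an example and not code from the thread or from FreeRADIUS, that reports which Windows certificate stores hold the client certificate and its issuing CA and warns when a user-account profile would not find them. The CN PC2036 comes from the thread; the CA name "Example CA" and both function names are placeholders.

```powershell
# Added example; not code from the thread or from FreeRADIUS. It reports where a
# Windows host holds the EAP-TLS client certificate and its issuing CA, since a
# certificate in the user store versus the computer store is the mismatch Alan
# points at. CN "PC2036" is from the thread; "Example CA" is a placeholder for
# the subject of your ca.pem.
function Find-EapTlsCerts {
    param([string]$ClientCN = 'PC2036', [string]$CaName = 'Example CA')
    # "My" = Personal store, "Root" = Trusted Root Certification Authorities.
    # CurrentUser stores are seen by a profile authenticating as the user;
    # LocalMachine stores by a profile authenticating as the computer.
    $stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My',
              'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
    foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
            $role = $null
            if ($cert.Subject -like "*CN=$ClientCN*") { $role = 'client' }
            elseif ($cert.Subject -like "*$CaName*")  { $role = 'ca' }
            if ($role) {
                [pscustomobject]@{
                    Store = $store; Role = $role; Subject = $cert.Subject
                    Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey   # client cert needs its key
                }
            }
        }
    }
}

function Test-EapTlsStores {
    param([object[]]$Found, [switch]$UserProfile)   # -UserProfile: profile uses the user account
    $personal = if ($UserProfile) { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }
    $client = $Found | Where-Object { $_.Role -eq 'client' -and $_.Store -eq $personal } | Select-Object -First 1
    if (-not $client) {
        Write-Warning "No client certificate in $personal; the profile will not offer one."
    } elseif (-not $client.HasPrivateKey) {
        Write-Warning "Client certificate in $personal has no private key (import a PKCS#12 that carries the key)."
    }
    $ca = $Found | Where-Object { $_.Role -eq 'ca' -and $_.Store -like '*\Root' } | Select-Object -First 1
    if (-not $ca) { Write-Warning 'Issuing CA is not in any Trusted Root store.' }
    if ($client -and $ca -and $client.Issuer -ne $ca.Subject) {
        Write-Warning 'Client certificate issuer does not match the CA found in Root.'
    }
}

$found = @(Find-EapTlsCerts)
$found | Format-Table -AutoSize
Test-EapTlsStores -Found $found -UserProfile   # Alan's advice: user account + user store
```

Run it in the same user session that will connect to the WiFi profile; drop -UserProfile to check the stores a computer-account profile would use instead.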