EAP-TLS host certificates

Alan DeKok aland at deployingradius.com
Thu Jan 28 14:29:04 CET 2021

On Jan 26, 2021, at 8:30 AM, Vieri Di Paola <vieridipaola at gmail.com> wrote:
> Now, most of my clients are Windows 10 and just a few Windows 7. They
> can access with PEAP mschap-v2 via WiFi.
> I am now trying to configure WiFi access with EAP-TLS and host certificates.
> Please bear with me as I haven't handled freeradius for years now, and
> I'm a bit rusty.

  TBH, the FreeRADIUS side is simple.  Make the test certs, and start the server.

> I already have a custom Signing Authority (ca.pem).
> So, within /etc/raddb/certs I ran the following after adjusting the
> corresponding *.cnf files:
> # make server.pem
> # make server.csr
> # make inner-server.pem
> # make client.pem

  That's good.

> The Windows 10 client has imported both the CA in trusted roots and
> the client certificate in the "local computer" store. I chose the
> common name "PC2036" (see below).

  That might work... it depends.  Windows has a few certificate stores.  If you put the certs into the wrong one, then EAP-TLS won't work.

> The wireless connection is set up with a "smart card or other
> certificate" (computer account).

  I'm not sure that will work.  You're better off using a user account, and putting the certs into the local cert store for the *user*.

> (132) Sent Access-Challenge Id 67 from to
> length 0
> (132)   EAP-Message = 0x018b00060d20
> (132)   Message-Authenticator = 0x00000000000000000000000000000000
> (132)   State = 0x007a782400f175f114c01cbf42164dc9
> (132) Finished request
> Waking up in 4.9 seconds.
> (132) Cleaning up request packet ID 67 with timestamp +2318
> Ready to process requests
> I then read this:
> https://wiki.freeradius.org/guide/certificate-compatibility


> So I decided to replace the whole certificate directory just to make
> sure the test certs work.

  Huh?  The wiki page above doesn't say to replace the whole cert directory.  It says to import the certificates into the *correct* certificate store on Windows.

  Put the certificates into the correct Windows certificate store.  Nothing else will make EAP-TLS work.

  Alan DeKok.

More information about the Freeradius-Users mailing list