Windows Machines not Validating Cert
FreeRAD
yetifreerad at gmail.com
Wed Nov 6 10:39:59 UTC 2024
Hi Alan,
Thank you for the information. I've noticed when authenticating via PEAP
you can force Windows to authenticate the Root CA but EAP-TTLS doesn't seem
to have the option.
On Wed, Nov 6, 2024 at 10:24 AM Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 6, 2024, at 10:20 AM, FreeRAD <yetifreerad at gmail.com> wrote:
> >
> > I'm using EAP-TTLS. When generating the production certs I know it says in
> > the readme file that all client machines need to have the root CA installed
> > for it to work, but that doesn't seem to be the case in my setup. If I
> > connect from a Windows 11 machine I get a notification asking if I am happy
> > with the certificate information for the server that I am connecting to,
> > but I haven't got the root CA cert installed on my machine. I then just
> > accept the notification and it allows me to connect. Even after installing
> > it nothing really changed.
>
> The certificate chain is sent to the client as part of the TLS
> connection setup. So presumably the Windows machine is caching the cert.
>
> i.e., if it asks you "is the cert OK", and you say "yes", then that
> causes the cert / root CA to pass. That explains why it works.
>
> > Would this indicate that something is set up wrong with the RADIUS server?
>
> No. It indicates that you configured Windows to accept the server cert
> / root CA. So it accepts them.
>
> Alan DeKok.
More information about the Freeradius-Users
mailing list
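
The point made in the thread, that a chain sent in the TLS handshake only passes once the client itself trusts its root, can be reproduced with the openssl command line. This is an added example, not part of the original thread and not Windows' own validation logic; it assumes OpenSSL 1.1.0 or later, and every certificate and name in it (Demo Root CA, radius.example.org) is constructed for the demo.

```shell
#!/bin/sh
# Added illustration. Every key, certificate and name here is constructed
# for the demo and lives in a throwaway temp directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki DIR: a self-signed root (ca.pem) and a server cert (srv.pem) it signs.
make_pki() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
}

# verify_as_client ANCHOR SENT_CHAIN SERVER_CERT
# ANCHOR is the root the client has installed ("" = none). SENT_CHAIN is what
# the server sends in the handshake; -untrusted means it can help build the
# path but never counts as trust. Returns 0 only if the path ends at ANCHOR.
verify_as_client() {
    if [ -n "$1" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -untrusted "$2" "$3" >/dev/null 2>&1
    fi
}

# report LABEL ANCHOR SENT_CHAIN SERVER_CERT
report() {
    if verify_as_client "$2" "$3" "$4"; then echo "$1: accepted"
    else echo "$1: rejected"; fi
}

make_pki "$WORK/real"    # the deployment's own CA and RADIUS server cert
make_pki "$WORK/rogue"   # same subject names, different keys
R="$WORK/real"; X="$WORK/rogue"

report "no root installed, real server " ""          "$R/ca.pem" "$R/srv.pem"
report "real root pinned, real server   " "$R/ca.pem" "$R/ca.pem" "$R/srv.pem"
report "real root pinned, other CA      " "$R/ca.pem" "$X/ca.pem" "$X/srv.pem"
# Saying "yes" at the prompt amounts to trusting whatever root was sent:
report "sent root accepted, other CA    " "$X/ca.pem" "$X/ca.pem" "$X/srv.pem"
```

The first case is where a supplicant has nothing to validate against and has to ask the user; the last shows that answering "yes" accepts a chain from any CA, while a pinned root rejects it.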