Windows Machines not Validating Cert

FreeRAD yetifreerad at gmail.com
Wed Nov 6 11:42:41 UTC 2024


Hi Alan,

Just one other quick thing, I've noticed that I can see an EAP-Message
attribute in my 'Access-Accept' message back from the server, but I was
under the impression that the below config in the inner-tunnel config file
should stop this. Especially given that it stops me seeing any of the other
attributes (apart from User-Name, but that was purposefully left in for
accounting purposes).

    update reply {
        User-Name !* ANY
        Message-Authenticator !* ANY
        EAP-Message !* ANY
        Proxy-State !* ANY
        MS-MPPE-Encryption-Types !* ANY
        MS-MPPE-Encryption-Policy !* ANY
        MS-MPPE-Send-Key !* ANY
        MS-MPPE-Recv-Key !* ANY
        Tunnel-Type !* ANY
        Tunnel-Medium-Type !* ANY
        Tunnel-Private-Group-Id !* ANY
    }

On Wed, Nov 6, 2024 at 10:39 AM FreeRAD <yetifreerad at gmail.com> wrote:

> Hi Alan,
>
> Thank you for the information. I've noticed when authenticating via PEAP
> you can force Windows to authenticate the Root CA, but EAP-TTLS doesn't seem
> to have the option.
>
> On Wed, Nov 6, 2024 at 10:24 AM Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Nov 6, 2024, at 10:20 AM, FreeRAD <yetifreerad at gmail.com> wrote:
>> >
>> > I'm using EAP-TTLS. When generating the production certs I know it says
>> > in the readme file that all client machines need to have the root CA
>> > installed for it to work, but that doesn't seem to be the case in my
>> > setup. If I connect from a Windows 11 machine I get a notification asking
>> > if I am happy with the certificate information for the server that I am
>> > connecting to, but I haven't got the root CA cert installed on my machine.
>> > I then just accept the notification and it allows me to connect. Even
>> > after installing it nothing really changed.
>>
>>   The certificate chain is sent to the client as part of the TLS
>> connection setup.  So presumably the Windows machine is caching the cert.
>>
>>   i.e., if it asks you "is the cert OK", and you say "yes", then that
>> causes the cert / root CA to pass.  That explains why it works.
>>
>> > Would this indicate that something is set up wrong with the RADIUS
>> server?
>>
>>   No.  It indicates that you configured Windows to accept the server cert
>> / root CA.  So it accepts them.
>>
>>   Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
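The delete-list quoted above lives in the inner-tunnel virtual server, while the Access-Accept that reaches the NAS is the outer server's reply. RFC 3579 requires that reply, when it ends an EAP exchange, to carry an EAP-Success inside EAP-Message and, because EAP-Message is present, a Message-Authenticator. The script below is an added illustration, not code from this thread or from FreeRADIUS: it builds a constructed Access-Accept of the kind a NAS receives at the end of an EAP-TTLS session, verifies the Response Authenticator and Message-Authenticator the way a NAS does, decodes the attributes (including the Microsoft MS-MPPE vendor attributes), and then applies the same delete-list to show that it would remove exactly the two attributes the NAS cannot do without. The shared secret, Request Authenticator, user name, Class value and MS-MPPE key bytes are all constructed here; the MS-MPPE values are placeholder bytes, not RFC 2548 salt-encrypted keys.

```python
"""Decode and check a RADIUS Access-Accept as a NAS sees it at the end of an
EAP exchange, then apply the thread's inner-tunnel delete-list to it.
Added example: every packet field, secret and key below is constructed."""
import hashlib
import hmac
import struct

SECRET = b"testing123"           # constructed shared secret
REQUEST_AUTH = bytes(range(16))  # constructed Request Authenticator of the last Access-Request
MS_VENDOR_ID = 311               # Microsoft vendor id carried by MS-MPPE-* (RFC 2548)

# Attribute names for the types used here (RFC 2865, 2868, 3579)
NAMES = {1: "User-Name", 25: "Class", 26: "Vendor-Specific", 33: "Proxy-State",
         64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 79: "EAP-Message",
         80: "Message-Authenticator", 81: "Tunnel-Private-Group-Id"}
MS_NAMES = {7: "MS-MPPE-Encryption-Policy", 8: "MS-MPPE-Encryption-Types",
            16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

# The attributes named in the poster's `update reply { ... !* ANY }` block.
FILTERED = {"User-Name", "Message-Authenticator", "EAP-Message", "Proxy-State",
            "MS-MPPE-Encryption-Types", "MS-MPPE-Encryption-Policy",
            "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key", "Tunnel-Type",
            "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}
# RFC 3579: an Access-Accept ending an EAP exchange carries EAP-Message
# (EAP-Success) and, because it carries EAP-Message, Message-Authenticator.
REQUIRED_FOR_EAP = {"EAP-Message", "Message-Authenticator"}


def avp(attr_type, value):
    """Encode one Type/Length/Value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def ms_vsa(vendor_type, value):
    """Encode a Microsoft Vendor-Specific attribute (type 26, vendor 311)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(26, struct.pack("!I", MS_VENDOR_ID) + inner)


def build_access_accept(ident, attrs):
    """Finish the reply as a server does: Message-Authenticator = HMAC-MD5 over
    Code|Id|Length|RequestAuth|Attributes with its own value zeroed (RFC 3579
    s3.2); Response Authenticator = MD5 over the same bytes plus the secret."""
    attrs += avp(80, bytes(16))  # Message-Authenticator placeholder, filled below
    hdr = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    mac = hmac.new(SECRET, hdr + REQUEST_AUTH + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(hdr + REQUEST_AUTH + attrs + SECRET).digest()
    return hdr + resp_auth + attrs


def verify_accept(packet):
    """The checks a NAS makes before trusting an Access-Accept: Response
    Authenticator first, then Message-Authenticator; an EAP reply without a
    valid Message-Authenticator is discarded (RFC 3579 s3.2)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + REQUEST_AUTH + attrs + SECRET).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return False
        if attr_type == 80 and attr_len == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(SECRET, packet[:4] + REQUEST_AUTH + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, attrs[pos + 2:pos + 18])
        pos += attr_len
    return False


def parse_attrs(packet):
    """Return [(name, value)] for every attribute, expanding Microsoft VSAs."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
            out.append((MS_NAMES.get(value[4], f"MS-Vendor-{value[4]}"), value[6:4 + value[5]]))
        else:
            out.append((NAMES.get(attr_type, f"Attr-{attr_type}"), value))
        pos += attr_len
    return out


def eap_success_ids(attrs):
    """EAP identifiers of any EAP-Success (EAP code 3) carried in EAP-Message."""
    return [v[1] for n, v in attrs if n == "EAP-Message" and len(v) >= 4 and v[0] == 3]


def apply_filter(attrs, filtered=FILTERED):
    """What would survive if the thread's delete-list were applied to this reply."""
    return [(n, v) for n, v in attrs if n not in filtered]


def stripped_required(attrs, filtered=FILTERED):
    """Required-for-EAP attributes present in the reply that the list would delete."""
    return sorted({n for n, _ in attrs} & filtered & REQUIRED_FOR_EAP)


def demo():
    """Constructed Access-Accept ending an EAP-TTLS session for user 'alice'."""
    eap_success = struct.pack("!BBH", 3, 7, 4)  # EAP code 3 = Success, id 7, length 4
    attrs = (avp(1, b"alice") + avp(79, eap_success) + avp(25, b"constructed-class")
             + ms_vsa(17, b"\x80\x01" + bytes(32))   # placeholder bytes, not a real
             + ms_vsa(16, b"\x80\x02" + bytes(32)))  # RFC 2548 salt-encrypted key
    packet = build_access_accept(0x2A, attrs)
    return packet, parse_attrs(packet)


if __name__ == "__main__":
    pkt, decoded = demo()
    print("authenticators valid:", verify_accept(pkt))
    for name, value in decoded:
        print(f"{name:24s} {value.hex()}")
    print("EAP-Success ids:", eap_success_ids(decoded))
    print("left after filter:", [n for n, _ in apply_filter(decoded)])
    print("required attributes the filter would delete:", stripped_required(decoded))
```

Running it prints the decoded reply, confirms both authenticators, and reports that only Class survives the delete-list while EAP-Message and Message-Authenticator, both required, would be removed; the same decoder can be pointed at a captured Access-Accept by replacing the constructed secret and Request Authenticator.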

