[RADIATOR] Problem in EAP-TLS for user authentication in Windows 8.1
samikk at open.com.au
Thu Oct 24 06:57:38 CDT 2013
One of our customers reported that EAP-TLS user authentication doesn't
work with Windows 8.1 against Radiator.

We investigated this further and there seems to be a problem with
the Windows 8.1 EAP-TLS client and how it validates server certificates.

The problem is seen with NPS too. Windows 8.1 EAP-TLS doesn't work
against Microsoft NPS if you have the validate server certificate option
enabled in Windows 8.1.

There are (at least) two options for a workaround:

1. Easiest but insecure option is to disable server certificate check in
2. The bug doesn't affect EAP-PEAP. So you can configure Windows 8.1 to
   use PEAP with EAP-TLS as the inner authentication protocol. In that
   configuration you can enable server certificate check in the PEAP
   configuration. You must disable server certificate check in the inner
   EAP-TLS configuration in Windows 8.1.

Sami Keski-Kasari <samikk at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,