[RADIATOR] Problem in EAP-TLS for user authentication in Windows 8.1
Sami Keski-Kasari
samikk at open.com.au
Thu Oct 24 06:57:38 CDT 2013
Hello,
One of our customers reported that EAP-TLS user authentication doesn't
work with Windows 8.1 against Radiator.
We investigated this further and there seems to be a problem with
the Windows 8.1 EAP-TLS client and how it validates server certificates.
The problem is seen with NPS too. Windows 8.1 EAP-TLS doesn't work
against Microsoft NPS if you have the "validate server certificate" option
enabled in Windows 8.1.
There are (at least) two options for a workaround:
1. The easiest but insecure option is to disable the server certificate
check in Windows 8.1.
2. The bug doesn't affect EAP-PEAP, so you can configure Windows 8.1 to
use PEAP with EAP-TLS as the inner authentication protocol. In that
configuration you can enable the server certificate check in the PEAP
configuration. You must disable the server certificate check in the inner
EAP-TLS configuration in Windows 8.1.
Best Regards,
Sami
--
Sami Keski-Kasari <samikk at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.