WPA2-Enterprise (EAP-TLS) User Authentication finally works on Windows 10 - how to use Computer Authentication and strip out "host/" in username?
-
That's a Windows question really.
Are you using wifi running in pfSense or external access points?You might be better asking in the off-topic sub to hear from Windows users.
Steve
-
@stephenw10 Running external APs. Very happy going with a used Ruckus AP off eBay and using the license-free Unleashed firmware.
Very true, this question is indeed a Windows config issue unless there's some FreeRADIUS regular expression config I can do to strip off the "/host/Dell Latitude 1234" to make it "Dell Latitude 1234" so the username matches the certificate CN.
Is it possible to move this thread over to off-topic?
-
S stephenw10 moved this topic from Wireless on
-
In case it's clear as mud, maybe some screenshots will help. The certificate I have installed on the laptop has a CN of "Dell Latitude 1234" (with the 1234 being the actual model of the laptop), and the user in FreeRADIUS is also "Dell Latitude 1234," so when I log into the laptop, it automatically connects to the WLAN. This is User-based authentication in Windows 10.
The original issue I got was Windows 10 would pre-pend "host/" to the username, making it "host/Dell Latitude 1234" which wouldn't match the certificate CN, so FreeRADIUS on pfSense would reject the authentication attempt.
I found a solution though:
Checking that box then prompts me to type in a username when connecting to the WLAN network:
So in that dialog box, I simply type in "Dell Latitude 1234" and it remembers this setting forever, even across reboots. No more "host/Dell Latitude 1234" mismatches. WiFi works.
But it only works when I'm signed in. (This is User based authentication.) What I'd like is for Computer Authentication to also work so that WiFi automatically connects upon boot (which helps with things like RDP into the laptop), but there's no workaround to get rid of the pesky way Windows automatically prepends "host/" to the username. Still get the original error in FreeRADIUS:
-
Is there anywhere on the Web I can ask to get solutions to this? I can't for the life of me figure out where to ask or what to search for. Surely I can't be the only one here trying to get WPA3-Enterprise working on a Windows laptop. (The WPA2-Enterprise in the thread title is a compromise, but it's a separate issue trying to get WPA3-Enterprise to work, and I made a thread in the Ruckus Unleashed forums, which is also not getting any replies.)
Frustration all around.
My end goals are:
- WPA3-Enterprise (EAP-TLS) working on Windows 10 laptop and my phones instead of just WPA2-Enterprise.
- On the Windows laptop, I'd like for WiFi to connect before I log in. This helps with e.g. if I want to RDP to the laptop from my desktop PC to do maintenance.
-
@finger79 don't know if pfSense allows this , but freeradius has a scripting language called unlang which could possible deal with your issue for the
host/part
https://freeradius.org/radiusd/man/unlang.htmlhaven't used EAP-TLS myself , but would it possible to add a SAN to your certificate having
host/Dell ...as an alternative subject name ? -
@aduzsardi said in WPA2-Enterprise (EAP-TLS) User Authentication finally works on Windows 10 - how to use Computer Authentication and strip out "host/" in username?:
@finger79 don't know if pfSense allows this , but freeradius has a scripting language called unlang which could possible deal with your issue for the
host/part
https://freeradius.org/radiusd/man/unlang.htmlhaven't used EAP-TLS myself , but would it possible to add a SAN to your certificate having
host/Dell ...as an alternative subject name ?Thanks, that's a possible lead. I'll look into it.
Edit: Oof, I wish there were some easy examples. I just need a regular expression that's like:
"If you see a username that contains "host/foo" strip it out and only return foo for the username." I have no earthly idea where to insert this code in FreeRADIUS too. Surely there's some unlang experts on this forum.
-
@finger79 this might help https://lists.freeradius.org/pipermail/freeradius-users/2011-March/052744.html
-
Did you ever sort this one? I'm having the same issue
-
@jamesg246 said in WPA2-Enterprise (EAP-TLS) User Authentication finally works on Windows 10 - how to use Computer Authentication and strip out "host/" in username?:
Did you ever sort this one? I'm having the same issue
Nah, I put it on hold. Only User Authentication works so far in Windows 10, so WiFi only connects after I log in. It makes attempts to connect to WiFi before login via the Computer Authentication (since I have both checked), but it still prepends "host/" before the certificate Username and the FreeRADIUS implementation in pfSense rejects it.
-
@Finger79 I have this working with Computer authentication, but only with the Check Client Certificate CN option disabled in EAP settings. If I enable this, it stops working.
As you've said the authentication requests come as "host/CN" - I've added "host/CN" to the users table and this allows the device to pickup the vlan setting etc. At the moment I'm using the revoke lists to get around having Check Client Certificate CN disabled.
It looks like the following needs to be added to the hints file and using the pre-process module
DEFAULT Prefix == "/host", Strip-User-Name = Yes
DEFAULT Suffix == ".server.domain.com", Strip-User-Name = YesIn my case I don't need to add the suffix but I've no idea where to start with adding those attributes to the pfsense freeradius server.
-
@jamesg246 said in WPA2-Enterprise (EAP-TLS) User Authentication finally works on Windows 10 - how to use Computer Authentication and strip out "host/" in username?:
@Finger79 I have this working with Computer authentication, but only with the Check Client Certificate CN option disabled in EAP settings. If I enable this, it stops working.
That's interesting. The "Check Client Certificate CN" option in EAP settings doesn't seem to do anything to me. Thread here with the Redmine bug report linked: Longstanding FreeRADIUS EAP-TLS security bug on validating client certificate common name
In other words, even with "Check Client CN" enabled, I can completely delete the FreeRADIUS Users table and clients can still connect. Strange behavior.