> I don't think that I'm using the supplicant but I could
> be wrong.

The supplicant is the software on the client device that manages wireless profiles/connections. If Windows controls the wireless connections (Wireless Zero Config service) then you are using the Windows supplicant.

> I'm running FreeRadius 2.1.7-7.e15 ( I believe this is the
> latest) with freeradius2-krb5-2.1.7-7.e15 and
> freeradius2-utils-2.1.7-7.e15.

2.1.7 is old! 2.1.11 is the latest version of FreeRADIUS.

> I'm pretty sure I'm using PEAP.

This would be obvious in the wireless settings on the device.

> I realize that and I'm going to work on using our wild
> card cert to better secure this. However the question
> still arises on will our SSL cert validate properly on a
> Windows system. When I initially set this up I never saw
> anything regarding an 802.11x config. After updating I seem
> to remember seeing this config file mentioned.

Windows clients require that certain extensions be present in the certificate (you can thank Microsoft for that - it's not a FreeRADIUS issue). If most of the machines are not joined to your domain and are personal devices and you want easy access, you'll want to use a certificate signed by a CA that's in the Windows root CA list. Just be aware that this is not as secure as an internal or self-signed cert because any certificate from the CA you choose would be accepted (even if it's from someone else's RADIUS server); but the alternative is that you would need to distribute the CA's cert to each user that wants to connect.

I can't answer your question regarding whether your SSL cert will validate properly on Windows because you haven't said how it was generated. Is it self-signed? Is it signed by a CA that's in the root CA list of a device you were using to test? Does it include the required Windows extensions? There has been considerable discussion on the mailing list regarding the creation of certs that will work with Windows clients. Google is your friend (along with the doc inside the FR files).

> Like I mentioned above not all, actually few machines, are
> managed via our AD server. I would love to change this but it
> would require far more administrative changes that I'm unable
> to make.

Makes sense.

> Like I mentioned our Windows versions vary from XP to 7.

I thought, but can't verify right now, that starting with Vista, Windows will connect using PEAP without manual wireless configuration (i.e., it doesn't assume TLS as a default the way XP does). Perhaps your only issue with Vista/7 is that the cert doesn't have the required extensions or isn't signed by a CA that's in the root CA list of the device?
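
Added example, not part of the original mailing-list reply: a shell check for the certificate questions raised above (does the server cert carry the extension Windows looks for, and is it self-signed). It assumes the "required Windows extensions" means the Extended Key Usage "TLS Web Server Authentication" (OID 1.3.6.1.5.5.7.3.1), as set in the `xpextensions` file in FreeRADIUS's `certs` directory; the function names and the constructed test certificate are hypothetical, and the `openssl` CLI must be installed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Returns 0 if the PEM certificate in $1 lists serverAuth in its
# Extended Key Usage (assumed to be the extension Windows supplicants require).
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# Returns 0 if subject == issuer (heuristic for "self-signed": every client
# would need this certificate installed as trusted before it validates).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Builds a constructed, throwaway self-signed cert for trying the checks.
# $1 = output PEM, $2 = extension section (xpserver_ext or plain_ext).
make_test_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = radius.example.test
[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[plain_ext]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -extensions "$2" -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$cfg" "$1.key"
}

# Usage: sh check_cert.sh /path/to/server.pem
if [ -n "${1:-}" ]; then
    has_server_auth_eku "$1" && echo "EKU serverAuth: present" \
        || echo "EKU serverAuth: missing"
    is_self_signed "$1" && echo "self-signed: distribute it to clients" \
        || openssl x509 -in "$1" -noout -issuer
fi
```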

