The weird thing is that I didn't see that popup.

On Wed, Oct 26, 2011 at 5:07 PM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 10/26/2011 07:53 PM, Francois Gaudreault wrote:
>>
>> Correct me if I am wrong, but that should not be needed when you are not
>> validating server certificate.
>
> There are a few issues; let me try to lay them out.
>
> First: it seems you MUST install the CA on the client (in one or both of the
> user or machine store, depending on whether you're doing user or
> machine-based auth). Authentication will simply fail if you don't install
> the CA - although helpfully Windows does seem to send an "invalid CA" TLS
> alert.
>
>
> Second: If (and only if) you install the CA, then when you FIRST connect to
> a network, you will be shown the dialog box "The connection attempt could
> not be completed". In my testing, if you click "Continue", then Windows
> will:
>
> a. Check the "Validate server certificate"
> b. Leave the "Connect to these servers" (hostname/CN) blank
> c. Check the box next to the CA cert
>
> That is, Windows will "trust on first use" (TOFU) the *specific* CA for that
> *specific* connection profile (WLAN SSID or Wired "profile").
>
> The text at the link given by the OP is misleading. The issue is not whether
> the CA is a "Trusted" CA on the machine/user store as a whole. It's whether
> it's trusted for *that specific connection* as a CA for signing the
> authentication server cert.
>
> I'm unsure whether the OP is clicking "Continue" at the prompt and it's
> failing, or if he's not clicking "Continue" or not even being presented with
> the option - but as I say, in my testing, TOFU works.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
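An added example, not part of the original thread: a small audit of an exported connection profile (for instance from `netsh wlan export profile`) that reports which of the per-profile states discussed above it is in. It assumes the `ServerValidation`, `ServerNames` and `TrustedRootCA` element names of Microsoft's PEAP connection-properties schema; the sample XML, the thumbprint, the function `audit_profile` and the state labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: EAP settings in the state described above (CA ticked,
# server names blank). The thumbprint is a made-up placeholder value.
TOFU_PROFILE = """\
<Config xmlns:p="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <p:ServerValidation>
    <p:DisableUserPromptForServerValidation>false</p:DisableUserPromptForServerValidation>
    <p:ServerNames></p:ServerNames>
    <p:TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</p:TrustedRootCA>
  </p:ServerValidation>
</Config>"""

# Constructed sample: no CA selected for this profile at all.
NO_CA_PROFILE = TOFU_PROFILE.replace(
    "<p:TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</p:TrustedRootCA>",
    "<p:TrustedRootCA />")


def _local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def _values(parent, name):
    """Non-empty text values of the direct children called `name`."""
    return [c.text.strip() for c in parent
            if _local(c.tag) == name and c.text and c.text.strip()]


def audit_profile(xml_text):
    """Summarise the per-profile server validation settings of one profile."""
    root = ET.fromstring(xml_text)
    sv = next((e for e in root.iter() if _local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return {"state": "no-server-validation-settings", "cas": [], "names": []}
    cas = _values(sv, "TrustedRootCA")
    names = _values(sv, "ServerNames")
    if not cas:
        state = "no-ca-selected"
    elif not names:
        state = "ca-pinned-name-blank"   # the post-"Continue" state in the quoted message
    else:
        state = "ca-and-name-pinned"
    return {"state": state, "cas": cas, "names": names}


if __name__ == "__main__":
    for label, doc in (("tofu", TOFU_PROFILE), ("no-ca", NO_CA_PROFILE)):
        print(label, audit_profile(doc))
```

A profile in the `ca-pinned-name-blank` state trusts the CA for that connection but does not restrict which server name the certificate must carry.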