EAP doesn't work with Cisco Catalyst 2950?
Thai Duong
thaidn at yahoo.com
Tue Jul 25 18:54:51 CEST 2006
Hi Alan,
--- Alan DeKok <aland at nitros9.org> wrote:
>
> That is exactly what happens when the certificate
> doesn't have the
> proper OID's.
>
> Alan DeKok.

I can be sure the client certificate has the Enhanced
Key Usage showing Client Authentication
(1.3.6.1.5.5.7.3.2). I have no way to verify whether
the server certificate contains the proper OID, but here is
the procedure I used to generate that certificate:

1. I created a file named xpextensions with the
following content:
thaidn at inspiron:/etc/ssl$ cat xpextensions
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

2. Create the server signing request:

thaidn at inspiron:/etc/ssl$ openssl req -new -nodes \
    -keyout server_key.pem -out server_req.pem -days 730 \
    -config ./openssl.cnf

then sign it:

thaidn at inspiron:/etc/ssl$ openssl ca -config ./openssl.cnf \
    -policy policy_anything -out server_cert.pem \
    -extensions xpserver_ext -extfile ./xpextensions \
    -infiles ./server_req.pem

3. Open the signed certificate and delete everything
before the line -----BEGIN CERTIFICATE-----.
Concatenate it and the key file into a single file:

thaidn at inspiron:/etc/ssl$ cat server_key.pem server.cert.pem > \
    server_keycert.pem

The 3rd step is an extra step that the guide
(http://www.linuxjournal.com/node/8095/print) told me
to do.

Is it correct? I doubt maybe the problem remains in
the OpenSSL library bundled with Ubuntu 6.06. Do you
think so? Please advise.

TIA,
Thai Duong
More information about the Freeradius-Users
mailing list
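
The message above says there is no way to confirm that the server certificate carries the right OID. As an added example (not part of the original message), this script signs a constructed test request with the same xpextensions content and then reads the Extended Key Usage back with openssl x509 -text. It uses openssl x509 -req with a throwaway CA in place of the post's openssl ca setup; the names has_eku, build_demo and radius.example.test are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and certificates, nothing from the post's host.

# has_eku CERT NAME: succeed only if CERT carries an Extended Key Usage
# extension whose value line contains NAME (OpenSSL's text name for the OID).
has_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# build_demo DIR: create a test CA, then sign the same request twice,
# once with the xpserver_ext section and once with no extensions at all.
build_demo() {
    d=$1
    # Same xpextensions content as in the post.
    cat > "$d/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    # Minimal request config so the demo does not depend on a system openssl.cnf.
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$d/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj '/CN=Constructed Test CA' -days 1 \
        -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj '/CN=radius.example.test' \
        -keyout "$d/server_key.pem" -out "$d/server_req.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/server_req.pem" -days 1 -set_serial 1 \
        -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" \
        -extfile "$d/xpextensions" -extensions xpserver_ext \
        -out "$d/server_cert.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/server_req.pem" -days 1 -set_serial 2 \
        -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" \
        -out "$d/server_noeku.pem" 2>/dev/null
}

demo=$(mktemp -d)
build_demo "$demo"
for c in server_cert.pem server_noeku.pem; do
    if has_eku "$demo/$c" 'TLS Web Server Authentication'
    then echo "$c: serverAuth EKU present"
    else echo "$c: serverAuth EKU missing"
    fi
done
```

Against the certificate from the post, the same check is has_eku server_cert.pem 'TLS Web Server Authentication'.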