EAP TLS Computer Authentication XP the final Solution *working great after a hard fight* Solution inside

Krämer Armin Kraemer.Armin at web.de
Sat May 20 09:01:29 CEST 2006


Hi,

First I want to say thanks to all here for the great help setting up my
RADIUS as part of my engineering exam work.

Yesterday I finished my work and found the 2 mistakes that kept computer
authentication from working properly on my network, and now I want to share
this with you all here, knowing some of you still have the same problems:

For now only the machine authentication problem; after I have passed my
exams on 15 July I will post a link here to my whole documentation
describing how to set up the whole project, including the following:

A CA created with TinyCA as a frontend for OpenSSL, FreeRADIUS on Debian
stable with EAP-TLS support, an LDAP backend for dynamic VLAN assignment rules,
VLAN routing on a layer 3 core switch, and finally clients (2000, XP, Linux)
first doing a machine authentication (*tricky but possible*), being pulled
into a basic VLAN with the DHCP, DNS and ADS servers in a separate subnet and
VLAN; then users can log onto the domain, get their final user certificate,
are thrown into their final working VLAN and get the final subnet from the
DHCP. This now works great, but first only the main problem, the machine
certificates.

What you have to do if you create it with TinyCA to get working certificates
for machine authentication, in a short sequence, and where the problems are
that I figured out.

OK, setting up TinyCA is easy and the binding to FreeRADIUS is described
here a lot.

The final steps are the following, especially for Windows:

Under the OpenSSL configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 into
Extended Key Usage of the server certificate, and 1.3.6.1.5.5.7.3.2 into
Extended Key Usage of the client certificate.

This is basic and essential for successful authentication, but not all.

For machine authentication create a client certificate, and now the really
important things:
1.	The CN has to match the local computer name, either the short name only
	or the fully qualified name of the computer; both are possible.
2.	The Email field MUST!!!! be filled with the fully qualified computer
	name, like workstation1.exampledomain.de

This entry is important for machine authentication because Windows XP
searches the subjectAltName field to find the certificate in the computer
store. If this isn't present, authentication fails the first time, and after
XP's internal counter expires the second authentication is successful
(why??). But OK, add this and all is fine.
In the openssl.cnf of TinyCA you can see that the Email field is copied into
the subjectAltName field. I will write a letter to the developer of TinyCA
asking if he could make a separate field for this....

Export the certificate as PKCS#12 and check "include certificate" and
"fingerprint" (whether the fingerprint is important I will figure out later
and tell you; I haven't found time to check this), but the key must be
included.

And the last thing is that you have to import the computer certificate not
by double-clicking (in this case the certificate is stored in the CurrentUser
store and you have to copy it over via MMC to the computer store, but this
doesn't work: the certificate isn't found correctly if you do it that
way!!!!).
Best is to open MMC, add a snap-in for the Local Computer, then go to
"Personal" ("Eigene Zertifikate"), right-click on it, All Tasks, Import; then
import the certificate, and now you have the CA certificate and your computer
certificate in the store. Now you finally have to move the CA certificate
into the root certificate store under your computer account store.


That's all in the MMC.

Then go to the properties of your network connection, Authentication tab,
EAP type Properties, and in the list you have to check "Check server
certificate", uncheck "Connect to this server" (this is optional), and in the
list check your CA.
If you also have a user certificate installed you will find your CA there 2
times. It is not important which you select; one should be enough.

Finally I can say, regarding what was discussed here, that you don't have to
set another OID as discussed in one thread here, and you only have to change
your registry if you have special requirements on the authentication
behaviour. The basic registry settings seem to be enough. I added the
SupplicantMode DWORD with a value of 3, but this only seems to start
authentication faster than without; it is not essential for the basic setup.

OK, this is only a small and dirty description for now; a better one will
follow soon. But I thought many of you are struggling with this and it would
be good to post this quickly. Sorry for typing mistakes; maybe someone will
correct them :-)

@Alan: Is there any interest in posting my documentation to the wiki? I can
send you the final document!

Greetings and good luck 


Armin
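The certificate side of the procedure above, as an added example that is not part of Armin's post and not TinyCA's or FreeRADIUS's own code: the extended key usage and subjectAltName settings the post makes through TinyCA, done with the plain openssl command line, plus a check that the resulting machine certificate really carries them and that the PKCS#12 bundle contains the private key. Every name in it is an assumption (CA "Example Lab CA", domain exampledomain.de, server radius1, machine workstation1, PKCS#12 password "changeme"); it also builds a second machine certificate without any subjectAltName to show what the check rejects.

```shell
#!/bin/sh
# Added example, not from the post, TinyCA or FreeRADIUS: the certificate settings the post
# makes in TinyCA, done with the plain openssl CLI, plus a check of the result.
# Hypothetical names: CA "Example Lab CA", domain exampledomain.de, RADIUS server radius1,
# machine workstation1, PKCS#12 password "changeme" (demo only).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }

DOMAIN=exampledomain.de
P12_PASS=changeme
OUT=${OUT:-$(mktemp -d)}      # scratch directory for keys and certificates

# Self-signed CA standing in for the TinyCA-managed CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Lab CA" -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
}

# issue_cert NAME SUBJECT EKU SAN: key + CSR for SUBJECT, signed by the CA into NAME.crt.
# EKU and SAN are openssl x509v3 extension values; an empty SAN leaves the
# subjectAltName extension out entirely (the broken case the post describes).
issue_cert() {
    name=$1; subject=$2; eku=$3; san=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
        -keyout "$OUT/$name.key" -out "$OUT/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$OUT/$name.ext"
    if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san" >> "$OUT/$name.ext"; fi
    openssl x509 -req -days 365 -sha256 -in "$OUT/$name.csr" \
        -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
        -extfile "$OUT/$name.ext" -out "$OUT/$name.crt" 2>/dev/null
}

# check_machine_cert CERT FQDN: succeeds only if CERT chains to the CA, carries the
# clientAuth EKU (1.3.6.1.5.5.7.3.2) and names FQDN in subjectAltName as a DNS entry.
check_machine_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
    printf '%s\n' "$text" | grep -q "DNS:$2" || return 1
    openssl verify -CAfile "$OUT/ca.crt" "$1" >/dev/null 2>&1
}

# export_p12 NAME FRIENDLYNAME: the PKCS#12 bundle Windows imports; the private key and
# the CA certificate go in together with the certificate ("the key must be included").
export_p12() {
    openssl pkcs12 -export -in "$OUT/$1.crt" -inkey "$OUT/$1.key" -certfile "$OUT/ca.crt" \
        -name "$2" -passout "pass:$P12_PASS" -out "$OUT/$1.p12"
}

# p12_has_key FILE: succeeds if the bundle really carries a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

main() {
    make_ca
    # RADIUS server certificate: EKU serverAuth = 1.3.6.1.5.5.7.3.1
    issue_cert server "/CN=radius1.$DOMAIN" serverAuth "DNS:radius1.$DOMAIN"
    # Machine certificate: CN = computer name, EKU clientAuth = 1.3.6.1.5.5.7.3.2,
    # FQDN in subjectAltName. TinyCA gets there by copying the email field into the
    # SAN ("email:copy"); here the FQDN is also put in directly as a DNS entry.
    issue_cert machine "/CN=workstation1/emailAddress=workstation1.$DOMAIN" \
        clientAuth "DNS:workstation1.$DOMAIN,email:copy"
    # The variant the post warns about: a client certificate with no subjectAltName.
    issue_cert machine-nosan "/CN=workstation1" clientAuth ""
    export_p12 machine "workstation1 machine certificate"

    check_machine_cert "$OUT/machine.crt" "workstation1.$DOMAIN" \
        && echo "machine.crt: clientAuth EKU and SAN present, chains to CA"
    check_machine_cert "$OUT/machine-nosan.crt" "workstation1.$DOMAIN" \
        || echo "machine-nosan.crt: no subjectAltName, XP would not find it in the store"
    p12_has_key "$OUT/machine.p12" && echo "machine.p12: private key included"
    echo "files in $OUT"
}
main
```

Run it in a scratch directory (or set OUT); the resulting machine.p12 is then imported on the client with the MMC steps the post describes, and ca.crt goes into the computer account's trusted root store. Note that OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which importers of the Windows XP era do not read; on OpenSSL 3 add `-legacy` to the `openssl pkcs12 -export` call to get the older RC2/3DES format.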





More information about the Freeradius-Users mailing list