WPA authentication works only with MacOS clients

Jason Wittlin-Cohen jasonwc at brandeis.edu
Tue Oct 17 06:49:25 CEST 2006


Message: 5
Date: Mon, 16 Oct 2006 22:36:14 +0200
From: "Josh Shamir" <josh.shamir at gmail.com>
Subject: Re: WPA authentication works only with MacOS clients
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<8b3d60af0610161336k20473a1cw4410cbaa6eda17c7 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

"Hi Jason,
I want to use PEAP.
So I can use PEAP on a WinXP SP2 client without any other supplicant, using
its native supplicant.
The problem is that with the native WinXP supplicant the authentication process
fails, and the freeradius server gives me an error regarding certificates.
The strange thing is that with the same certificates, PEAP works fine with
MacOSx.

Could it be a problem with the certificates?
I generate certificates with CA.all.
Any ideas about how to generate certificates that also work with an MS WinXP
client?"

This is a common problem. Windows XP requires that the server and client certificates have specific attributes. This is useful as it prevents a man-in-the-middle attack where an authentic client masquerades as a server with his client cert.

You need to use Microsoft's Extended Attributes:

[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

See http://www.linuxjournal.com/node/8095/print for detailed instructions on how to create a server certificate that will work with PEAP and MS clients. The HOWTO is for EAP-TLS, which requires client and server certificates. Since you are using PEAP, you just need to create the server certificate. Good luck.

In particular you'll want to do:

openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf

openssl ca -config ./openssl.cnf \
-policy policy_anything -out server_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions \
-infiles ./server_req.pem

You'll now have server_cert.pem (Public Certificate) and server_key.pem (Private Key which has no password). The public certificate will have the Server extended key usage extensions set and now your XP client should authenticate. 

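The procedure above, written out as a self-contained script. This is an added example, not Jason's or Josh's own commands and not part of the FreeRADIUS project: it uses the same two EKU OIDs from the reply, but signs the server request with `openssl x509 -req -CA ...` instead of `openssl ca`, so that it runs without the CA directory layout that CA.all sets up. The CA and server subject names, the `xpextensions` file name and the `has_eku` check are assumptions made for the example. The last function inspects the issued certificate, which is the check you want before pointing an XP client at the server: if "TLS Web Server Authentication" is missing from the output, the `-extensions xpserver_ext` step did not take effect.

```shell
#!/bin/sh
# Added example (not from the original post): issue a PEAP server certificate
# carrying the Microsoft serverAuth EKU (1.3.6.1.5.5.7.3.1) and verify it.
# Assumptions: openssl on PATH, a scratch directory, and the subject names below.
set -e

write_ext_file() {
    # The same extension sections the reply quotes, usable via -extfile/-extensions.
    cat > "$1" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

make_ca() {
    # Self-signed CA in directory $1. The key is left unencrypted (-nodes) only
    # because this is a throwaway demo; protect a real CA key with a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -subj "/CN=Example RADIUS CA" \
        -keyout "$1/ca_key.pem" -out "$1/ca_cert.pem" >/dev/null 2>&1
}

make_server_cert() {
    # CSR for the RADIUS server, then a CA-signed certificate that gets the
    # extensions from section $2 of $1/xpextensions (xpserver_ext for PEAP).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.com" \
        -keyout "$1/server_key.pem" -out "$1/server_req.pem" >/dev/null 2>&1
    openssl x509 -req -days 730 -in "$1/server_req.pem" \
        -CA "$1/ca_cert.pem" -CAkey "$1/ca_key.pem" -CAcreateserial \
        -extfile "$1/xpextensions" -extensions "$2" \
        -out "$1/server_cert.pem" >/dev/null 2>&1
}

has_eku() {
    # Print "yes" if certificate $1 lists EKU name $2 (e.g. "TLS Web Server
    # Authentication"), "no" otherwise. Assumes the usual openssl -text layout:
    # the EKU names follow the "X509v3 Extended Key Usage" header line.
    if openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demo: build everything in a temp dir and report the EKU check.
DEMO_DIR="$(mktemp -d)"
write_ext_file "$DEMO_DIR/xpextensions"
make_ca "$DEMO_DIR"
make_server_cert "$DEMO_DIR" xpserver_ext
echo "server cert in $DEMO_DIR/server_cert.pem"
echo "serverAuth EKU present: $(has_eku "$DEMO_DIR/server_cert.pem" 'TLS Web Server Authentication')"
```

Load `ca_cert.pem` into the XP client's trusted root store and point FreeRADIUS at `server_cert.pem`/`server_key.pem`; a certificate signed with `xpclient_ext` instead would carry only clientAuth and the XP supplicant will keep rejecting it.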