Everything looks like it works, but PC is not authenticated
Alexandros Gougousoudis
gougousoudis at kh-berlin.de
Mon Sep 4 14:00:06 CEST 2006
Hi,
> I can't even remotely understand why you seem to look for help on one
> hand, but on the other one keep declining answers to questions put to
> you and insisting on false assumptions.
That's why I might not understand what you're asking. :-)
>> --> verify error:num=9:certificate is not yet valid
>> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
>> TLS Alert write:fatal:bad certificate
I fixed that problem. The time on the certificate-issuing server, the
radius server and the client was different, so the cert wasn't valid
because its creation time was in the future. I've now put them all on my
NTP server.
The "check_cert_cn" was a test to check if the username has something to
do with the failing certs and is now disabled again. I found that if the
certs are valid, the username is not important. I used the OIDs mentioned
in the HowTos, not Alan's.
> And while it doesn't cause any problem for now, would you please get
> rid of the "host/vinfo-t1" and "vinfo-t1" stanzas in your users file
The idea of that was to control the logon of already authorized clients,
i.e. to not accept a client with a valid cert. This could be done more
elegantly with the CRL of SSL, but for now it's easier to maintain in the
users file. Of course passwords are useless if nothing like PEAP is done
(this entry was for testing).
I conclude that it works now with W2K SP4. The main problem was different
times on all participating computers. If confs and certs are done
according to the earlier mentioned HowTo, it'll work. Although the setting
of the users file still stays unclear to me, because I don't know how to
handle the acceptance of the clients if the client cannot be described
via AuthType in the users file. Maybe somebody could enlighten me.
I still have to check if I really need the registry hack (set the
"HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode"
value to '2') mentioned by Thibault LeMeur earlier on the list.
Next I'll try to check the client's name against our LDAP database (for
the Samba domain) in the users file to allow only those clients which
are in our domain.
Thanks for the help
Alex
--
ServiceCenter IT - Alexandros Gougousoudis (Leiter)
Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule
für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst
Busch".
Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
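The clock-skew failure described in the message above ("verify error:num=9:certificate is not yet valid"), as an added example that is not part of the original post or of FreeRADIUS: it parses the two ASN.1 time encodings an X.509 Validity field may carry and returns the OpenSSL verify code that a RADIUS server with the given clock would produce, with an optional skew tolerance to show why NTP, not a tolerance knob, is the fix. The function names, the two-hour offset and the timestamps are constructed for this example and do not come from the post.

```python
"""Reproduce OpenSSL's "certificate is not yet valid" (verify error 9) from a
certificate's validity window and the verifier's clock.

Added example, not code from the mailing-list post. The helper names, the
two-hour clock offset and the sample timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone

# OpenSSL X509 verify result codes (x509_vfy.h); only the two that concern
# the validity window are needed here.
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10


def parse_asn1_time(value: str) -> datetime:
    """Parse the two time encodings allowed in an X.509 Validity field.

    UTCTime         'YYMMDDhhmmssZ'   two-digit year; RFC 5280 4.1.2.5.1:
                                      50..99 -> 19xx, 00..49 -> 20xx
    GeneralizedTime 'YYYYMMDDhhmmssZ' four-digit year (used for dates >= 2050)
    """
    if not value.endswith("Z"):
        raise ValueError("certificate times must be UTC ('Z')")
    body = value[:-1]
    if len(body) == 12:                      # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:                    # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognised ASN.1 time: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_validity(not_before: str, not_after: str, now: datetime,
                   skew: timedelta = timedelta(0)) -> int:
    """Return the OpenSSL verify code for a cert's validity window at `now`.

    `skew` is a tolerance the verifier could choose to grant for clocks that
    are out of sync. OpenSSL's default verification grants none, which is why
    the poster's fix was to put every machine on NTP.
    """
    nb = parse_asn1_time(not_before)
    na = parse_asn1_time(not_after)
    if now + skew < nb:
        return X509_V_ERR_CERT_NOT_YET_VALID
    if now - skew > na:
        return X509_V_ERR_CERT_HAS_EXPIRED
    return X509_V_OK


# Constructed scenario: the CA's clock was two hours ahead of the RADIUS
# server when it issued the client certificate (all dates invented).
CA_NOT_BEFORE = "060904140006Z"       # UTCTime, as a CA would write it in 2006
CA_NOT_AFTER = "20070904140006Z"      # GeneralizedTime form, shown for contrast
RADIUS_NOW = datetime(2006, 9, 4, 12, 0, 6, tzinfo=timezone.utc)


def poster_scenario() -> tuple[int, int, int]:
    """Verify codes: (RADIUS clock behind CA, clocks synced by NTP, 3h skew allowed)."""
    before_ntp = check_validity(CA_NOT_BEFORE, CA_NOT_AFTER, RADIUS_NOW)
    after_ntp = check_validity(CA_NOT_BEFORE, CA_NOT_AFTER,
                               RADIUS_NOW + timedelta(hours=2))
    tolerated = check_validity(CA_NOT_BEFORE, CA_NOT_AFTER, RADIUS_NOW,
                               skew=timedelta(hours=3))
    return before_ntp, after_ntp, tolerated


if __name__ == "__main__":
    print(poster_scenario())   # (9, 0, 0)
```

The first value is the error the poster saw: the certificate's notBefore lies two hours in the RADIUS server's future, so the TLS handshake is rejected with a bad_certificate alert before any username or users-file entry is consulted. Synchronising the clocks (second value) is the correct repair; widening the tolerance (third value) would also make the error vanish but only hides the skew.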