What kind of error in client-cert using EAP?

Alexandros Gougousoudis gougousoudis at kh-berlin.de
Tue Sep 19 10:22:01 CEST 2006


Hello Alan,

Alan DeKok wrote:
>   No.  It means that there is NO client cert.  The authentication
> process continues, so it's obviously not a catastrophic problem.

Is it simply not sent, or somehow not available? Because I know for sure 
that there is a cert on the client. And I did nothing different from the 
other machines, where it has been working for 2 weeks.

Just to make it explicit: I create a user cert in TinyCA2 (Linux). I 
export the cert as a p12 and include the key and the CA in that p12 
container. I also disable the passphrase. I put that file on the network 
where the client can find it.

On the client I open the MMC as local admin and add the Snap-In 
"Certificates" for the local computer. Then I import the created cert into 
My Certificates and copy the CA cert into the "trusted certification 
centers" tree (it's in German). It worked for another 2 W2K PCs and for 
four XP-Pro-SP2 PCs.

The APs are Linksys Switches and they do what they should.

>   For PEAP and TTLS, there *is* no client cert.

I use EAP-TLS for machine authentication (in Windows the "Smartcard or 
Certificate" authentication).

>> It means also that in my authorize section (Auth-Type := EAP)
>   Can you explain why you're doing this?  All of the server
> documentation, and many posts on this list say it's wrong.

Because if I do only a machine-authentication, every machine which has a 
valid cert can connect to the network.

If I write the explicit hostname in the users file, I have more control 
over the individual clients connecting. If they are not in the list, they're 
not allowed to connect, regardless of whether they have a valid cert or not. I 
think it could be done more elegantly using CRLs, but I'm not yet at this 
point. I'm trying to understand why one PC can connect and the other one can 
not, although I did the same procedure.

Thanks for your help
  Alex


-- 
ServiceCenter IT - Alexandros Gougousoudis (Head)

Joint facility of the Kunsthochschule Berlin-Weissensee, the Hochschule 
für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst 
Busch".

Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
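The certificate-and-bundle procedure described in the post (a machine cert, its key and the CA exported together as a passphrase-less .p12), reproduced with plain openssl as an added example; this is not part of the original message and not FreeRADIUS or TinyCA2 code. The CA name, the hostname and all file names are constructed. The three checks at the end are what an admin can run on the bundle before importing it on the Windows client: that the key, the host cert and the CA are all inside, that the host cert verifies against that CA, and that it carries the Client Authentication EKU. The Windows EAP-TLS supplicant only offers certificates with that EKU, so a cert can be visibly present in the store and still never be sent, which the server then reports as "no client cert".

```shell
#!/bin/sh
# Added example, not from the original post: throwaway CA + machine cert
# built with openssl, exported as a PKCS#12 with empty password and the CA
# included, then checked before it goes to the Windows client.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Constructed names; replace with your own CA subject and machine name.
CA_SUBJ="/CN=Example Lab CA"
HOST_NAME="pc-lab-01.example.invalid"
HOST_SUBJ="/CN=$HOST_NAME"

make_bundle() {
    # Throwaway CA: key plus self-signed cert
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "$CA_SUBJ" -days 365 >/dev/null 2>&1
    # Machine key and CSR
    openssl req -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
        -subj "$HOST_SUBJ" >/dev/null 2>&1
    # Extensions: the Client Authentication EKU that the Windows EAP-TLS
    # supplicant requires, plus the machine name as SAN
    cat > host.ext <<EOF
extendedKeyUsage = clientAuth
subjectAltName = DNS:$HOST_NAME
EOF
    openssl x509 -req -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out host.crt -days 365 -extfile host.ext >/dev/null 2>&1
    # PKCS#12 with key, cert and CA, empty export password (the post's
    # "disable the passphrase")
    openssl pkcs12 -export -inkey host.key -in host.crt -certfile ca.crt \
        -out host.p12 -passout pass:
}

# 0 if the bundle holds exactly one private key and two certs (host + CA)
bundle_has_key_and_chain() {
    openssl pkcs12 -in host.p12 -passin pass: -nodes -out bundle.pem \
        >/dev/null 2>&1
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' bundle.pem)" -eq 1 ] &&
    [ "$(grep -c 'BEGIN CERTIFICATE' bundle.pem)" -eq 2 ]
}

# 0 if the machine cert verifies against the CA that ships in the bundle
cert_chains_to_ca() {
    openssl verify -CAfile ca.crt host.crt >/dev/null 2>&1
}

# 0 if the machine cert carries the Client Authentication EKU
cert_has_client_auth_eku() {
    openssl x509 -in host.crt -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

make_bundle
bundle_has_key_and_chain && echo "bundle: key, host cert and CA present"
cert_chains_to_ca        && echo "chain:  host cert verifies against CA"
cert_has_client_auth_eku && echo "EKU:    clientAuth present"
```

Run the same three checks against a bundle exported from TinyCA2 (point the functions at that .p12 and the CA file) to see which of the three conditions the failing PC's certificate does not meet.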



More information about the Freeradius-Users mailing list