PEAP certificates, signing requirements and examples

Eshun Benjamin bkeshun at yahoo.fr
Tue Jul 10 11:41:59 CEST 2007


I have read and used the make_cert_command = "${certdir}/bootstrap"; it's an excellent tool, but it only creates clientAuth and serverAuth and does not add PEAP, which of course one can add by himself. Even though freeradius will authenticate, some supplicants will require users to save the cert the first time. Windows supplicants the OIDs: xpclient_ext and xpserver_ext, and on Mac supplicants?; it usually pops up the message "the server certificate is not trusted because there no explicit trust settings" - this seems to require the setting of the EAP OID. The question is: what is the difference between web server and RADIUS server certificates with respect to SSL and wireless in the context of EAP, PEAP? Does it matter if the CN is the SSID of the wireless network for RADIUS server auth and the server domain name for web server auth?

[ PEAP ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[ clientAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ serverAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
 
================================================== 
Benjamin K. Eshun

----- Original Message ----
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Monday, 9 July 2007, 18:12:28
Subject: Re: PEAP certificates, signing requirements and examples

Eshun Benjamin wrote:
> Hi All,
> I came across this information and thought it would be nice to drop it
> here. Even though it is an SSL issue, it has to do with PEAP. Just to
> discuss; any comments.

  This is documented in eap.conf, among other places.  It's on the Wiki,
in the script files that create the test certificates for the server, etc.

  In 2.0, a brand-new install of the server will automatically create
test certificates with the right OID's for Windows.

  Alan DeKok.
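An added example, not part of the original thread or of FreeRADIUS: how the OIDs in the [ PEAP ], [ clientAuth ] and [ serverAuth ] sections of the message above are encoded inside a certificate's extendedKeyUsage extension, and how a verifier can test for a given purpose. The DER byte strings are constructed samples and the function names are hypothetical.

```python
# Added example: constructed DER samples, hypothetical helper names.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

# Constructed extendedKeyUsage values mirroring the three sections in the
# message: a SEQUENCE (0x30) of OBJECT IDENTIFIER (0x06) elements.
SAMPLES = {
    "PEAP": bytes.fromhex("3014 0608 2b06010505070302 0608 2b06010505070301"),
    "clientAuth": bytes.fromhex("300a 0608 2b06010505070302"),
    "serverAuth": bytes.fromhex("300a 0608 2b06010505070301"),
}

def read_tlv(buf, pos):
    # Short-form lengths only (< 128 bytes), which is enough for an EKU list.
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos], buf[pos + 2:end], end

def decode_oid(body):
    # Arcs are base-128 with a continuation bit; byte one packs two arcs.
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def decode_eku(der):
    # Return the key-purpose OIDs listed in an extendedKeyUsage value.
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids

def allows(der, purpose_oid):
    # True if the EKU list includes the requested purpose.
    return purpose_oid in decode_eku(der)
```
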