client certs

Craig White craigwhite at azapple.com
Thu Dec 11 03:50:08 CET 2008


On Wed, 2008-12-10 at 21:36 -0500, Jason Wittlin-Cohen wrote:
> Craig,
> 
> Have you tried authenticating with the same certificate from a
> different computer, or using a different supplicant? The XP supplicant
> is pretty awful. If you have an Intel card, you can download the Intel
> PROset software for free which has more features than XP's supplicant,
> supports more authentication options, and tends to work better. My
> personal favorite is Juniper's Open Access client. Juniper has a
> 30-day trial if you want to test to see if that solves your problems.
----
yes, this laptop has Intel ProSet and I've been using that but with this
latest round of certs, I've been unable to get from Laptop to Radius, even
with Intel ProSet.  ;-(
----
> In addition, I find that if the server is down while a client tries to
> connect, I have to refresh the settings on the AP, restarting the
> wireless, or the RADIUS server will show no activity at all.
> Restarting Windows or repairing the wireless connection doesn't help
> as it appears to be an issue with the AP. So, if you had the
> RADIUS server down for even a short while, try restarting the AP.
----
I did that about an hour ago but it never hurts and I'll do that when I
start my next go 'round after dinner
----
> You can also see if there's a valid certificate chain. Start > Run
> "mmc". File > "Add Snap-In". Add "Certificates". Choose "My User". You
> should see a "Certificates - Current User" tree. Expand it, then open
> Personal > Certificates. You should see your certificate in the list.
> Double click the certificate and check the "Certificate Path" tab.
> Certificate Status should be "OK", and you should see both your client
> cert and the CA.
----
there is and I've been checking that very thing all along - looks good
-----
> If your certificate was signed by the server key and not the CA key,
> certificate verification will fail.
----
check
----
> Also, run freeradius with "freeradius -X" to check to see whether
> Windows is even communicating with the RADIUS server. I was having
> problems with my Ubuntu laptop and found it was timing out before even
> attempting to authenticate with the RADIUS server due to a driver
> issue.
----
that's what I was referring to 'debug' mode

I have enough hours logged in Radius configuration (first 1.1.2 and now
2.1.1) to know where all the bodies are buried and have googled and
looked at the wiki.freeradius.org till I'm blind.

Macintosh and iPhones were easy because they just ask you to accept
certificate(s) presented by server.

Windows RRAS authentication against Radius server was simple.

LDAP authentication seemed to be easy

WinXP laptops - argh...

Craig
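
The point quoted in the thread, that a client certificate signed with the server key instead of the CA key fails verification, can be reproduced offline with OpenSSL. This is an added example and not part of the original message; the subjects, file names and the helpers build_lab_pki and chain_ok are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway lab PKI. Every subject and file name here is constructed.
set -e

# build_lab_pki DIR: create a CA, a server cert and two client certs in DIR.
#   good.pem is signed with the CA key; bad.pem is signed with the server key.
build_lab_pki() {
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root CA
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$d/lab.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  # Key + CSR for the RADIUS server and for both client certs
  for n in server good bad; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
      -subj "/CN=$n.lab.example" -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
  done
  sign() {  # sign NAME ISSUER: issue NAME.pem using ISSUER's cert and key
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
      -CAcreateserial -days 1 -out "$d/$1.pem" >/dev/null 2>&1
  }
  sign server ca
  sign good ca        # correct: client cert issued by the CA
  sign bad server     # the mistake: client cert issued with the server key
}

# chain_ok CAFILE CERT: succeed only if CERT chains to the CA in CAFILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
build_lab_pki "$LAB"
for c in good bad; do
  if chain_ok "$LAB/ca.pem" "$LAB/$c.pem"; then r=OK; else r=FAIL; fi
  echo "$c.pem: $(openssl x509 -noout -issuer -in "$LAB/$c.pem") -> $r"
done
```

Running `openssl x509 -noout -issuer` on a real client certificate and comparing the result with the CA's subject is the command-line counterpart of the "Certificate Path" tab check described in the thread.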



