EAP-TLS Machine Authentication problems

tnt at kalik.co.yu tnt at kalik.co.yu
Fri Jan 18 12:11:44 CET 2008


machine:     TLS_accept:error in SSLv3 read client certificate A
user:    (other): SSL negotiation finished successfully

There doesn't seem to be a machine certificate in the certificate store.

Ivan Kalik
Kalik Informatika ISP



On 18/1/2008, "Michael Olson" <olson at irinim.net> wrote:

>I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine
>authentication. I set up FreeRADIUS following the guide at
>http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using
>OpenSSL to generate the certificates.
>
>I can authenticate using user certificates fine, so I'm pretty sure all the
>Certificates & CA setup is right on the RADIUS server certificate, User
>certificate, and the Root Certificate. That leaves the Computer Certificate.
>
>I generated the computer certificate to have the common name be the machine
>name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName
>field as well. It has the same usage extensions as the User certificates.
>(TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to
>Computer Only (2), and it tries to authenticate which suggests that the
>workstation is okay with the certificate.
>
>Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
>
>Other than that I can't think of where to look for a problem. Comparing logs
>between user and computer authentication I can see where it starts differing
>but I can't find anything I can interpret as to why. Nothing seems to fail for
>the computer, it just cycles endlessly.
>
>Successful User Authentication Log:
>    http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
>
>Failed Computer Authentication Log:
>    http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
>
>I also tossed out the windows tracing logs for both user and computer auth
>    and anything else that seemed useful in
>    http://www.cs.odu.edu/~olson/eap/
>
>Can anybody give me a pointer on where to look for problems?
>
>Thanks
>
>-- Mike Olson
>
>
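One way to check the diagnosis in the reply on the workstation, as an added example that is not part of the original thread: it lists what the Local Computer and Current User "Personal" stores hold and whether each certificate has a private key and the TLS Client Auth usage quoted above. It assumes PowerShell 3 or later is available on the client; `Get-EapTlsCandidate` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Machine authentication draws its
# certificate from the Local Computer store, user authentication from the
# Current User store, so a certificate imported only into the user store
# works for user logon but leaves the machine with nothing to present.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # TLS Client Auth, as quoted in the message
$SanOid        = '2.5.29.17'           # subjectAltName extension

function Get-EapTlsCandidate {         # hypothetical helper name
    param([Parameter(Mandatory)][string]$StorePath)

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuOids = @()
        $san = ''
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            } elseif ($ext.Oid.Value -eq $SanOid) {
                $san = $ext.Format($false)
            }
        }
        # A certificate with no EKU extension is not restricted to any purpose.
        $ekuOk   = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $ClientAuthOid)
        $inDates = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)

        [pscustomobject]@{
            Store         = $StorePath
            Subject       = $cert.Subject
            SubjectAlt    = $san
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = $ekuOk
            InValidity    = $inDates
            Usable        = $cert.HasPrivateKey -and $ekuOk -and $inDates
        }
    }
}

$machine = @(Get-EapTlsCandidate -StorePath 'Cert:\LocalMachine\My')
$user    = @(Get-EapTlsCandidate -StorePath 'Cert:\CurrentUser\My')
($machine + $user) | Format-Table -AutoSize

if (-not ($machine | Where-Object Usable)) {
    Write-Warning 'No usable client certificate in Cert:\LocalMachine\My.'
}
```

A certificate that shows up only under `Cert:\CurrentUser\My`, or under `Cert:\LocalMachine\My` with `HasPrivateKey` false, matches the symptom described in the reply.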