Problems using EAP-TLS with freeradius version 2

Stefan Puch s.puch at web.de
Thu Jan 31 17:05:35 CET 2008


Hello again,

@Alan DeKok
> But I would first suggest trying to use the test certificates that come with 
> 2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that
> there is something special about the certificates you're using.
I tried to generate some test certificates using the README file provided in the
source code under "freeradius-server-2.0.1/raddb/certs/".
For that, the Makefile in the same directory is used. I'm not really sure, but
in line 93, where "client.pem" is created, it must be
-passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER)

Most of the time you will not notice, because in server.cnf and client.cnf
all the passwords are set to "whatever", so they are identical, but when you change
them, you will get an error (as I did).
It would also be helpful to integrate the following command into the ca section
when generating a self-signed CA certificate, because on Windows you need the
CA in DER format:
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

This evening I will test whether these certificates are working.


@Reimer Karlsen-Masur
> We know of problems with EE certificates in PDAs containing the
> "non-repudiation" flag.

> Additionally Windows built-in supplicants don't like EE certificates with
> the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2)
> when doing EAP-TLS.

> Apparently the latter issue can also be solved by just disabling the valid
> certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted
> usages properties on the system.
I'm not sure I understand correctly what you are trying to tell me (I'm stupid :-)).
So far I have used TinyCA to generate my certificates; now I will try the Makefile
provided in the FreeRADIUS source code. I think the extendedKeyUsage
"Microsoft Smartcard Logon" should not be set in either variant. Or do you mean
that the extendedKeyUsage "Microsoft Smartcard Logon" must be disabled on the PDA?

Best regards and thanks in advance

Stefan Puch
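The certificate-generation steps discussed in this message (separate passwords for the CA and client keys, the -passin mix-up, the PEM-to-DER conversion of the CA certificate, and a client certificate without the Smartcard Logon EKU) as an added, self-contained example. This is not the FreeRADIUS raddb/certs Makefile and not code from anyone in the thread; it assumes the openssl command-line tool is installed, and the working directory, subject names and passwords are made-up values for the demonstration.

```shell
#!/bin/sh
# Added example (not the FreeRADIUS raddb/certs Makefile): build a small
# EAP-TLS PKI with openssl, using a DIFFERENT password for each private key
# so that a -passin mix-up between PASSWORD_SERVER and PASSWORD_CLIENT fails
# loudly instead of working by accident because every password is "whatever".
# Directory, subject names and passwords below are assumptions for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASSWORD_CA="capass-1"
PASSWORD_CLIENT="clientpass-2"
PASSWORD_SERVER="serverpass-3"    # deliberately not the client password

# Self-signed CA whose key is protected with PASSWORD_CA, plus a DER copy of
# the CA certificate for import on Windows (the step proposed above).
make_ca() {
    openssl req -new -x509 -days 3650 -newkey rsa:2048 \
        -passout "pass:$PASSWORD_CA" -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" -subj "/CN=Example EAP-TLS CA" 2>/dev/null
    openssl x509 -inform PEM -outform DER -in "$WORK/ca.pem" -out "$WORK/ca.der"
}

# Client (EE) certificate carrying only the clientAuth EKU: no Microsoft
# Smartcard Logon OID (1.3.6.1.4.1.311.20.2.2) and no nonRepudiation bit,
# the two extensions named in the thread as upsetting Windows/PDA supplicants.
make_client() {
    openssl req -new -newkey rsa:2048 -passout "pass:$PASSWORD_CLIENT" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/CN=client@example.org" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = clientAuth' > "$WORK/client.ext"
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -passin "pass:$PASSWORD_CA" \
        -CAcreateserial -extfile "$WORK/client.ext" \
        -out "$WORK/client.crt" 2>/dev/null
}

# The Makefile's client.p12 step: bundle cert + key. $1 is the password
# handed to -passin; it only succeeds when $1 really unlocks client.key.
bundle_client() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -passin "pass:$1" -passout "pass:$PASSWORD_CLIENT" \
        -out "$WORK/client.p12" 2>/dev/null
}

# Check a certificate for the Smartcard Logon EKU (by name or by OID).
has_smartcard_logon() {
    openssl x509 -in "$1" -noout -text |
        grep -Eq 'Smartcard Logon|1\.3\.6\.1\.4\.1\.311\.20\.2\.2'
}

# Confirm ca.der is the same certificate as ca.pem (same SHA-256 fingerprint).
der_matches_pem() {
    pem_fp=$(openssl x509 -in "$WORK/ca.pem" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -inform DER -in "$WORK/ca.der" -noout -fingerprint -sha256)
    [ -n "$pem_fp" ] && [ "$pem_fp" = "$der_fp" ]
}

# Demo run; the last line reproduces the -passin mistake from the Makefile.
if command -v openssl >/dev/null 2>&1; then
    make_ca
    make_client
    der_matches_pem && echo "ca.der matches ca.pem"
    bundle_client "$PASSWORD_CLIENT" && echo "client.p12 written with PASSWORD_CLIENT"
    bundle_client "$PASSWORD_SERVER" || echo "PASSWORD_SERVER does not unlock client.key (expected)"
fi
```

Because the three keys are encrypted with different passwords, the wrong -passin value is caught at bundling time rather than hidden by identical "whatever" defaults; the same idea (distinct passwords in ca.cnf, server.cnf and client.cnf) is the quickest way to catch the Makefile mix-up described above. Inspect the client certificate with `openssl x509 -in client.crt -noout -text` to confirm the EKU lists only TLS Web Client Authentication before loading it on a Windows or PDA supplicant.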