cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Reveal MAP revealmapp at yahoo.fr
Fri Jul 25 17:57:40 CEST 2008


> But I think this problem does not affect PEAP because PEAP does not use 
> client certs, you only need to install ca.der on the client machine and 
> put in the passwords

i refer to that:

> so my question is, if the certificate (with server extension) is
> missing on the client, could it interfere with EAP-PEAP authentication
> success?

yes.

you need a RADIUS cert with the extensions...and if doing proper
PEAP, you need the CA installed on the client too  - with 'validate
server certificate' checked and cross-linked (ie you choose
the correct CA in the list!)

alan

really?? it seems to affect PEAP too when freeradius authenticates against Active Directory.

if i understood well, PEAP authentication needs a login + password on the client side and a certificate on the server side in order for the authentication process to succeed!
so, which certificate do i have to install on the client side?
- i already tried ca.der with no success! after an access-challenge, the request simply stops.
- i am trying server.crt too, with no more success. i install it in the intermediate authority container, but it won't be available in the list of the wireless manager of xp.
if you have a suggestion, i am open!




----- Original Message ----
From: Sergio <sergioyebenes at alumnos.upm.es>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Friday, 25 July 2008, 13h20mn 54s
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Reveal MAP wrote:
> HOW TO FIX THE PROBLEM OF THE ISSUER of client certificates in the 
> default configuration?
>
> - this bug is suspected of preventing me from doing EAP-PEAP and of 
> affecting the CRL management too. it's a real problem
>
>
>
> ----- Original Message ----
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Thursday, 24 July 2008, 19h54mn 32s
> Subject: Re: cert bootstrap bug? (was Re: definitively, I have a 
> problem with eap-tls)
>
> Sergio wrote:
> > But the debug I posted shows that radius doesn't recognize the issuer of
> > the client cert using default certs. If the default certs work and I don't
> > need to install server.pem and ca.pem into the ssl/certs dir, what am I
> > forgetting, Alan?
>
>   You need to follow the documentation in eap.conf.
>
>             #  If CA_file (below) is not used, then the
>             #  certificate_file below MUST include not
>             #  only the server certificate, but ALSO all
>             #  of the CA certificates used to sign the
>             #  server certificate.
>             certificate_file = ${certdir}/server.pem
>
>   Have you done that?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
But I think this problem does not affect PEAP because PEAP does not use 
client certs, you only need to install ca.der on the client machine and 
put in the passwords

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
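
The two server-side points raised in this thread (a RADIUS certificate "with the extensions", and a certificate_file that also holds the CA certificates when CA_file is not used) can be checked with openssl before eap.conf is pointed at the file. This is an added example, not part of the original messages or of FreeRADIUS; the function names are hypothetical, and it assumes "the extensions" means the TLS Web Server Authentication extended key usage.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): sanity checks for the
# PEM file that eap.conf's certificate_file points at. Function names are
# assumptions; pass your own path, e.g. the expanded ${certdir}/server.pem.

# Print the number of PEM certificates in the file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed if the first certificate carries the assumed "server" extension:
# extendedKeyUsage = TLS Web Server Authentication (OID 1.3.6.1.5.5.7.3.1).
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# Succeed if the first certificate chains to a self-signed CA using only the
# certificates inside the same file (the case where CA_file is not set).
bundle_is_complete() {
    openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

# Run all checks, print a short report, return non-zero on any failure.
check_certificate_file() {
    rc=0
    echo "certificates in $1: $(count_certs "$1")"
    if has_server_auth "$1"; then
        echo "server cert: server authentication extension present"
    else
        echo "server cert: server authentication extension MISSING"; rc=1
    fi
    if bundle_is_complete "$1"; then
        echo "chain: server cert verifies against the CA certs in the file"
    else
        echo "chain: CA certs missing from the file (append them or set CA_file)"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_cert.sh /path/to/server.pem
if [ "$#" -gt 0 ]; then
    check_certificate_file "$1"
fi
```

A file that passes both checks satisfies the server side only; the client still needs the CA certificate installed and selected under "validate server certificate", as the reply above says.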

