FreeRADIUS EAP-TLS and SSL certificate chains
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 20 13:12:06 CET 2009
Meyers, Dan wrote:
>>> I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
>>> not require a client certificate. My understanding however is that for
>>> passing of the server certificate to validate our server to the clients
>>> the options with the tls subsection of the eap.conf file are still used.
>> For that you need to export just the intermediate certificate used to
>> sign the server certificate onto the clients. They should have the root
>> one already.
>>
>> Import intermediate certificate (.der or .crt version) onto a client.
>> Copy server.crt onto the client desktop and see if Windows recognized
>> the chain.
>
> Yes, if I import just the intermediate certificate to the client,
> install it, and then try and auth, the chain is picked up correctly (or
> if I just copy across the server cert and check it). But of course the
> reason for this is because the intermediate cert is then directly
> trusted by the client, and the server cert is signed by it.
Dan,
It's unclear to me exactly:
a. what you're expecting to happen
b. what is happening
We have exactly the same setup - verisign root->intermediate->our cert.
What happens with an XP client on our WPA EAP-PEAP network is exactly
the same as documented here:
http://www.albany.edu/its/windows_detailed_document.pdf
...that is, after clicking all the tedious boxes in XP, once connecting,
a dialog box pops up as per page 6 of the PDF above. Once clicked, the
user is never prompted again.
As per my email on the DOT1X list the other day, this is (we believe) a
behaviour change from a vanilla Windows XP SP2 install, i.e. one of the
hotfixes changed something.
Certainly when we tested a vanilla XP SP2 install against our current
cert chain, it worked straight through, but a fully-hotfixed install did
not.
Is this what you're seeing?
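The chain situation discussed in this thread (root trusted by the client, server cert signed by an intermediate), reproduced as an added check that is not part of the original thread: the script builds a throwaway root -> intermediate -> server chain with constructed subjects and keys, then verifies the server certificate while trusting only the root, once without and once with the intermediate supplied as untrusted chain material. All file names, subjects and the WORK directory are assumptions; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the thread): constructed three-tier chain to show
# why a client that trusts only the root cannot validate the server cert
# unless the intermediate reaches it some other way.
set -e
WORK="${WORK:-$(mktemp -d)}"

# mkcert NAME SUBJECT EXTLINE ISSUER  (empty ISSUER = self-signed)
mkcert() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$subj" \
    -out "$WORK/$name.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/$name.ext" -days 1 -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -extfile "$WORK/$name.ext" -days 1 -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Constructed chain: root (self-signed) -> intermediate -> RADIUS server cert
build_chain() {
  mkcert root "/CN=Constructed Root CA" "basicConstraints=critical,CA:TRUE" ""
  mkcert intermediate "/CN=Constructed Intermediate CA" \
    "basicConstraints=critical,CA:TRUE" root
  mkcert server "/CN=radius.example.test" "basicConstraints=CA:FALSE" intermediate
}

# check_chain with|without : verify server.pem trusting only root.pem.
# "with" also supplies the intermediate as untrusted chain material, which is
# the role the server's TLS handshake (or a client-side import) has to fill.
check_chain() {
  if [ "$1" = "with" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
      "$WORK/server.pem" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" \
      >/dev/null 2>&1 && echo ok || echo fail
  fi
}

build_chain
echo "root only, intermediate missing: $(check_chain without)"   # fail
echo "root plus untrusted intermediate: $(check_chain with)"     # ok
```

The "without" case is what the client sees when neither the server nor a local import provides the intermediate; the "with" case is the state the thread's "import the intermediate onto the client" step produces.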