windows users having trouble authenticating

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Tue Aug 3 17:59:47 CEST 2010


Alan:

Thank you for your response, I think I finally know what is going on.  I
need to get a real cert for my FreeRADIUS Server, any suggestions about
which vendor, i.e. Verisign vs Thawte vs ?

I was under the impression that the clients were sending a cert to the
server and the server was rejecting it, instead it seems that the
clients are rejecting the server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:47 AM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

Sallee, Stephen (Jake) wrote:
> I am still getting this error in my debug output:
> 
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> 
> I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

  No amount of upgrading FreeRADIUS will make it work.

  This message comes because (a) the supplicant has a client certificate
issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling
FreeRADIUS that the server's CA is unknown to the client.

> PLEASE someone tell me how to make FreeRADIUS automatically accept the
> client cert.

  PEAP doesn't work like that.  If you issued client certs, then
FreeRADIUS *MUST* be configured to know about the CA.

> I have about 2 thousand clients that are not owned by my university, 
> I cannot install the server cert on all of them, the logistics are too
> much.  PLEASE HELP!

  We're trying.  We're asking you to listen to our responses.

  PEAP (or any TLS based EAP method) *cannot* do what you ask.  It's
impossible, and it was designed to be impossible by the people who
created the cryptography algorithms.

  If you want to have it work, then (a) configure FreeRADIUS to know
about the CA that issued the client cert, or (b) put the FreeRADIUS
cert/CA on a web site, for the clients to download themselves.

  I understand what you want, but please understand that there are
limitations to the protocols *independent* of FreeRADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
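The debug line Jake quoted and Alan's two-way explanation can be told apart from the OpenSSL error code itself, which is the check a practitioner would want before buying a certificate. The following is an added example, not code from the thread or from FreeRADIUS: it decodes a pre-3.0 OpenSSL error number (`error:14094418`) into library, function and reason fields and, using the convention that SSL reason codes of 1000 and above (SSL_AD_REASON_OFFSET) mean "a TLS alert was received from the peer" with alert number `reason - 1000`, reports whether the server merely received the supplicant's `unknown_ca` alert (case (b), the client rejecting the server chain) or failed a verification itself (case (a), which surfaces as a local reason code such as `certificate verify failed`). The `SSL3_GET_CLIENT_CERTIFICATE` sample line is constructed here for contrast and is not from the original debug output; the function and constant names in the block are this example's own.

```python
import re

# TLS AlertDescription values (RFC 5246, section 7.2); subset sufficient for
# the alerts FreeRADIUS users typically see in rlm_eap debug output.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}

# OpenSSL (before 3.0) packs an error as lib:8 | func:12 | reason:12 bits.
ERR_LIB_SSL = 20            # "SSL routines"
SSL_AD_REASON_OFFSET = 1000 # SSL reasons >= 1000 encode a *received* alert

# Matches "SSL error error:<8 hex digits>:<lib>:<func>:<reason text>"
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into its fields.

    Returns a dict with lib/func/reason and, when the reason is a received
    TLS alert, the alert's RFC name under 'received_alert' (else None).
    """
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert_name = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        alert_name = TLS_ALERTS.get(alert, "alert_%d" % alert)
    return {"lib": lib, "func": func, "reason": reason,
            "received_alert": alert_name}


def diagnose(debug_line):
    """Classify one rlm_eap debug line as case (a), case (b) or unknown."""
    m = ERR_RE.search(debug_line)
    if not m:
        return None
    info = decode_openssl_error(int(m.group(1), 16))
    func_name, reason_text = m.group(3), m.group(4).strip()
    if info["received_alert"] == "unknown_ca":
        # The peer (the supplicant) sent unknown_ca: it does not trust the
        # CA that issued the RADIUS server certificate -- Alan's case (b).
        return ("b", "supplicant rejected the server certificate chain "
                     "(received TLS alert unknown_ca in %s)" % func_name)
    if info["received_alert"] is not None:
        return ("peer", "supplicant sent alert %s in %s"
                % (info["received_alert"], func_name))
    # A reason below 1000 is a local failure: FreeRADIUS itself could not
    # verify something, e.g. a client cert from a CA it does not know --
    # Alan's case (a).
    return ("a", "local verification failure in %s: %s"
            % (func_name, reason_text))


# Sample input. The first line is the one quoted in the thread; the second
# is constructed for contrast and was not in the original debug output.
SAMPLE_LINES = [
    "rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:"
    "tlsv1 alert unknown ca",
    "rlm_eap: SSL error error:14089086:SSL routines:"
    "SSL3_GET_CLIENT_CERTIFICATE:certificate verify failed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(diagnose(line))
```

For the line from the thread the decoder reports case (b): lib 20 is "SSL routines", reason 0x418 is 1048, which is 1000 + 48, and alert 48 is `unknown_ca`, received while the server was reading the supplicant's bytes. That is the same conclusion Jake reached, and it means the fix is on the client side (a server certificate the supplicants already trust, or distributing the server CA as Alan suggests), not in FreeRADIUS's own CA configuration. Had the server been the one rejecting a client certificate, the reason field would have been a local code below 1000, as in the constructed second line.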