[OT?] Systemwide authentication on Windows
Lukas Haase
lukashaase at gmx.at
Wed Aug 11 03:23:45 CEST 2010
Hi,
Thank you for your reply!
On 11.08.2010 02:46, Alan DeKok wrote:
> Lukas Haase wrote:
>[...]
> This is really a Windows question.
Yes, I was not sure, that is why I set [OT?]...
>> This can't be true?! There must be a way to connect the whole machine
>> using a certificate (not just the current user), mustn't it?
>
> There is a way. Windows usually auto-provisions machine certificates
> via Active Directory.
I am not sure if this is really required for EAP-TLS.
After searching for all possible keywords I think I have found the
correct term: "Machine authentication".
Unfortunately there is really very little information on this issue. I
found some posts on this list but none helped.
Here is one:
http://lists.cistron.nl/pipermail/freeradius-users/2006-May/msg00810.html
I think it has just something to do with the certificates: I need to set
special stuff for a "machine certificate".
Here is what I did:
* Set extendedKeyUsage = 1.3.6.1.5.5.7.3.2
* Set CN to "computername" (also tried "computername.fqdn")
* Set E-Mail address to "computername" (also tried "computername.fqdn")
* Signed with root cert
* Imported this (including the CA root cert) with mmc into the
certificate store for local computer
* Double-clicking the certificate, it seems that everything is correct
But when I want to connect I just get something like "Could not login
onto the network because no certificate found" ("Es wurde kein
Zertifikat gefunden, um Sie am Netzwerk anzumelden").
What else could be missing?
Regards, Luke
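
As an added example (not part of the original post and not FreeRADIUS project code), the certificate properties listed in the post can be reproduced with the OpenSSL command line and checked before import, together with a check that the private key matches the certificate. The CA name, host name and file names are constructed, and the use of OpenSSL is an assumption since the post does not name the tool used.

```shell
#!/bin/sh
# Added example. Constructed names: "Example Test CA", computername.example.test.

# Create a throwaway root CA in directory $1 and a certificate for host $2 signed by it.
make_machine_cert() {
    dir=$1 host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/machine.key" -out "$dir/machine.csr" 2>/dev/null || return 1
    # The EKU value from the post: 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth.
    echo "extendedKeyUsage = 1.3.6.1.5.5.7.3.2" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/machine.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" \
        -out "$dir/machine.pem" 2>/dev/null || return 1
}

# Check chain and client purpose, the EKU, the subject CN, and the key/certificate pairing.
check_machine_cert() {
    dir=$1 host=$2 cert=$1/machine.pem
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$cert" >/dev/null 2>&1 \
        || { echo "chain or client-purpose check failed"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Client Authentication" \
        || { echo "clientAuth EKU missing"; return 1; }
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case $subj in *"CN=$host") ;; *) echo "subject CN is not $host"; return 1 ;; esac
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/machine.key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 1; }
}

workdir=$(mktemp -d)
make_machine_cert "$workdir" computername.example.test &&
    check_machine_cert "$workdir" computername.example.test && echo "all checks passed"
rm -rf "$workdir"
```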