802.1x on Active Directory: no errors in debug but auth fails
John Dennis
jdennis at redhat.com
Tue Feb 8 15:11:12 CET 2011
On 02/08/2011 06:16 AM, Domenico Viggiani wrote:
> Thanks but I think that recent versions of Freeradius contains a certs
> generation script that provide "test" certificates with all OIDs needed.
> Or am I wrong?
>
> I'm currently still unable to authenticate a XP SP3 client to FR by Active
> Directory.
I think the OP said they were using a RHEL 5 or CentOS 5 package; if so,
there are two things you might want to check. We had bugs opened saying
the default cert configuration was too weak, and the following two
adjustments were made.
The validity period was reduced from 1 year to 60 days. The certs
created during installation are meant for testing and since they are
created silently it was felt a naive admin might not realize they've got
certs useful for authentication sitting around. The idea is the certs
will get you over the hump of testing your installation but for
deployment you need to go back and regenerate them for actual deployment.
So make sure the certs are still within their validity period.
Secondly, the default digest was changed from md5 to sha1. This is a
change also present in current OpenSSL releases. md5 is known to be
weak. The generated certs were tested, but only Linux to Linux, not
with Windows. In theory Windows shouldn't have a problem with sha1
digests in certs, but Windows seems to be very finicky when it comes to
x509.
So you might want to set default_md in the /etc/raddb/*.cnf files back
to md5 and see if that's affecting anything.
Hope that helps,
John
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
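As an added example (not from the thread or the FreeRADIUS project), a small POSIX shell script that checks a FreeRADIUS EAP certificate for the two things John suggests: whether it is still inside its validity period and which digest signed it (md5 vs sha1). It assumes the openssl command-line tool is installed and takes the certificate path as an argument, e.g. the server cert under /etc/raddb/certs (an assumed location).

```shell
#!/bin/sh
# Sanity-check a FreeRADIUS EAP certificate for the two issues discussed
# above: validity period (the packaged test certs only last 60 days) and
# the signature digest. Assumes the openssl CLI is installed.

# Print the digest used in the certificate's signature (md5, sha1, sha256, ...).
cert_digest() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -m1 'Signature Algorithm' \
        | tr 'A-Z' 'a-z' \
        | grep -o -E 'md5|sha1|sha256|sha384|sha512' \
        | head -n 1
}

# Succeed (exit 0) if the cert is still valid for at least $2 more seconds
# (default 0, i.e. "not expired right now"); openssl exits 1 otherwise.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Report on one certificate file. Returns 1 when the cert has expired,
# expires within a week, or was signed with md5; 0 otherwise; 2 if unreadable.
check_radius_cert() {
    cert="$1"
    status=0
    if [ ! -r "$cert" ]; then
        echo "$cert: cannot read certificate" >&2
        return 2
    fi
    if ! cert_not_expired "$cert"; then
        echo "$cert: EXPIRED - regenerate the certs"
        status=1
    elif ! cert_not_expired "$cert" $((7 * 86400)); then
        echo "$cert: expires within 7 days - regenerate soon"
        status=1
    else
        echo "$cert: validity period OK"
    fi
    digest="$(cert_digest "$cert")"
    case "$digest" in
        md5)  echo "$cert: signed with md5 (weak; only for a quick interop test)"; status=1 ;;
        sha1) echo "$cert: signed with sha1 (the digest to suspect if XP rejects it)" ;;
        '')   echo "$cert: could not determine signature digest" ;;
        *)    echo "$cert: signed with $digest" ;;
    esac
    return $status
}

if [ "$#" -gt 0 ]; then check_radius_cert "$1"; fi
```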