Intermediate root CA issue

Matthew Newton mcn4 at leicester.ac.uk
Thu Feb 23 01:33:46 CET 2012


On Wed, Feb 22, 2012 at 04:11:00PM -0600, John Dunning wrote:
> devices.  With Windows 7 (SP1) we're fine as long as we leave
> "validate server certificate" unchecked.  As soon as we enable

So your general server config is good.

> (1.3.6.1.5.5.7.3.1) Extended Key usage.  The cert listed in the
> "certificate_file" entry in /etc/freeradius/eap.conf contains,
> is the catted contents of the wildcard cert, the intermediate

Don't know if Windows will handle a wildcard cert here.

> cert, and the root CA (which, in theory, since Windows 7
> includes this shouldn't be needed?), all in one file.  

Try putting just the server cert in that file, and importing the
intermediate cert into the Windows store.

I hit similar the other week (although PEAP/EAP-TLS and not a
wildcard cert). Windows wouldn't play ball unless it already had
the intermediate, even though FR was sending it over.

As I was in the middle of moving from test to production at the
time and it wouldn't actually matter to me in the final config, I
put it down to 'one of those many stupid things Microsoft doesn't
do very well', and moved on.

So there may have been a way to fix it and I might have thought
bad of Microsoft unnecessarily (doesn't often happen), but I
didn't play to find out. But if importing the intermediate makes
it work, that might help point you in the right direction.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
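
Added example, not part of the original message: one way to check the contents of a concatenated `certificate_file` the way a client that trusts only the root would, so a broken bundle can be told apart from client-side behaviour. The helper names `check_bundle` and `make_test_pki`, and the throwaway root/intermediate/server certificates, are constructed for illustration.

```shell
#!/bin/sh
# check_bundle BUNDLE TRUSTED: treat the first certificate in BUNDLE as the
# server certificate and any following ones as the chain the server sends,
# then verify as a client whose store is TRUSTED, requiring the serverAuth
# purpose (1.3.6.1.5.5.7.3.1). Returns 0 only if the chain verifies.
check_bundle() {
    tmp=$(mktemp -d) || return 2
    openssl x509 -in "$1" -out "$tmp/leaf.pem" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    # Everything after the first END CERTIFICATE line is the sent chain.
    awk 'seen { print } /-----END CERTIFICATE-----/ { seen = 1 }' "$1" > "$tmp/chain.pem"
    if [ -s "$tmp/chain.pem" ]; then
        openssl verify -purpose sslserver -CAfile "$2" \
            -untrusted "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -purpose sslserver -CAfile "$2" "$tmp/leaf.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# make_test_pki DIR: build a constructed root -> intermediate -> server chain
# (root.pem, int.pem, srv.pem) in DIR for trying check_bundle offline.
make_test_pki() {
    ( cd "$1" || exit 2
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
      printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext
      for n in root int srv; do
          openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
              -out "$n.csr" -subj "/CN=constructed-$n" || exit 2
      done
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
          -days 2 -out root.pem &&
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -extfile ca.ext -days 2 -out int.pem &&
      openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
          -extfile srv.ext -days 2 -out srv.pem
    ) >/dev/null 2>&1
}

# Stand-alone use: ./script BUNDLE TRUSTED
if [ "$#" -eq 2 ]; then
    if check_bundle "$1" "$2"; then echo "chain verifies"; else echo "chain does NOT verify"; fi
fi
```

A server-only file fails against a store holding just the root and passes once the intermediate is added to the store, which is the client-side setup suggested above.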


