EAP-TLS with Client Cert, with Key Usage "EAP over Lan"

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Mon Dec 19 17:28:42 CET 2016


Hi,

> Server: FreeRADIUS Version 2.2.5, for host i586-pc-linux-gnu, built on Oct 24 2014 at 04:18:43

old. upgrade

> My Problem is the usage of the "X509v3 Extended Key Usage" in the Certificate of the Client.
> If I use at the Client a Certificate with the "X509v3 Extended Key Usage" : "TLS Web Server Authentication, TLS Web Client Authentication" the 802.1x Authentication with EAP-TLS is running Fine.
> 
> BUT I have the constraint that the Certificate on the Client is without "TLS Web Client Authentication" because there are absolutely no Client Applications running, the Device is running only some Server Applications.
> 
> So I tried to Use on the Client a Certificate with the "X509v3 Extended Key Usage" : "TLS Web Server Authentication, EAP over Lan". But unfortunately the 802.1x Authentication with EAP-TLS did not work.
>

latest version of FR also has latest scripts and various other things to ensure best client compatibility

> My Question is now which "X509v3 Extended Key Usage" are mandatory for the Certificate on the Device?

as per the provided scripts. all very well tested with fixes and feedback given to project

> And why is it not enough that the "X509v3 Extended Key Usage" has "EAP over LAN" in it?

ask microsoft and the other OS vendors who require this of their supplicants
(I would also ask why a supplicant requires the OCSP value when client won't be able to be online to check!!!)

alan

