<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><div>> But I think this problem do not affect peap because peap do not use <br>> client certs, you only need to install ca.der into client machine and <br>> put the passwords</div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br>i refer to that:<br><br><span style="font-weight: bold; font-style: italic;">> so my question is, if the certificate (with server extension) is
missing on the client, could it interfer in EAP-PEAP authentication
success?</span><br style="font-weight: bold; font-style: italic;"><br style="font-weight: bold; font-style: italic;"><span style="font-weight: bold; font-style: italic;">yes.</span><br style="font-weight: bold; font-style: italic;"><br style="font-weight: bold; font-style: italic;"><span style="font-weight: bold; font-style: italic;">you need a RADIUS cert with the extensions...and if doing proper</span><br style="font-weight: bold; font-style: italic;"><span style="font-weight: bold; font-style: italic;">PEAP, you need the CA installed on the client too - with 'validate</span><br style="font-weight: bold; font-style: italic;"><span style="font-weight: bold; font-style: italic;">server certificate' checked and cross-linked (ie you choose</span><br style="font-weight: bold; font-style: italic;"><span style="font-weight: bold; font-style: italic;">the correct CA in the list!)</span><br style="font-weight: bold; font-style: italic;"><br
style="font-weight: bold; font-style: italic;"><span style="font-weight: bold; font-style: italic;">alan</span><br><br>really?? it seems to affect PEAP too when freeradius authenticates against Active Directory.<br><br>if i understood well,PEAP authentication need client side a login + password and server side a certificate in order to the authentication process to success!<br>so, which certificate have i to install on client side?<br>- i did ever try ca.der with no success! 'after an access-challenge, the request simply stops.<br>- i am trying sever.crt too, with no more success. i install it in intermediate authority containeer,but it won't be available in the list of the wireless manager of xp.<br>if you have a suggestion, i am open!<br><br><br><span style="font-weight: bold; font-style: italic;"></span><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;">----- Message d'origine ----<br>De : Sergio
<sergioyebenes@alumnos.upm.es><br>À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org><br>Envoyé le : Vendredi, 25 Juillet 2008, 13h20mn 54s<br>Objet : Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)<br><br>Reveal MAP escribió:<br>> HOW TO FIX THE PROBLEM OF THE ISSUER of clients certificates in <br>> default configuration?<br>><br>> - this bug is suspected to make i can't do EAP-PEAP and affect the CRL <br>> management too. it's a real problem<br>><br>><br>><br>> ----- Message d'origine ----<br>> De : Alan DeKok <<a ymailto="mailto:aland@deployingradius.com" href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>><br>> À : FreeRadius users mailing list <<a ymailto="mailto:freeradius-users@lists.freeradius.org" href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>> Envoyé
le : Jeudi, 24 Juillet 2008, 19h54mn 32s<br>> Objet : Re: cert bootstrap bug? (was Re: definitively, I have a <br>> problem with eap-tls)<br>><br>> Sergio wrote:<br>> > But the debug I posted shows that radius doesn't recognize the issuer of<br>> > client cert using default certs. If default certs works and I don't need<br>> > to install server.pem and ca.pem into ssl/certs dir, what I'm forgetting<br>> > alan?<br>><br>> You need to follow the documentation in eap.conf.<br>><br>> # If CA_file (below) is not used, then the<br>> # certificate_file below MUST include not<br>> # only the server certificate, but ALSO all<br>> # of the CA certificates used to sign the<br>>
# server certificate.<br>> certificate_file = ${certdir}/server.pem<br>><br>> Have you done that?<br>><br>> Alan DeKok.<br>> -<br>> List info/subscribe/unsubscribe? See <br>> <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>><br>> ------------------------------------------------------------------------<br>> Envoyé avec Yahoo! Mail <br>> <<a href="http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html" target="_blank">http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html</a>>.<br>> Une boite mail plus intelligente.<br>><br>But I think this problem do not affect peap because peap do not use <br>client
certs, you only need to install ca.der into client machine and <br>put the passwords<br><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></div></div></div><br>
<hr size="1">
Envoyé avec <a href="http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html">Yahoo! Mail</a>.<br>Une boite mail plus intelligente. </a></body></html>