Windows clients are on the domain, so the user cert and the CA are added by default when you join the machine to the domain<br><br><div class="gmail_quote">On Tue, Aug 9, 2011 at 18:29, Sallee, Stephen (Jake) <span dir="ltr"><<a href="mailto:Jake.Sallee@umhb.edu">Jake.Sallee@umhb.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">I believe you need to install the server cert and any intermediate certs on the client before the validate server cert option will work.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:28.0pt;font-family:"Matura MT Script Capitals";color:#1F497D">Jake Sallee<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New";color:#1F497D">Godfather of Bandwidth<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New";color:#1F497D">System Engineer<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1F497D">University of Mary Hardin-Baylor<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1F497D">900 College St.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1F497D">Belton, Texas<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1F497D">76513<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1F497D">Fone: <a href="tel:254-295-4658" value="+12542954658" target="_blank">254-295-4658</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1F497D">Phax: <a href="tel:254-295-4221" value="+12542954221" target="_blank">254-295-4221</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> freeradius-users-bounces+jake.sallee=<a href="mailto:umhb.edu@lists.freeradius.org" target="_blank">umhb.edu@lists.freeradius.org</a> [mailto:<a href="mailto:freeradius-users-bounces%2Bjake.sallee" target="_blank">freeradius-users-bounces+jake.sallee</a>=<a href="mailto:umhb.edu@lists.freeradius.org" target="_blank">umhb.edu@lists.freeradius.org</a>]
<b>On Behalf Of </b>Petar Marinkovic<br>
<b>Sent:</b> Tuesday, August 09, 2011 11:16 AM<br>
<b>To:</b> <a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a><br>
<b>Subject:</b> Validate server certificate problem<u></u><u></u></span></p><div><div></div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I've set up latest version of FreeRadius from source on Ubuntu, and I cannot get EAP-TLS and PEAP to work when the option "Validate server certificate" is on. We're using Windows CA to be able to auth users on the domain. I saw this old
article <a href="http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html" target="_blank">http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html</a> on how to generate server certificate, but that
fails for me in both ways<u></u><u></u></p>
<div>
<p class="MsoNormal">1st fails because of a missing template on Windows CA - how to create the template to match what freeradius needs?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">2nd fails with the following error CA certificate and CA private key do not match<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">2634:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:406:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">That's strange, cause CA cert and CA private key are in the same file (as noted in the text) and I didn't mistake the password (since I followed the message blindly, with the same password).<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">When I untick the "Validate server certificate" in Windows clients (XP, Windows 7) I'm able to connect with both EAP-TLS and PEAP<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Any help is appreciated, thanks in advance.<u></u><u></u></p>
</div>
</div></div></div>
</div>
<br>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></blockquote></div><br>