On Sat, 3 Oct 2015 00:30:31 +0100 Matthew Newton <mcn4@leicester.ac.uk> wrote: [snip]
I just extracted your cert from the EAP-Message, and you've not got the TLS Server Auth OID (1.3.6.1.5.5.7.3.1) in it.
On that basis, could you please explain to us all how the heck you managed to get it to work at all the second time... :-)
*You* are asking *me*? :)
Re-generate the server certificate according to http://wiki.freeradius.org/guide/Certificate_Compatibility (as the original message said) and you should be good.
I saw that page. Several times. Nothing I saw there appeared to lead me to any... well, anything, really. But, based on your re-urging, I looked at it again, went "Hmmm... I wonder...?", took a guess and tried (on the server where FreeRADIUS is installed)... $ locate xpextensions /usr/share/doc/freeradius/examples/certs/xpextensions Ohhh kay. (I won't ask why that wasn't just put on the Wiki page--I suppose there's a good reason.) Looked... Now I *know* I never had to do that before. In fact: The certs on my existing server expired just a month ago or so and I had to generate new ones... Just double-checked: The FreeRADIUS on current production server is using the same self-signed certs as everything else on that server. My confusion increases. How is it I've been running everything from MS-Win95 through MS-Win7 on my existing network, using FreeRadius 1.1.1, and plain old self-signed server certs, w/o any special OIDs, all these years? And never installing CA certs (which eventually expire) on all the PCs? Help me to understand, please? Is this a result of some change between 1.1.x and 2.x.x? Is this how you add those OIDs: http://fincelfamily.com/tutorial_radiusserver.html ??? Thanks, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.