They are, it's part of our default domain policy. On Tue, Aug 9, 2011 at 20:29, Sallee, Stephen (Jake) <Jake.Sallee@umhb.edu>wrote:
Windows clients are on the domain, so the user cert and the CA are added by default when you join the machine to the domain****
That is true so long as you are using a self-signed cert assigned by your enterprise CA. We had this same issue and we had to manually import the cert to get it to work. Our computers are on a Windows AD Domain. Hope that helps.****
** **
Jake Sallee****
Godfather of Bandwidth****
System Engineer****
University of Mary Hardin-Baylor****
900 College St.****
Belton, Texas****
76513****
Fone: 254-295-4658****
Phax: 254-295-4221****
** **
*From:* freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org[mailto: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] *On Behalf Of *Petar Marinkovic *Sent:* Tuesday, August 09, 2011 12:17 PM *To:* FreeRadius users mailing list *Subject:* Re: Validate server certificate problem****
** **
Windows clients are on the domain, so the user cert and the CA are added by default when you join the machine to the domain****
On Tue, Aug 9, 2011 at 18:29, Sallee, Stephen (Jake) <Jake.Sallee@umhb.edu> wrote:****
I believe you need to install the server cert and any intermediate certs on the client before the validate server cert option will work.****
****
Jake Sallee****
Godfather of Bandwidth****
System Engineer****
University of Mary Hardin-Baylor****
900 College St.****
Belton, Texas****
76513****
Fone: 254-295-4658****
Phax: 254-295-4221****
****
*From:* freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org[mailto: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] *On Behalf Of *Petar Marinkovic *Sent:* Tuesday, August 09, 2011 11:16 AM *To:* freeradius-users@lists.freeradius.org *Subject:* Validate server certificate problem****
****
I've set up latest version of FreeRadius from source on Ubuntu, and I cannot get EAP-TLS and PEAP to work when the option "Validate server certificate" is on. We're using Windows CA to be able to auth users on the domain. I saw this old article http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg0... on how to generate server certificate, but that fails for me in both ways****
1st fails because of a missing template on Windows CA - how to create the template to match what freeradius needs?****
2nd fails with the following error CA certificate and CA private key do not match****
2634:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:406:****
That's strange, cause CA cert and CA private key are in the same file (as noted in the text) and I didn't mistake the password (since I followed the message blindly, with the same password).****
****
When I untick the "Validate server certificate" in Windows clients (XP, Windows 7) I'm able to connect with both EAP-TLS and PEAP****
****
Any help is appreciated, thanks in advance.****
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html****
** **
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html