Stefan Puch wrote on 30.01.2008 11:13:
Hello everyone,
I've got some problems with the new version of freeradius, but before I'm going to open a new bugreport or post long debugtraces from "radiusd -X" I want to ask here if someone else has made similar experiences.
I've set up a freeradius server version 1.1.7 in our club to authenticate several Notebooks. This worked fine with Windows XP, Windows Vista and Linux clients using EAP-TLS certificates (many thanks for the good documentation of the OIDs in the TLS certificate).
Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.
We know of problems with EE certificates in PDAs containing the "non-repudiation" flag. Additionally Windows build-in supplicants don't like EE certificates with the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2) when doing EAP-TLS. Apparently the latter issue can also be solved by just disabling the valid certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted usages properties on the system. -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki 15 Jahre DFN-CERT + 15. DFN-Workshop "Sicherheit in vernetzten Systemen" am 13./14. Februar 2008 im CCH Hamburg - https://www.dfn-cert.de/ws2008/ -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski