tnt@kalik.net wrote:
Whoops, I thought I solved this but I didnt. I tried setting up eap-tls on a few different laptops each using windows xp to configure eap-tls (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting: josh Auth-Type := eap Auth-Type := Accept
Don't do that. Don't force Auth-Type. It's not going to help and it will break everything else.
On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate.
I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so windows xp complains about this.
That is the problem. Windows won't recongnize server certificate as intermediate ca any more. The "cure" is to try signing client certificates with ca certificate instead. I have posted to the list an altered Makefile with make caclient.pem command added a few days ago. If you can't find it I will post another one this evening.
Ivan Kalik Kalik Informatika ISP
I did find the Makefile. Thanks! I tried to do a make caclient.pem but it threw this error: openssl req -new -out caclient.csr -keyout caclient.key -config ./client.cnf Generating a 2048 bit RSA private key ...........+++ .......+++ writing new private key to 'caclient.key' ----- openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf wrong number of fields on line 1 (looking for field 6, got 1, '' left) make: *** [caclient.crt] Error 1 I dont need to re-do my CA and server cert prior to making the client certs do I? Here is my client.cnf. Its almost as if it doesnt understand that it needs to take the values from [ CA_default ] [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 7300 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match localityName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = client default_bits = 2048 input_password = <hidden> output_password = <hidden> [client] countryName = US stateOrProvinceName = Michigan localityName = Hancock organizationName = REMC1 emailAddress = support@remc1.net