@Reimer Karlsen-Masur
If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client certificates you could work around this by disabling the trust setting of valid certificate usage "Microsoft Smartcard Logon" in the CAs properties in Windows build-in certificate store on the PDA. As the "Microsoft Smartcard Logon" extendedKeyUsage *is NOT part* of the client certificates there should be no problem. Something different seems to be not correct.
Did you get a PDA using Windows Mobile working with EAP-TLS with Windows build-in supplicant and freeradius? If yes, can you tell me which freeradius version? I did one get a Windows Mobile working using the build-in supplicant and EAP-PEAP using mschapv2 and freeradius 1.1.7 @Alan DeKok I didn't find any test certificates that come with 2.0.1. I think you talk about the "bootstrap" script which can create some test certificates, don't you? If so, here are the results: - running "bootstrap" creates ca.pem, server.pem, dh and random which are used with the radius server (server.pem is signed with ca.pem) - running make client.pem creates a client certificate which is signed by the server certificate (in my opinion that cannot work but I did). I used that certificate and ca.pem (according to the README) with wpa_supplicant on my linux laptop - when trying to connect to the radius server the validation fails with following output from "radiusd -X" (because the the client cert is not signed with ca.pem): ... ... +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 038d], Certificate --> verify error:num=20:unable to get local issuer certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [user@example.com/<via Auth-Type = EAP>] (from client AP-Tower port 1 cli 00095BC95B52) Found Post-Auth-Type Reject +- entering group REJECT ++- group REJECT returns noop ------------------------------------------------------------------------------------------ - Then I changed the Makefile, so that the client cert is signed with the ca.pem like the server certificate is (wouldn't be that the correct way?) - when trying to connect to the radius server the validation success with following output from "radiusd -X": ... ... +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0750], Certificate chain-depth=1, error=0 --> User-Name = user@example.com --> BUF-Name = Example Certificate Authority --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority --> verify return:1 chain-depth=0, error=0 --> User-Name = user@example.com --> BUF-Name = user@example.com --> subject = /C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority --> verify return:1 TLS_accept: SSLv3 read client certificate A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify TLS_accept: SSLv3 read certificate verify A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 23 to 192.168.0.8 port 1140 EAP-Message = 0x010800450d800000003b140301000101160301003031e600309274b2c95b4c91d60b518c86b678535f6f72e1ea9786b7ff77f6f405392a8 b9ddcd13285e0683603d2669f42 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80a5541786ad5978313d7a01a03396c4 Finished request 6. Going to the next request Waking up in 0.2 seconds. rad_recv: Access-Request packet from host 192.168.0.8 port 1140, id=24, length=198 Message-Authenticator = 0xd8bec720128818f3ea6b29158e3a0cae Service-Type = Framed-User User-Name = "user@example.com" Framed-MTU = 1488 State = 0x80a5541786ad5978313d7a01a03396c4 Called-Station-Id = "000FB5BA4F59:Flugplatz" Calling-Station-Id = "00095BC95B52" NAS-Identifier = "AP-Tower" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800060d00 NAS-IP-Address = 192.168.0.8 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ... ... +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler ++[eap] returns ok Login OK: [user@example.com/<via Auth-Type = EAP>] (from client AP-Tower port 1 cli 00095BC95B52) +- entering group post-auth ------------------------------------------------------------------------------------------ The problem is, that after the "Login OK" nothing futher happens, e.g. the clients cannot carry using dhcp. The dhcp-client is started, but the request doesn't reach the dhcp-server. So I downgraded again from 2.0.1 to freeradius 1.1.7 and tested everything again: The first client certificate, which was signed with der server certificate didn't work, the second one worked fine AND the when after "Login OK" the dhcp-client is started, the dhcp-server gets the requests and can answer. The first question I would like to get an answer for is: Which certificate is needed to sign the client certificate, the CA certificate or the server certificate? The second question is: Are there any further suggestions or do I have to make an ethereal trace? Perhaps you can send me some test certs that should really work, so that I can exclude the certs when debugging/analyzing the rest? Best regards Stefan Puch