But I think this problem do not affect peap because peap do not use client certs, you only need to install ca.der into client machine and put the passwords
i refer to that:
so my question is, if the certificate (with server extension) is missing on the client, could it interfer in EAP-PEAP authentication success?
yes. you need a RADIUS cert with the extensions...and if doing proper PEAP, you need the CA installed on the client too - with 'validate server certificate' checked and cross-linked (ie you choose the correct CA in the list!) alan really?? it seems to affect PEAP too when freeradius authenticates against Active Directory. if i understood well,PEAP authentication need client side a login + password and server side a certificate in order to the authentication process to success! so, which certificate have i to install on client side? - i did ever try ca.der with no success! 'after an access-challenge, the request simply stops. - i am trying sever.crt too, with no more success. i install it in intermediate authority containeer,but it won't be available in the list of the wireless manager of xp. if you have a suggestion, i am open! ----- Message d'origine ---- De : Sergio <sergioyebenes@alumnos.upm.es> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Envoyé le : Vendredi, 25 Juillet 2008, 13h20mn 54s Objet : Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls) Reveal MAP escribió:
HOW TO FIX THE PROBLEM OF THE ISSUER of clients certificates in default configuration?
- this bug is suspected to make i can't do EAP-PEAP and affect the CRL management too. it's a real problem
----- Message d'origine ---- De : Alan DeKok <aland@deployingradius.com> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Envoyé le : Jeudi, 24 Juillet 2008, 19h54mn 32s Objet : Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Sergio wrote:
But the debug I posted shows that radius doesn't recognize the issuer of client cert using default certs. If default certs works and I don't need to install server.pem and ca.pem into ssl/certs dir, what I'm forgetting alan?
You need to follow the documentation in eap.conf.
# If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/server.pem
Have you done that?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------ Envoyé avec Yahoo! Mail <http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html>. Une boite mail plus intelligente.
But I think this problem do not affect peap because peap do not use client certs, you only need to install ca.der into client machine and put the passwords - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr