Hello Alan,
Alan DeKok schrieb:
No. It means that there is NO client cert. The authentication process continues, so it's obviously not a catastrophic problem.
Is it simply not sent, or somehow not available? Because I know for sure that there is a cert on the client. And I did nothing else, than on the other machines where it works since 2 weeks.
Just to make it explicit: I create a user-cert in TinyCA2(linux). I export the cert as a p12 and include the key and the CA into that p12 container. I also disable the passphrase. I put that file on the network where the client can find it.
I have a similar configuration working (EAP-TLS for XP and TinyCA generated certs). I found out that the way certificates are created is important. Can you check the following procedure (something I have already posted this to you in this list, sorry for reposting it ;-) ). --------------------------------------------- * Create a certificate per host: - cn must contain the Netbios name of the PC - the extension SubjectAltName must contain the Netbios name of the PC (I think) - The field Extended Key Usage must contain the option 'TLS Web Client Authentication' (OID 1.3.6.1.5.5.7.3.2) - Note that the Radius server's certificate must contain the 1.3.6.1.5.5.7.3.1 extension - The certificate can be exported into a PKCS12 file .p12 (this includes the private key). The certificate MUST be installed in the HOST CERTIFICATE STORE (simply double clic the file will NOT work): Run 'mmc' and Add the Snap-in 'Certificate>Local Computer', then in the private folder import the .p12 file and in the Trusted Root CA the CA certificate). -------------------------------- Can you check the Netbios names and CN correspondance ? I've seen that you integrate the emailaddress in the subject (an option in TinyCA): can you disable this ?
On the client I open the MMC as local admin and include the Snap-In Certificates for Local-Computers. Then I import the created cert into My-Certificates and copy the CA-Cert into the "trusted certification centers" tree (it's in german). It worked for another 2 W2K PCs and for four XP-Pro-SP2 PCs.
This is ok, but are the certificates _exactly_ generated in the same way ? Can you post 2 certificates: one which is working, another the is not ? Could you also check the certs validity date and System Time of your hosts ? HTH, Thibault