On Wed, Feb 22, 2012 at 04:11:00PM -0600, John Dunning wrote:
devices. With Windows 7 (SP1) we're fine as long as we leave "validate server certificate" unchecked. As soon as we enable
So your general server config is good.
(1.3.6.1.5.5.7.3.1) Extended Key usage. The cert listed in the "certificate_file" entry in /etc/freeradius/eap.conf contains, is the catted contents of the wildcart cert, the intermediate
Don't know if Windows will handle a wildcard cert here.
cert, and the root CA (which, in theory, since Windows 7 includes this shouldn't be needed?), all in one file.
Try putting just the server cert in that file, and importing the intermediate cert into the Windows store. I hit similar the other week (although PEAP/EAP-TLS and not a wildcart cert). Windows wouldn't play ball unless it already had the intermediate, even though FR was sending it over. As I was in the middle of moving from test to production at the time and it wouldn't actually matter to me in the final config, I put it down to 'one of those many stupid things Microsoft doesn't do very well', and moved on. So there may have been a way to fix it and I might have thought bad of Microsoft unnecessarily (doesn't often happen), but I didn't play to find out. But if importing the intermediate makes it work, that might help point you in the right direction. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>