@Arran Cudbard-Bell
/ Is the prefix and suffix to the regular expression string. Any characters after the / suffix are used as modifiers. FreeRadius only supports the i modifier to make matches case insensitive.
\\\\ resolves to a literal back-slash. Regular expressions use the \ char as an escape char so it needs to be escaped with itself. FR also uses \ as an escape char so it has to be escaped with itself too. Hence the \\\\\ -> \\ -> \
This regular expression was written to stop *stupid* *stupid* *stupid* students from breaking authentication by entering something in the domain field. They kept entering sussex.ac.uk and user@sussex.ac.uk in the User Box in the windows supplicant, which resulted in. ... The regexp parses these as :
"%{1}" = user "%{2}" = domain
or
"%{1}" = user "%{2}" = Thanks again for the detailed comment, it saved me a lot of time and I will try to get more familiar with that kind of regular expressions. I will take your first solution, the domain was only excluded to see that the test certificates work which could bee generated with the Makefile provided in the FreeRadius Source.
Now where the test certificates are working (on Win XP AND Windows Mobile) I will have to investigate again in my old certificates, because my one are only working with Windows XP supplicant and wpa_supplicant using Linux. The Windows Mobile supplicant cannot use them correctly although the certificates are the same one. Very strange! Yesterday evening I found the solution, why my certificates doesn't work with the Windows Mobile supplicant although the Windows XP supplicant does: I'm using TinyCA to create and mange my certificates. By default the certificates are generates with a Keylength of 4096 using RSA encryption and SHA-1 as Signature Algorithm. When I took a look into the Makefile which generates the test certificates in the freeradius source a Keylength of only 2048 is used and MD5 as Signature Algorithm, so the devil must be in there somewhere. And indeed, it doesn't matter, which Algorithm you are using for signing (MD5 or SHA-1) but the Keylength seems to be very important for Windows Mobile devices. All certificates I generated with a Keylength of 2048 are working fine, all certificates wit a Keylength of 4096 doesn't work on the Mobile device (although they work fine on a Windows XP system).
In short: The build in supplicant of the Windows Mobile devices (I tested one with Windows Mobile 2003SE and one with Windows Mobile 6 Professional) doesn't like certificates with a Keylength of 4096!!! Thanks again for all help I got here on the mailing list, the next days/weeks I'm going to write some HOWTO for Mobile Devices in order to give something back to you :-) @Alan DeKok Wont it be better, to change the signing process in te provided Makefile so that a client certificate is signed by the ca certificate instead from the server certificate? When using TinyCA every certificate is signed from the ca certificate, too. I know both will work, if you specify the correct ca-cert in eap.conf, but changing that point would make the process (in my opinion) more consistent: You have to install the ca certificate and the client certificate on the client-computer, why should client cert by signed from the server cert? When I looked around in Web previous to find some god HOWTO's about setting up Freeradius using EAP-TLS I always found it that way, that the ca cert signs all other certs and by the way, the HOWTO in the freeradius Wiki (EAPTLS.pdf) explains it that way, too ;-) Best regards Stefan Puch