On 05/08/2011 17:00, John Dunning wrote:
Greetings all,
We've been running freeradius 1.x on Debian Lenny for some time with great success authenticating against Novell eDirectory/LDAP.
Our Linux guru has moved on to exciting new opportunities and while the rest of us are decent at linux we're certainly missing his input here :)
We're trying to update the system to Squeeze and move from eDirectory to Active Directory authentication to stay more easily within the debian package scope.
I think I largely have the system setup to do EAP-TLS/PEAP/MS-CHAPv2 with Windows 7 supplicant but for some reason I can't seem to get the EAP-TLS tunnel to fire up.
I've tried going through http://wiki.freeradius.org/Certificate_Compatibility with the delivered certs (which are evidently supposed to be compatible) but I seem to be missing something.
I've got NTLM_AUTH working correctly (once I actually get that far), so I'm hoping that if I can get this cert issue figured out I'll be good to go.
Using a Cisco AIR1220 AP and have tried both Windows 7 and android supplicants and get the same problem (see -X log below).
Thanks in advance!!
JD
certificate_file = "/etc/freeradius/certs/server.pem"
(1) Do: openssl x509 -in /etc/freeradius/certs/server.pem -noout -text Check that the output contains this: X509v3 Extended Key Usage: TLS Web Server Authentication ...If it doesn't see the "OIDs" comments in the FR wiki page. (2) Check that Windows 7 is correctly configured to trust your certificates. Refer to 15-19 on: http://www.wireless.bris.ac.uk/eduroam/instructions/go-vista/#wifi [obviously you need to trust your root CA, not mine though] For testing you can un-tick "Validate server certificate", but you should never do this with real credentials, or with real users. (3) Android probably isn't a good OS to use for AAA testing, because depending on which version you have there are various bugs with it's enterprise wi-fi support. Regards, James