next I made client certificate (using standard scripts) #cd /etc/freeradius/certs #make client and install certificates client.p12, ca.der on Win Xp Prof Sp3 OEM, Acer Travel Mate 380 certificates installed in Trusted Root CA and Personal storages (I deleted all previous certs on that system)
I still have a problem - described in prvious post
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" "you have private key that corresponds to this certificate" http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu but I am frightened to make any changes without your permision in /etc/freeradius/certs/Makefile, and evethough I have your permission I still dont know what to change
Yes, we have been through this before. Change mak clients in Makefile, so that it uses ca and not server certificate to sign client certificates. I would create changes and save them as Makefile.CA. Perhaps that can be added into the distribution, so you would just rename Makefile to Makefile.old and Makefile.CA to Makefile in order to make this switch (and add comments about that in README file).
I get familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I did not find what to change in this file
Because that's openSSL stuff, not Freeradius. If you don't know what to change, I will post this file overnight, when I have a bit more time.
Ivan write:
Use your own domain. For EAP-TLS - no modification needed. I have seen you going on about PEAP as well. If those users are also using format user@your_domain, then create local realm your_domain - it won't interfere with EAP-TLS and will create Stripped-User-Name that can be used for authentication. I dont want to have a domain yet, no usernames, no password for usernames, no proxies, no domains at all
Yet:
User-Name = "user@example.com"
you created the user with the domain. As I said previously, there are preset example files in the default configuration. You need to alter clent.cnf and enter details for your test user without the domain in the name. If you need guidance about altering those files you should look it up on openSSL site. Ivan Kalik Kalik Informatika ISP