eaptls certificate question
My radius does an eaptls 802.1x authentication with looking into AD to get group information and finally consulting the users file, to assign the correct vlan. This works without problems. When I configure another certificate_file/private_key_file in eap.conf, the authentication process does not succeed. The obvious difference between the working and the not working configuration is, that in the bad case, the certificate is issued by an intermediate ca, not by the root ca. May this chaining have negative influence on the configuration? If this is not the case, maybe another reason may be found in radiusd -AX's lengthy output: http://www.wegener-net.de/fr/typescript Thanks Norbert Wegener
Norbert Wegener <nw@sbs.de> wrote:
The obvious difference between the working and the not working configuration is, that in the bad case, the certificate is issued by an intermediate ca, not by the root ca. May this chaining have negative influence on the configuration?
1.0.x doesn't support certificate chains. 1.1.0 does. Alan DeKok.
Alan DeKok wrote:
Norbert Wegener <nw@sbs.de> wrote:
The obvious difference between the working and the not working configuration is, that in the bad case, the certificate is issued by an intermediate ca, not by the root ca. May this chaining have negative influence on the configuration?
1.0.x doesn't support certificate chains. 1.1.0 does.
hm: Script started on Mon Feb 13 19:34:45 2006 lnxad:/etc # radiusd -v radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 13 2006 at 19:31:10 Norbert Wegener
On 2/13/06, Norbert Wegener <nw@sbs.de> wrote:
Alan DeKok wrote: 1.0.x doesn't support certificate chains. 1.1.0 does.
hm: Script started on Mon Feb 13 19:34:45 2006
lnxad:/etc # radiusd -v radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 13 2006 at 19:31:10
Did have the same issue like you last week, Alan pointed me to the required extensions needed in the certificates to use with FreeRadius. [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 In my case these extensions where missing in the certificate I got, did you check yours ?
Jorgen Rosink wrote:
On 2/13/06, Norbert Wegener <nw@sbs.de> wrote:
Alan DeKok wrote: 1.0.x doesn't support certificate chains. 1.1.0 does.
hm: Script started on Mon Feb 13 19:34:45 2006
lnxad:/etc # radiusd -v radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 13 2006 at 19:31:10
Did have the same issue like you last week, Alan pointed me to the required extensions needed in the certificates to use with FreeRadius.
[ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1
In my case these extensions where missing in the certificate I got, did you check yours ?
Thanks, but this seems not to be the problem. Those exensions exist in the certificate. At least I am able to see them, when importing the certificate into windows: Serverauthentication(1.3.6.1.5.5.7.3.1) Clientauthentication(1.3.6.1.5.5.7.3.2) Ip-security-IKE,intermediate(1.3.6.1.5.5.8.2.2) and the same certificate with openssl shows me: ... X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment 1.3.6.1.4.1.311.21.7: 0,.$+.....7...........$...@...n5...=......d... X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2 1.3.6.1.4.1.311.21.10: That should be sufficient, correct? So maybe there is another reason for that problem? Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Jorgen Rosink -
Norbert Wegener