Windows Phone CA verification debugging
Hi list While I've been quite successful in making preconfigured profiles and docs for our students on how to make proper proper wireless configuration, I'm encountering some issues with those (yet quite rare) people with Windows Phone 8 (WP8) systems. WP8 devices are yet able to connect without (any) CA or common name verification, but seem to fail when I let them check the CA by choosing it from the device' CA store. (As usual), the client-side error message is not helpful at all (it fails to connect without any error message). On the desktop side one can at least fire up 'netsh ras diagnostics' to trace (P)EAP and CHAP during connection which can help figuring out at least something. But on WP8, well there is no such thing that I've found. Is there anyone on the FR list who already had to mangle a WP8 device? -- Mathieu
Hi,
encountering some issues with those (yet quite rare) people with Windows Phone 8 (WP8) systems. WP8 devices are yet able to connect without (any) CA or common name verification, but seem to fail when I let them check the CA by choosing it from the device' CA store. (As usual), the client-side error message is not helpful at all (it fails to connect without any error message).
we've had no problems with self-signed CA or with 3rd party CA and standard RADIUS certificate BUT the certificate must have CRLDP (CRL distribution point) URL defined. that can either be at CA level or RADIUS level - or both. eg crlDistributionPoints = URI:http://yoururl.here/ca.crl in the server extensions. the HEAD for 2.2.x and 3.x FreeRADIUS has the required change to the certificate generating code for this if you want to check/validate/verify alan
Hi, 2013/9/16 <A.L.M.Buxey@lboro.ac.uk>
we've had no problems with self-signed CA or with 3rd party CA and standard RADIUS certificate BUT the certificate must have CRLDP (CRL distribution point) URL defined. that can either be at CA level or RADIUS level - or both.
eg
crlDistributionPoints = URI:http://yoururl.here/ca.crl
in the server extensions.
Thank you Alan, at least good to hear someone is out there who got it working. Hmm the server certificate though seems to contain a CRLDP. I'v tried removing personal and attach the openssl output at the end, maybe someone spots a problem... Do you happen to have Subject Alternate Names or would you avoid it with RADIUS? (That certificate does have them) I know for example that some exotic or (very old) browsers for example can have problems with SAN, but yet didn't encounter any with PEAP this far. The file also contains (in order of appearance): Root CA cert, 1 intermediate CA, then the server cert if that's of importance. -- Mathieu # openssl x509 -text -in /etc/freeradius/certs/myserver.pem Certificate: Data: Version: 3 (0x2) Serial Number: <snip!> Signature Algorithm: sha1WithRSAEncryption Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA Validity Not Before: <snip> Not After : <snip> Subject: ..., C= ... <snip> Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: snip! (yes it's larger than 1024 bit) ;-) Modulus: <snip> X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73 X509v3 Authority Key Identifier: keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86 X509v3 Subject Alternative Name: DNS: <snip!> X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 Policy: 1.3.6.1.4.1.23223.1.2.3 CPS: http://www.startssl.com/policy.pdf User Notice: Organization: StartCom Certification Authority Number: 1 Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations. X509v3 CRL Distribution Points: Full Name: URI:http://crl.startssl.com/crt2-crl.crl Authority Information Access: OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca CA Issuers - URI: http://aia.startssl.com/certs/sub.class2.server.ca.crt X509v3 Issuer Alternative Name: URI:http://www.startssl.com/ Signature Algorithm: sha1WithRSAEncryption <snip> -----BEGIN CERTIFICATE----- <snip> -----END CERTIFICATE-----
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Mathieu Simon