Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
Hi,
If someone could give me the quickest and easiest way to creating a root certificate that's works with Windows XP, that would be great.
either use your current tool but include the XP extensions as required, or use the 1.1.6 FreeRADIUS source code - to simply use the script in that to generate such certs OR use the CVS version of FreeRADIUS which has a nice new certificate generation tool which will configure the eap.conf for you and create nice shiny certs for use! ;-)
I have another CA running on a Windows 2003 server, can I make use of this CA somehow?
yes. that will generate the right type! use the EAP-TLS HOWTO document thats widely linked on may freeradius help locations. alan
We have an problem here where I work. It seems like Windows Vista no longer can open 802.1x / WAP / TKIP / PEAP / MS-CHAP-V2 connections using the built in stack to our FreeRadius 1.0.4 install. It worked, mostly, in XP. It worked WELL frmo the IBM Connect software than comes with Thinkpad's (our laptop of choice here). However, that software, in Vista, is mostly a front end of the internal stack and doesn't work anymore either. Any ideas? - Yossie
We have an problem here where I work. It seems like Windows Vista no longer can open 802.1x / WAP / TKIP / PEAP / MS-CHAP-V2 connections
it's an issue with your cert not having all the correct attributes, update to the newest version of freeradius and read the eap documentation. I've gone thru the same frustration, blame Microsoft. Joe Vieira UNIX Systems Administrator Clark University
Hi,
it's an issue with your cert not having all the correct attributes, update to the newest version of freeradius and read the eap documentation. I've gone thru the same frustration, blame Microsoft.
no. if it worked with XP then the certs are fine - the server needs to be upgraded to support Vista. from the changelog: FreeRADIUS 1.1.4 ; Date: 2007/01/14 00:37:15 , urgency=medium Feature improvements * Major enhancements to rlm_pap, that make "encryption_scheme" a thing of the past. See "man rlm_pap" for details. * Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use work-arounds that enable Windows Vista clients to work. * Added preliminary code to support Firebird. (closes: #378) Use at your own risk! * Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more platforms. (closes: #402) * Add a new "reply-name" directive in rlm_sqlcounter to define the name of the reply attribute. (closes: #403) * Added more dictionaries and attributes (closes: #408, among others) * Print ntlm_auth failure reason in Module-Failure-Message (closes: #398) * radsqlrelay is able to get the DB password from a file instead of command line. (closes: #395) note item 2 and 4. alan
Hi,
We have an problem here where I work. It seems like Windows Vista no longer can open 802.1x / WAP / TKIP / PEAP / MS-CHAP-V2 connections using the built in stack to our FreeRadius 1.0.4 install. It worked,
you need 1.1.4 or higher - best to get 1.1.6 anyway :-) Vista supported required a few tweaks to the SSL parts of the freeradius code. we find it working fine here alan
Hi. A.L.M.Buxey@lboro.ac.uk wrote:
either use your current tool but include the XP extensions as required,
Just to be precise. The named extensions are PKIX extensions for serverAuth (OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID 1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant). Also if a client certificate is used on Windows with EAP-TLS the extendedKeyUsage "Microsoft SmartCard Logon" (OID 1.3.6.1.4.1.311.20.2.2) *must not* be present because Windows won't be able to use/choose such a client certificate to authenticate at the RADIUS server. It is only Windows that is looking at these extededKeyUsages in the certificate and expecting the correct extensions here. -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Joe Vieira -
Joseph Silverman -
Reimer Karlsen-Masur, DFN-CERT