Windows Client Authentication before Domain logon
Ben Walding
ben.walding at gmail.com
Fri Sep 2 14:05:50 CEST 2005

Things to look for for machine auth:

* SP2 or at least KB826942 loaded
* AuthMode key set to 2
* certs + ca loaded into machine store
* certs with the correct attributes + the magic attribute I've mentioned
  before
* make sure you select the correct CA in "Validate server certificate"
  section
* send a big bouquet of flowers to Microsoft for having an utterly
  unscriptable interface for wireless

If you've got multiple private certs loaded into the machine store then you
might have issues with the selection process - as far as I can tell it
chooses the certificate with the newest "Not Before" attribute (but that
could be an artifact of some other selection criteria).

Also watch for timing issues - XP won't use certificates if the time is
outside the validity period (i.e. your CA time is ahead of your workstation
time).

Most of the tutorials cover most of this, but they almost never talk about
untangling the knots from slight misconfiguration issues.

(Yes, I've dealt with almost every quirk there is to do with EAP-TLS; until
tomorrow when we find some more)

Cheers,
Ben

On 9/2/05, Marc-Henri Boisis-delavaud <marc-henri.boisis-delavaud at univ-lr.fr>
wrote:
>
>
> On 31 Aug 05 at 18:53, Alan DeKok wrote:
>
> > Jérémy Cluzel <j.cluzel at online.fr> wrote:
> >
> >> Sorry, but I didn't find any references of this OID in the
> >> creation scripts in the "scripts" directory (Ca.all, CA.certs...).
> >> The only OID added seem to be 1.3.6.1.5.5.7.3.1 and
> >> 1.3.6.1.5.5.7.3.2 (in "xpextensions").
> >> Is there any way to do this without patching openssl (like
> >> explained there http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html) ?
> >>
> >
> > You can use that OID just like the other ones.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
> Can you explain how we can activate 802.1x authentication before
> logon on XP. And what are the prerequisites ?
> Marc
>
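
The certificate-store items in the checklist above (private key present, validity period against the workstation clock, key usage OIDs, several candidates in the machine store) can be inspected from PowerShell on the client. This is an added example, not part of the original thread; it assumes a Windows client with PowerShell's certificate provider, and the newest-"Not Before"-first ordering follows the poster's observation, not documented Windows behaviour.

```powershell
# Added troubleshooting example (not from the original post).
# Reports, for each certificate in the local machine "My" store, the
# conditions the checklist says matter for machine authentication.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, one of the two OIDs quoted in the thread
$now = Get-Date                        # workstation clock, local time like NotBefore/NotAfter

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Collect the Extended Key Usage OIDs, if the extension is present.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ClientAuthEku = ($ekuOids -contains $clientAuthOid)
        EkuOids       = ($ekuOids -join ', ')
    }
}

# Only certificates with a private key can be used; list newest "Not Before" first
# (assumption taken from the post's observation about the selection order).
$candidates = $report | Where-Object { $_.HasPrivateKey } | Sort-Object NotBefore -Descending
$candidates | Format-Table Subject, NotBefore, NotAfter, InValidity, ClientAuthEku, EkuOids -AutoSize

if (@($candidates).Count -gt 1) {
    Write-Warning "More than one certificate with a private key in the machine store; selection may be ambiguous."
}
$first = $candidates | Select-Object -First 1
if ($first -and -not $first.InValidity) {
    Write-Warning "Newest certificate ($($first.Thumbprint)) is outside its validity period by the local clock; compare workstation and CA time."
}
if ($first -and -not $first.ClientAuthEku) {
    Write-Warning "Newest certificate lacks the client authentication EKU ($clientAuthOid)."
}
```

The EkuOids column lists every OID the certificate carries, so any additional attribute the deployment requires can be compared against it by eye.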