EAP doesn't work with Cisco Catalyst 2950?

Thai Duong thaidn at yahoo.com
Tue Jul 25 18:54:51 CEST 2006

Hi Alan,

--- Alan DeKok <aland at nitros9.org> wrote:

>   That is exactly what happens when the certificate doesn't have the
> proper OID's.
>   Alan DeKok.

I can be sure the client certificate has the Enhanced
Key Usage showing Client Authentication
( I have no way to verify whether
the server certificate contains the proper OID, but here is
the procedure I used to generate that certificate:
1. I created a file named xpextensions with the
following content:

thaidn at inspiron:/etc/ssl$ cat xpextensions
[ xpclient_ext]
extendedKeyUsage =
[ xpserver_ext ]
extendedKeyUsage =

2. Create the server signing request:

thaidn at inspiron:/etc/ssl$ openssl req -new -nodes \
-keyout server_key.pem -out server_req.pem -days 730 \
-config ./openssl.cnf

then sign it:

thaidn at inspiron:/etc/ssl$ openssl ca -config ./openssl.cnf \
-policy policy_anything -out server_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions \
-infiles ./server_req.pem

3. Open the signed certificate and delete everything
before the line -----BEGIN CERTIFICATE-----.
Concatenate it and the key file into a single file

thaidn at inspiron:/etc/ssl$ cat server_key.pem server.cert.pem > \

The 3rd step is an extra step that the guide
(http://www.linuxjournal.com/node/8095/print) told me
to do.

Is it correct? I doubt maybe the problem remains in
the OpenSSL library bundled with Ubuntu 6.06. Do you
think so? Please advise.


Thai Duong
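
On the question above of how to verify whether the server certificate contains the proper OID: the following is an added example, not part of the original post, that reads the Extended Key Usage from a PEM certificate with openssl x509 and checks it on constructed throwaway certificates. The helper names, the demo config and the short names serverAuth/clientAuth are assumptions; the post's own extendedKeyUsage values are not shown on the page.

```shell
#!/bin/sh
# Added example. File names, the demo CN and the serverAuth/clientAuth values
# are constructed for illustration; they are not taken from the post.

# make_sample_cert DIR SECTION: self-signed throwaway cert built with SECTION
make_sample_cert() {
    dir=$1 section=$2
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = radius.example.test
[ xpclient_ext ]
extendedKeyUsage = clientAuth
[ xpserver_ext ]
extendedKeyUsage = serverAuth
[ no_eku_ext ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
        -config "$dir/demo.cnf" -extensions "$section" \
        -keyout "$dir/$section.key" -out "$dir/$section.pem" 2>/dev/null
}

# eku_of CERT: print the decoded Extended Key Usage values, empty if absent.
# openssl x509 skips any text before -----BEGIN CERTIFICATE-----, so this
# works on the file written by "openssl ca" as well as on the trimmed one.
eku_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# has_eku CERT NAME: succeed only if the EKU extension lists NAME
has_eku() {
    eku_of "$1" | grep -q "$2"
}
```

Against a real file the call is `has_eku server_cert.pem 'TLS Web Server Authentication'`; an empty result from `eku_of` means the extension section was never applied when the certificate was signed.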
