Message-Authenticator Attribute

Eliot, Wireless and Server Administrator, Great Lakes Internet support8 at greatlakes.net
Mon Mar 27 17:02:04 CEST 2006


> > Since you seem to know something about this, can you either:
> > 
> > A) Explain what the "extended key oid nonsense" is?
> > B) Point me to some place I can read about it?
> 
>   http://www.freeradius.org/doc/
> 
>   See the EAP-TLS stuff.
> 
>   Microsoft requires magic stuff in the server certificate, otherwise
> the windows supplicants silently stop talking to the AP.

Ok, I read the document, but I still do not understand something...

I am proxying the packets from the Cisco through the FreeRADIUS server
to the IAS server. EAP messages are exchanged between the supplicant and
the IAS server; the Cisco AP and FreeRADIUS server do not touch them,
correct? They just do RADIUS stuff and encapsulate the EAP messages,
right? And, if that is the case, then the IAS server and the supplicant
are doing all the TLS stuff. The IAS server obviously supports those OID
extensions. So, shouldn't the supplicant work properly? I mean, we are
not creating a TLS tunnel from the supplicant to the FreeRADIUS server
and another from the FreeRADIUS server to the IAS server -- it should be
from the supplicant to the IAS server, encapsulated in RADIUS, proxied
through the FreeRADIUS server. And, in that kind of setup, the
FreeRADIUS server should not be causing any problems, correct? 
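The proxy hop described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: each RADIUS hop has its own shared secret, so a proxy verifies and recomputes Message-Authenticator (RFC 3579) while the EAP-Message bytes pass through unchanged. The secrets, user name and EAP bytes are constructed, and the proxy is simplified (it reuses the Identifier and Request Authenticator and requires the length field to match the packet exactly).

```python
import hashlib, hmac, struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # attribute types from RFC 3579

def parse_attrs(packet):
    """Yield (type, value, value_offset) for each attribute after the 20-byte header."""
    pos, end = 20, struct.unpack("!H", packet[2:4])[0]
    if end != len(packet) or end < 20:
        raise ValueError("length field does not match packet")
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("malformed attribute")
        t, length = packet[pos], packet[pos + 1]
        yield t, packet[pos + 2:pos + length], pos + 2
        pos += length

def build_request(ident, req_auth, attrs, secret):
    """Build an Access-Request (code 1) signed with this hop's shared secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed while signing
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify(packet, secret):
    """Recompute HMAC-MD5 over the packet with Message-Authenticator zeroed."""
    zeroed, received = bytearray(packet), None
    for t, v, off in parse_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            received = v
            zeroed[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return received is not None and hmac.compare_digest(received, expected)

def proxy(packet, inbound_secret, outbound_secret):
    """Check the inbound signature, then re-sign the same attributes for the next hop."""
    if not verify(packet, inbound_secret):
        raise ValueError("bad Message-Authenticator on inbound packet")
    attrs = [(t, v) for t, v, _ in parse_attrs(packet) if t != MESSAGE_AUTHENTICATOR]
    return build_request(packet[1], packet[4:20], attrs, outbound_secret)

def eap_payload(packet):
    """Concatenate the EAP-Message attribute values in order."""
    return b"".join(v for t, v, _ in parse_attrs(packet) if t == EAP_MESSAGE)

# Constructed sample: secrets, user name and EAP bytes are made up for illustration.
AP_SECRET, IAS_SECRET = b"ap-to-freeradius", b"freeradius-to-ias"
EAP = bytes([2, 1, 0, 10, 1]) + b"alice"  # EAP-Response/Identity "alice"
FROM_AP = build_request(7, bytes(range(16)), [(1, b"alice"), (EAP_MESSAGE, EAP)], AP_SECRET)
TO_IAS = proxy(FROM_AP, AP_SECRET, IAS_SECRET)
```

Only the last 16 bytes differ between `FROM_AP` and `TO_IAS`: the signature changes with the hop's secret, the encapsulated EAP does not.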





More information about the Freeradius-Users mailing list