EAP TLS Computer Authentication XP the final Solution *working great after a hard fight* Solution inside

alfonso.lazaro at eresmas.com
Tue May 30 19:28:17 CEST 2006


On Sat, May 20, 2006 at 09:01:29AM +0200, Krämer Armin wrote:



hi armin

i am trying to configure eap-tls windows machine authentication, i am using openssl to create certificates,

i have created the server certificates with OID 1.3.6.1.5.5.7.3.1, and client certificates with OID 1.3.6.1.5.5.7.3.2 extensions

i am "trying" to follow the real important things:

> For machine authentication create a client certificate and now the real
> important things.
> 1.    The CN Name has to match with the local Computer name only or as a
>       fully qualified name of the computer, both is possible.
> 2.    The Email field MUST!!!! be filled in with the fully qualified Computer
> name
>       like workstatio1.exampledomain.de


please, could you send me the certificate extensions as printed by running

openssl x509 -in valid_certificate -text -noout -fingerprint -sha1

thanks in advance

alfonso

> Hi,
>
> first i wanna say thanks to all here for the great help setting up my
> radius as a part of my work at my Engineers-Exam work.
>
> Yesterday I finished my work and found my 2 mistakes why computer
> authentication didn’t work properly at my network and now I wanna share this
> for you all here, knowing some of you are still having the same problems:
>
> First only the problem with machine authentication and after I passed my
> exams at 15 July I will post here a link to my whole documentation
> describing how to set up my whole project including the following:
>
> A CA created with TinyCA as frontend for openssl, freeradius @debian
> stable with EAP-TLS support, LDAP backend for dynamic VLAN assignment rules,
> VLAN routing @ a Layer 3 core switch and finally clients 2000, XP, Linux doing
> firstly a machine authentication (*tricky but possible*) pulled into a
> basic VLAN with the DHCP, DNS and ADS servers in a separate subnet and
> VLAN, then users can log onto the domain, getting their final
> user certificate, thrown into their final working VLAN and getting the final
> subnet from the DHCP. This works now great but firstly only the main
> problem, the machine certificates.
>
> What you have to do if you create it with TinyCA to get working
> certificates for machine authentication in a short sequence and where are
> the problems I figured out.
>
> OK setting up TinyCA is easy and the binding to freeradius is described
> here a lot.
>
> The final steps are the following especially for Windows:
>
> Under Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 at the
> server certificate into Extended Key Usage, and the 1.3.6.1.5.5.7.3.2 into
> client certificate Extended Key Usage.
> 
> This is basic and essential for successful authentication but not all.
>
> For machine authentication create a client certificate and now the real
> important things.
> 1.	The CN Name has to match with the local Computer name only or as a
> 	fully qualified name of the computer, both is possible.
> 2. 	The Email field MUST!!!! be filled in with the fully qualified Computer
> name
> 	like workstatio1.exampledomain.de
>
> This entry is important for machine authentication because Windows XP
> searches for the field subjectAltName to find the certificate in the
> computer store. If this isn’t present authentication fails the first time and
> after the internal counter of XP expires the second authentication is
> successful (why??) But ok, add this and all is fine.
> In the openssl.cnf of TinyCA you can see that the Email field is copied to
> the field subjectAltName. I will write a letter to the developer of TinyCA
> if he could make a separate field for this....
>
> Export the certificate as PKCS12 and check include certificate and fingerprint
> (if fingerprint is important I will figure out later and tell you, haven’t
> found time checking this) but the key must be included.
>
> And the last thing is that you have to import the computer certificate not
> per double click (in this case the certificate is stored at the CurrentUser
> store and you have to copy it over mmc to the computer store, but this
> doesn’t work, the certificate isn’t correctly found if you do this that
> way!!!!!)
> Best is to open mmc, doing a snap-in of LocalComputer and then go to "Eigene
> Certifikate" (Personal certificates), right click onto it, All Tasks, Import, then import the
> certificate and now you have the CA certificate and your computer
> certificate in the store, now you finally have to move the CA certificate
> into the root certificate store under your ComputerAccountStore.
> 
> 
> That’s all at the mmc.
>
> Then go to the preferences of your network connection, Authentication tab,
> EAP-Type Properties and at the list you have to check "Check
> Server certificate", uncheck Connect to this Server (this is optional) and at
> the list check your CA.
> If you also have a user certificate installed you will find there your CA 2
> times. It is not important which you select, one should be enough.
>
> Finally I can say what was discussed here: you don’t have to set another OID
> which is discussed here at one thread and you only have to change your
> registry if you have special requirements to the authentication behaviors.
> The basic setting of registry seems to be enough. I added the SupplicantMode
> DWORD with a value of 3 but this only seems to get start authentication
> faster than without but is not essential for basic setup.
>
> OK this is only a small dirty description for the first time, a better one
> will follow soon. But I thought many of you are struggling over this and it
> would be good posting this fast. Sorry for typing mistakes, may someone will
> correct this :-)
>
> @Alan: Is there an interest posting my documentation to the wiki, I can send the
> final document to you!
>
> Greetings and good luck
>
>
> Armin
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
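As an added example (not part of the thread, and not TinyCA's or freeradius' own tooling), the shell script below issues a demo CA, a RADIUS server certificate with the serverAuth EKU (1.3.6.1.5.5.7.3.1) and an XP machine certificate with the clientAuth EKU (1.3.6.1.5.5.7.3.2), CN set to the computer name and the FQDN in subjectAltName, then dumps the fields Alfonso asks for with the same `openssl x509` command. It assumes `openssl` is on PATH; the CA name, the server name radius.exampledomain.de, the working directory and the function names are constructed, and the SAN is written in the DNS: form directly instead of TinyCA's copy of the Email field.

```shell
#!/bin/sh
# Added example, not from the thread: issue a demo CA, a RADIUS server cert
# (EKU 1.3.6.1.5.5.7.3.1 = serverAuth) and an XP machine cert
# (EKU 1.3.6.1.5.5.7.3.2 = clientAuth, FQDN in subjectAltName), then inspect
# them with "openssl x509 -text". Host names and paths are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
HOST=workstation1.exampledomain.de        # FQDN used in the post
RADIUS=radius.exampledomain.de            # constructed server name

# Extension profiles. TinyCA gets the SAN by copying the Email field
# (subjectAltName = email:copy); here the DNS: form is written directly.
cat > "$WORK/ext.cnf" <<EOF
[ server ]
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$RADIUS
[ machine ]
extendedKeyUsage = clientAuth
subjectAltName   = DNS:$HOST
EOF

gen_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  for role in server machine; do
    [ "$role" = server ] && cn=$RADIUS || cn=$HOST   # CN = computer name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$WORK/$role.key" -out "$WORK/$role.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$role.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
      -extensions "$role" -out "$WORK/$role.crt" 2>/dev/null
  done
}

# The check Alfonso asked for: subject, EKU, SAN and SHA-1 fingerprint.
show_cert() {
  openssl x509 -in "$1" -noout -text -fingerprint -sha1 |
    grep -E 'Subject:|TLS Web (Server|Client) Authentication|DNS:|Fingerprint'
}

# Exit 0 when $1 carries the "$2" EKU (Server or Client) and DNS SAN $3.
has_eku_and_san() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web $2 Authentication" &&
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$3"
}

gen_certs
show_cert "$WORK/machine.crt"
```

Running it prints the machine certificate's CN, its "TLS Web Client Authentication" EKU, the DNS SAN and the SHA-1 fingerprint, which is the output Alfonso asked Armin to compare against.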



More information about the Freeradius-Users mailing list