WPA authentication works only with MacOS clients

Jason Wittlin-Cohen jasonwc at brandeis.edu
Tue Oct 17 06:52:56 CEST 2006


Message: 5
Date: Mon, 16 Oct 2006 22:36:14 +0200
From: "Josh Shamir" <josh.shamir at gmail.com>
Subject: Re: WPA authentication works only with MacOS clients
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<8b3d60af0610161336k20473a1cw4410cbaa6eda17c7 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

"Hi Jason,
I want to use PEAP.
So I can use PEAP on a WinXP SP2 client without any other supplicant,
using its native supplicant. The problem is that with the native WinXP
supplicant the authentication process fails, and the freeradius server gives
me an error regarding certificates. The strange thing is that with the
same certificates, PEAP works fine with MacOSX.

Could it be a problem with the certificates? I generate certificates with
CA.all. Any ideas about how to generate certificates that also work with
the MS WinXP client?"

This is a common problem. Windows XP requires that the server and client
certificates have specific attributes. This is useful as it prevents a
man-in-the-middle attack where an authentic client masquerades as a
server with his client cert.

You need to use Microsoft's Extended Attributes:

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

See http://www.linuxjournal.com/node/8095/print for detailed
instructions on how to create a server certificate that will work with PEAP
and MS clients. The HOWTO is for EAP-TLS, which requires client and
server certificates. Since you are using PEAP, you just need to create
the server certificate. Good luck.

In particular you'll want to do:

openssl req -new -keyout server_key.pem -out server_req.pem -days 730 \
-config ./openssl.cnf

openssl ca -config ./openssl.cnf \
-policy policy_anything -out server_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions \
-infiles ./server_req.pem

You'll now have server_cert.pem (Public Certificate) and server_key.pem
(Private Key which has no password). The public certificate will have
the Server extended key usage extensions set and now your XP client
should authenticate.

Jason Wittlin-Cohen

P.S: Sorry for the double post. My last message had flowed text making
it very difficult to read so I decided to resend it.
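
A quick way to confirm that a certificate really carries the server EKU that XP insists on, as an added example that is not part of Jason's message: it issues self-signed test certificates with the two extension sections quoted above and decodes their extendedKeyUsage (assumes the openssl CLI is on PATH; the CN and file names are constructed).

```shell
#!/bin/sh
# Added example, not part of the original post: issue self-signed test
# certificates with the two extension sections quoted in the message and
# check which one carries the "TLS Web Server Authentication" EKU
# (OID 1.3.6.1.5.5.7.3.1) that the Windows XP PEAP supplicant requires.
# Assumes the openssl CLI is on PATH; the CN and file names are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Minimal openssl.cnf carrying the two sections from the post verbatim.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = radius.example.test
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# make_cert <extension-section> <name>: self-signed cert and key in $WORK,
# with the extensions taken from the named section of openssl.cnf.
make_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 \
        -config "$WORK/openssl.cnf" -extensions "$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# eku_of <cert.pem>: print the decoded extendedKeyUsage values, one per line
# (empty output when the certificate has no EKU extension at all).
eku_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# has_server_auth <cert.pem>: exit 0 only if serverAuth is present, which is
# what the XP supplicant checks before it will talk PEAP to the RADIUS server.
has_server_auth() {
    eku_of "$1" | grep -qx 'TLS Web Server Authentication'
}
```

Run `has_server_auth server_cert.pem` against the certificate produced by the `openssl ca` step above; a certificate signed with `-extensions xpclient_ext` by mistake fails the check.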
