Everything looks like it works, but PC is not authenticated
Alexandros Gougousoudis
gougousoudis at kh-berlin.de
Mon Sep 4 10:20:02 CEST 2006
Hi Alan,
> It looks like it is doing machine authentication, in which case the
Correct.
> certs (both client and server) need the machine authentication OIDs,
I read that again and again, but I already have these OIDs in the certs.
Here is a dump of my server cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40 (0x28)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
        Validity
            Not Before: Aug 10 09:33:43 2006 GMT
            Not After : Aug 10 09:33:43 2007 GMT
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=radius.verwaltung.kh-berlin.de/emailAddress=sc-it at kh-berlin.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                42:A9:4A:9F:04:88:71:B1:78:D4:1A:5D:00:A5:66:8E:78:C0:45:FF
            X509v3 Authority Key Identifier:
                keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
                serial:89:0D:6F:61:AC:0C:E0:05
            X509v3 Issuer Alternative Name:
                email:sc-it at kh-berlin.de
            X509v3 Subject Alternative Name:
                email:sc-it at kh-berlin.de
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
                !!!!!!!!!!!!!!
    Signature Algorithm: sha1WithRSAEncryption
        [...]
Isn't that exactly what it should look like?
And here the client:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 42 (0x2a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
        Validity
            Not Before: Sep 1 11:18:32 2006 GMT
            Not After : Sep 1 11:18:32 2007 GMT
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=vinfo-t1/emailAddress=vinfo-t1-neuer at local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                C0:72:0A:91:71:D9:E7:A9:73:CC:B4:B0:AD:17:B4:ED:61:AF:06:B9
            X509v3 Authority Key Identifier:
                keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
                serial:89:0D:6F:61:AC:0C:E0:05
            X509v3 Issuer Alternative Name:
                email:sc-it at kh-berlin.de
            X509v3 Subject Alternative Name:
                email:vinfo-t1-neuer at local
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
                !!!!!!!!!
    Signature Algorithm: sha1WithRSAEncryption
        [...]
What else could be a problem? How do you guys handle the
"host/<netbiosname>" problem? Could that break the cert?
TIA
Alex
--
ServiceCenter IT - Alexandros Gougousoudis (Head)
Joint facility of the Kunsthochschule Berlin-Weissensee, the Hochschule
für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst
Busch".
Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
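
The EKU check discussed in this message, as an added example (not part of the original post and not FreeRADIUS code): a Python parser for the extensions section of an `openssl x509 -text` dump that reports whether a certificate carries the server or client authentication EKU. The function names are hypothetical, and the sample dump is abridged from the client certificate quoted above.

```python
import re

# EKU names as printed by `openssl x509 -text`, with their OIDs.
EKU = {"server": ("TLS Web Server Authentication", "1.3.6.1.5.5.7.3.1"),
       "client": ("TLS Web Client Authentication", "1.3.6.1.5.5.7.3.2")}
HEADER = re.compile(r"^((?:X509v3|Netscape) .+?):(\s*critical)?$")

def parse_extensions(dump):
    """Map extension name -> (critical, [values]); tolerates lost indentation."""
    exts, name, in_exts = {}, None, False
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("X509v3 extensions"):
            in_exts = True
        elif not in_exts or not line or set(line) <= {"!"}:
            continue  # outside the section, blank, or a "!!!!" marker line
        elif line.startswith("Signature Algorithm"):
            break  # the extensions section ends here
        elif (m := HEADER.match(line)):
            name = m.group(1)
            exts[name] = (bool(m.group(2)), [])
        elif name:
            exts[name][1].extend(v.strip() for v in line.split(",") if v.strip())
    return exts

def check_cert(dump, role):
    """Return findings for an EAP-TLS 'server' or 'client' cert; empty list = OK."""
    name, oid = EKU[role]
    exts = parse_extensions(dump)
    findings = []
    if name not in exts.get("X509v3 Extended Key Usage", (False, []))[1]:
        findings.append(f"missing EKU {name} ({oid})")
    key_usage = exts.get("X509v3 Key Usage", (False, []))[1]
    # A TLS client signs the handshake, so a present Key Usage must allow it.
    if role == "client" and key_usage and "Digital Signature" not in key_usage:
        findings.append("Key Usage lacks Digital Signature")
    return findings

# Abridged from the client certificate dump in the message above.
CLIENT_DUMP = """\
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Client Authentication
!!!!!!!!!
Signature Algorithm: sha1WithRSAEncryption
"""

if __name__ == "__main__":
    print(check_cert(CLIENT_DUMP, "client"), check_cert(CLIENT_DUMP, "server"))
```

An empty findings list only confirms the EKU and Key Usage extensions; it says nothing about the identity the supplicant presents.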