What kind of error in client-cert using EAP?
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Tue Sep 19 11:47:10 CEST 2006
> Hello Alan,
>
> Alan DeKok schrieb:
>> No. It means that there is NO client cert. The authentication
>> process continues, so it's obviously not a catastrophic problem.
>
> Is it simply not sent, or somehow not available? Because I know for
> sure that there is a cert on the client. And I did nothing different
> from the other machines, where it has been working for 2 weeks.
>
> Just to make it explicit: I create a user-cert in TinyCA2(linux). I
> export the cert as a p12 and include the key and the CA into that p12
> container. I also disable the passphrase. I put that file on the
> network where the client can find it.
>
I have a similar configuration working (EAP-TLS for XP and TinyCA
generated certs). I found out that the way certificates are created is
important. Can you check the following procedure (something I have
already posted to you on this list, sorry for reposting it ;-) ).
---------------------------------------------
* Create a certificate per host:
- cn must contain the Netbios name of the PC
- the extension SubjectAltName must contain the Netbios name of the PC
(I think)
- The field Extended Key Usage must contain the option 'TLS Web Client
Authentication' (OID 1.3.6.1.5.5.7.3.2)
- Note that the Radius server's certificate must contain the
1.3.6.1.5.5.7.3.1 extension
- The certificate can be exported into a PKCS12 file .p12 (this
includes the private key). The certificate MUST be installed in the
HOST CERTIFICATE STORE (simply double-clicking the file will NOT work): Run
'mmc' and add the Snap-in 'Certificate>Local Computer', then in the
private folder import the .p12 file and in the Trusted Root CA the CA
certificate.
--------------------------------
Can you check the Netbios names and CN correspondence?
I've seen that you integrate the emailAddress in the subject (an option
in TinyCA): can you disable this?
> On the client I open the MMC as local admin and include the Snap-In
> Certificates for Local-Computers. Then I import the created cert into
> My-Certificates and copy the CA-Cert into the "trusted certification
> centers" tree (it's in German). It worked for two other W2K PCs and
> for four XP-Pro-SP2 PCs.
>
This is ok, but are the certificates generated in _exactly_ the same way?
Can you post 2 certificates: one which is working, another that is not?
Could you also check the certs' validity dates and the System Time of your hosts?
HTH,
Thibault
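The procedure in the reply above (per-host client cert with the NetBIOS name as CN and in SubjectAltName, the clientAuth EKU 1.3.6.1.5.5.7.3.2 on the client cert, serverAuth 1.3.6.1.5.5.7.3.1 on the RADIUS server cert, export to a passphrase-less .p12) and the later request to compare a working and a non-working cert can both be reproduced with OpenSSL. The script below is an added example, not code from the thread, TinyCA or FreeRADIUS; it issues a demo CA, a server cert and two client certs for a constructed host name "LAB-PC01", and the `check_client_cert` function applies the checks the reply asks for (EKU, CN/NetBIOS match, validity period) to any PEM certificate you point it at. All file paths and names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): issue EAP-TLS demo certificates with
# OpenSSL and check a client certificate for the attributes the post lists.
set -e

WORK="${WORK:-$(mktemp -d)}"     # scratch directory, constructed for the demo
HOST_NB="LAB-PC01"               # constructed NetBIOS name of the client PC

# Self-signed demo CA standing in for the TinyCA CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# make_cert NAME CN EKU [SAN]: key + CSR, then a CA-signed cert carrying the
# given extendedKeyUsage (clientAuth or serverAuth) and optional SAN.
make_cert() {
  name=$1; cn=$2; eku=$3; san=$4
  ext="$WORK/$name.ext"
  printf 'extendedKeyUsage = %s\n' "$eku" > "$ext"
  [ -n "$san" ] && printf 'subjectAltName = %s\n' "$san" >> "$ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Bundle key, cert and CA into a .p12 with an empty export password, the
# "passphrase disabled" container described in the thread.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -certfile "$WORK/ca.pem" -passout pass: -out "$WORK/$1.p12" 2>/dev/null
}

# check_client_cert CERT.pem NETBIOS_NAME
# Prints "ok" when the cert carries the TLS Web Client Authentication EKU
# (1.3.6.1.5.5.7.3.2), its CN equals the NetBIOS name, and it is inside its
# validity period; otherwise prints the first failing check and returns 1.
check_client_cert() {
  cert=$1; host=$2
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "missing clientAuth EKU"; return 1; }
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | grep -q "CN=$host" \
    || { echo "CN does not match NetBIOS name"; return 1; }
  # -checkend 0 succeeds only if the cert is valid right now (system clock!)
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate not within validity period"; return 1; }
  echo "ok"
}

run_demo() {
  make_ca
  make_cert server "radius.lab.example" serverAuth            # RADIUS server cert
  make_cert goodhost "$HOST_NB" clientAuth "DNS:$HOST_NB"     # correct client cert
  make_cert badhost  "$HOST_NB" serverAuth                    # wrong EKU on a client cert
  export_p12 goodhost
  echo "goodhost: $(check_client_cert "$WORK/goodhost.pem" "$HOST_NB" || true)"
  echo "badhost:  $(check_client_cert "$WORK/badhost.pem"  "$HOST_NB" || true)"
}

run_demo
```

Running it prints `goodhost: ok` and `badhost: missing clientAuth EKU`; pointing `check_client_cert` at an exported cert from a PC that fails EAP-TLS is a quick way to spot which of the listed attributes it is missing before comparing the two certs by hand.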