What kind of error in client-cert using EAP?

Robert Myers ccrider at whiterose.net
Thu Sep 21 07:50:40 CEST 2006


I don't know if my chiming in will make a difference or not.

But windows can authenticate with a machine certificate or a user 
certificate....

If you're doing the machine certificates, please say so, I'm a little 
confused as to what exactly you are doing now.

-Bob

Thibault Le Meur wrote:
>> Hello Alan,
>>
>> Alan DeKok wrote:
>>>   No.  It means that there is NO client cert.  The authentication
>>> process continues, so it's obviously not a catastrophic problem.
>>
>> Is it simply not sent, or somehow not available? Because I know for 
>> sure that there is a cert on the client. And I did nothing different 
>> from what I did on the other machines, where it has been working for 2 weeks.
>>
>> Just to make it explicit: I create a user-cert in TinyCA2(linux). I 
>> export the cert as a p12 and include the key and the CA into that p12 
>> container. I also disable the passphrase. I put that file on the 
>> network where the client can find it.
>>
>
> I have a similar configuration working (EAP-TLS for XP and TinyCA 
> generated certs). I found out that the way certificates are created is 
> important. Can you check the following procedure (something I have 
> already posted to you on this list, sorry for reposting it ;-) ).
>
> ---------------------------------------------
> * Create a certificate per host:
> - cn must contain the Netbios name of the PC
> - the extension SubjectAltName must contain the Netbios name of the PC 
> (I think)
> - The field Extended Key Usage must contain the option 'TLS Web Client
> Authentication' (OID 1.3.6.1.5.5.7.3.2)
> - Note that the Radius server's certificate must contain the 
> 1.3.6.1.5.5.7.3.1 extension
> - The certificate can be exported into a PKCS12 file .p12 (this 
> includes the private key). The certificate MUST be installed in the 
> HOST CERTIFICATE STORE (simply double-clicking the file will NOT work): 
> run 'mmc' and add the Snap-in 'Certificate>Local Computer', then in 
> the private folder import the .p12 file and in the Trusted Root CA the 
> CA certificate).
> --------------------------------
>
> Can you check the Netbios names and CN correspondence?
>
> I've seen that you integrate the emailaddress in the subject (an 
> option in TinyCA): can you disable this?
>
>> On the client I open the MMC as local admin and include the Snap-In 
>> Certificates for Local-Computers. Then I import the created cert into 
>> My-Certificates and copy the CA-Cert into the "trusted certification 
>> centers" tree (it's in german). It worked for another 2 W2K PCs and 
>> for four XP-Pro-SP2 PCs.
>>
>
> This is ok, but are the certificates generated in _exactly_ the same 
> way?
>
> Can you post 2 certificates: one which is working, another that is not?
>
> Could you also check the certs' validity dates and the system time of 
> your hosts?
>
> HTH,
> Thibault
>
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
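The checklist quoted above (NetBIOS name in the CN and in SubjectAltName, the TLS Web Client Authentication EKU, no emailAddress in the subject, validity dates checked against the client's clock) can be turned into an automated check. The following Go program is an example added to this archive page; it is not code from the thread, from TinyCA or from FreeRADIUS. It builds a throwaway CA and two constructed client certificates for a host named WORKSTATION01, one following the checklist and one breaking it, and reports which points each fails. ClientCertIssues, BuildDemoCerts, the 'Demo Lab CA' name and user@example.com are all this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PKCS#9 emailAddress: the subject attribute TinyCA can add and the thread says to leave out.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// ClientCertIssues applies the thread's checklist to a parsed EAP-TLS client certificate and
// returns one line per failed point; an empty result means the certificate passes all of them.
func ClientCertIssues(cert *x509.Certificate, netbiosName string, now time.Time) []string {
	var issues []string
	if !strings.EqualFold(cert.Subject.CommonName, netbiosName) {
		issues = append(issues, fmt.Sprintf("CN %q is not the NetBIOS name %q", cert.Subject.CommonName, netbiosName))
	}
	sanOK := false // NetBIOS names are case-insensitive, so compare the SAN entries that way
	for _, d := range cert.DNSNames {
		sanOK = sanOK || strings.EqualFold(d, netbiosName)
	}
	if !sanOK {
		issues = append(issues, "SubjectAltName does not contain the NetBIOS name")
	}
	clientAuth := false // the RADIUS server's own certificate correspondingly needs 1.3.6.1.5.5.7.3.1
	for _, eku := range cert.ExtKeyUsage {
		clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	if !clientAuth {
		issues = append(issues, "EKU lacks TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)")
	}
	for _, attr := range cert.Subject.Names {
		if attr.Type.Equal(oidEmailAddress) {
			issues = append(issues, "subject contains an emailAddress attribute")
			break
		}
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		issues = append(issues, "not valid at the client's system time (check validity dates and clock)")
	}
	return issues
}

// mustIssue makes a P-256 key for template, signs it under parent with signer (self-signed when
// signer is nil) and re-parses the DER, so the checks see what a supplicant actually decodes.
func mustIssue(template, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoCerts makes a throwaway CA and two constructed client certs for host WORKSTATION01.
func BuildDemoCerts(now time.Time) (good, bad *x509.Certificate) {
	year := 365 * 24 * time.Hour
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Lab CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * year),
	}
	ca, caKey := mustIssue(caTmpl, caTmpl, nil)
	good, _ = mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "WORKSTATION01"},
		DNSNames:  []string{"WORKSTATION01"}, // SAN carries the NetBIOS name
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(year),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	bad, _ = mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(3), NotBefore: now.Add(-2 * year), NotAfter: now.Add(-year), // expired
		Subject: pkix.Name{CommonName: "Workstation 01", // not the NetBIOS name, and emailAddress set
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: "user@example.com"}}},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // wrong EKU, no SAN
	}, ca, caKey)
	return good, bad
}

func main() {
	good, bad := BuildDemoCerts(time.Now())
	fmt.Println(ClientCertIssues(good, "WORKSTATION01", time.Now()), ClientCertIssues(bad, "WORKSTATION01", time.Now()))
}
```

A certificate taken from a real .p12 or PEM export can be passed to ClientCertIssues the same way once it has been parsed with x509.ParseCertificate; the corresponding check for the RADIUS server's certificate is the same EKU scan against x509.ExtKeyUsageServerAuth (1.3.6.1.5.5.7.3.1).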


