What kind of error in client-cert using EAP?

Thibault Le Meur Thibault.LeMeur at supelec.fr
Thu Sep 21 14:37:48 CEST 2006

> Hi,
> it works now. Thanks Thibault, you saved my day, again! :-)

You're welcome

>> - the extension SubjectAltName must contain the Netbios name of the 
>> PC (I think)
> This had no meaning in my tests. Anyway, there must be chosen a type 
> of that field. Did you take DNS-Name, Email or Raw?

I use DNS-Name

> I took now DNS-Name, but in another case there was an email in that 
> field and the system authenticates without problems. So I think you 
> can leave this field out.


>> I've seen that you integrate the emailaddress in the subject (an 
>> option in TinyCA): can you disable this ?
> Yupp, this was the mistake. It is somehow on by default. I switched 
> it off and created new certs as you wrote and the XP Machine works 
> now too. Hell, I'm gonna print your mail and hang it in front of me.

The problem is that Microsoft doesn't describe exactly how certificates 
must be generated in order to have host authentication nor how the EAP 
request is made (using host/Netbios-name as the identity). This is 
because (I presume), they want us to use IAS and their certificate 
management software.

>> This is ok, but are the certificates _exactly_ generated in the same way ?
> Obviously not. As I made the same mistake over and over again. I have 
> now only the problem of one W2K Machine, not even asking the 
> Radius-Server.

I'm not sure this will be an issue on the radius server.

> I assume it's some kind of incompatibility of drivers or NIC.

I don't think so. I think it's Windows XP that doesn't recognize the 
host certificate as a valid one because its "subject" doesn't match 
exactly the netbios name of the host.

> Thanks for your help:
> Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif

Thanks, could you send me a fridge as well to keep them fresh... It's 
hot in my office today ;-).
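
The two certificate points from this thread (no emailAddress in the subject, subject CN equal to the host's NetBIOS name) can be checked before a certificate is deployed. The script below is an added example, not part of the original mail; the function names are hypothetical, and the case-insensitive name comparison is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a machine certificate against the
# two points discussed above: no emailAddress in the subject, and a subject CN
# equal to the host's NetBIOS name. The SAN is only printed, since the thread
# did not settle whether it matters.

# check_host_cert CERT.pem NETBIOS_NAME -> 0 clean, 1 findings, 2 unreadable
check_host_cert() {
    cert=$1; want=$2; rc=0
    # -nameopt multiline prints one attribute per line: "    commonName = PC01"
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline 2>/dev/null) || return 2

    if printf '%s\n' "$subject" | grep -q '^ *emailAddress *='; then
        echo "FINDING: subject contains emailAddress"
        rc=1
    fi

    cn=$(printf '%s\n' "$subject" | sed -n 's/^ *commonName *= *//p' | head -n 1)
    # Assumption: compare case-insensitively, as NetBIOS names are.
    if [ "$(printf '%s' "$cn" | tr '[:lower:]' '[:upper:]')" != \
         "$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "FINDING: subject CN '$cn' does not match host name '$want'"
        rc=1
    fi

    # Informational: the line after the SAN header in the text dump.
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
          sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
    echo "INFO: subjectAltName: ${san:-<none>}"
    return $rc
}

# make_sample_cert OUT.pem SUBJECT -> throwaway self-signed cert (constructed test data)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Run it as `check_host_cert client.pem PC01`, where both arguments are placeholders for your own certificate file and host name.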

