Win XP with 802.1x PEAP (EAP-MSCHAP V2)

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Fri Apr 27 10:11:58 CEST 2007


Hi.

A.L.M.Buxey at lboro.ac.uk wrote:
> either use your current tool but include the XP extensions as required,

Just to be precise. The named extensions are PKIX extensions for serverAuth
(OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID
1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Also if a client certificate is used on Windows with EAP-TLS the
extendedKeyUsage "Microsoft SmartCard Logon" (OID 1.3.6.1.4.1.311.20.2.2)
*must not* be present because Windows won't be able to use/choose such a
client certificate to authenticate at the RADIUS server.

It is only Windows that is looking at these extendedKeyUsages in the
certificate and expecting the correct extensions here.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
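
The EKU rules stated in this message, as an added example that is not part of the original post or of FreeRADIUS: a standard-library Python check that pulls the extendedKeyUsage OIDs out of DER bytes and reports what Windows would object to. The function names and the hex samples are constructed for illustration; input is assumed to be DER (decode PEM first).

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"            # needed on the RADIUS server cert
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"            # needed on the EAP-TLS client cert
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # must not be on the client cert

def tlvs(data):
    """Yield (tag, value) per DER element; single-byte tags, definite lengths."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                    # long form: next n bytes hold length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated DER")
        yield tag, data[i:i + length]
        i += length

def decode_oid(body):
    top = min(body[0] // 40, 2)              # first byte packs the first two arcs
    arcs, val = [top, body[0] - 40 * top], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def find_eku(der):
    """OIDs of the first extendedKeyUsage extension (2.5.29.37), or None."""
    for tag, val in tlvs(der):
        kids = list(tlvs(val)) if tag & 0x20 else []   # only constructed nest
        if kids and kids[0] == (0x06, b"\x55\x1d\x25") and kids[-1][0] == 0x04:
            (_, seq), = tlvs(kids[-1][1])    # OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for t, v in tlvs(seq) if t == 0x06]
        found = find_eku(val) if kids else None
        if found is not None:
            return found
    return None

def windows_eku_problems(der, role):
    """role is 'server' (RADIUS server) or 'client' (EAP-TLS supplicant)."""
    ekus = find_eku(der) or []
    need = SERVER_AUTH if role == "server" else CLIENT_AUTH
    problems = [] if need in ekus else ["missing EKU " + need]
    if role == "client" and SMARTCARD_LOGON in ekus:
        problems.append("Smart Card Logon EKU present: " + SMARTCARD_LOGON)
    return problems

# Constructed samples: bare EKU extensions, not full certificates.
CLIENT_OK = bytes.fromhex("30130603551d25040c300a06082b06010505070302")
CLIENT_SC = bytes.fromhex("301f0603551d250418301606082b06010505070302060a2b060104018237140202")
```
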