Win XP with 802.1x PEAP (EAP-MSCHAP V2)

Marc Charbonneau MCharbonneau at ottawaheart.ca
Fri Apr 27 18:59:21 CEST 2007


Hi, it looks like I used a certificate with the wrong OID.  I used a
cert minted with their "SubCA" template which doesn't have the (OID
1.3.6.1.5.5.7.3.1).
 
In "playing" with the Microsoft CA on Windows 2003 server, I've found
that the Certificate made using the "Web Server" template is the one
required.  Unfortunately, this particular template doesn't allow the
Certificate's keys to be exported.  I tried creating a new Certificate
template by copying from the one called "Web Server" and now, I have a
new "Web Server" template with the ability to export its keys.  The
problem is I can't seem to make use of this new template within their
CA.
 
I know this is a Microsoft issue but I've looked high and low in their
docs and when you go to their CA and try to select "Certificate Template
to Issue", the new template created is not available.  I'm a little
obsessed with making this work so I'm hoping someone here has a quick answer
to making Microsoft's CA allow me to mint a Web Server certificate with
exportable keys.
 
Thanks for any future and previous help,
Marc

>>> karlsen-masur at dfn-cert.de 4/27/2007 4:11:58 AM >>>

Hi.

A.L.M.Buxey at lboro.ac.uk wrote:
> either use your current tool but include the XP extensions as required,

Just to be precise. The named extensions are PKIX extensions for
serverAuth (OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and
clientAuth (OID 1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Also if a client certificate is used on Windows with EAP-TLS the
extendedKeyUsage "Microsoft SmartCard Logon" (OID 1.3.6.1.4.1.311.20.2.2)
*must not* be present because Windows won't be able to use/choose such a
client certificate to authenticate at the RADIUS server.

It is only Windows that is looking at these extendedKeyUsages in the
certificate and expecting the correct extensions here.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
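As an added example that is not part of the thread, here is a stdlib-only Python check for the extendedKeyUsage OIDs Reimer lists: it encodes and decodes the DER value of that extension and reports whether a certificate fits the RADIUS-server or EAP-TLS-client role. The DER helpers, the role names and the sample EKU values are my own constructions, and the decoder assumes short-form DER lengths.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"           # id-kp-serverAuth: required on the RADIUS server cert
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth: required on an EAP-TLS client cert
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # MS Smart Card Logon: must be absent on EAP-TLS client certs

def _base128(n):  # one OID arc, big-endian base 128, high bit set on all but the last byte
    out = [n & 0x7F]
    while n > 0x7F:
        n >>= 7
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))

def encode_oid(dotted):  # DER OBJECT IDENTIFIER (short-form length is enough for any EKU OID)
    a = [int(x) for x in dotted.split(".")]
    body = _base128(a[0] * 40 + a[1]) + b"".join(_base128(x) for x in a[2:])
    return bytes([0x06, len(body)]) + body

def encode_eku(oids):  # extendedKeyUsage extension value: SEQUENCE OF OBJECT IDENTIFIER
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner

def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    first = arcs.pop(0)  # first byte packs the first two arcs as X*40+Y
    return ".".join(map(str, ([first // 40, first % 40] if first < 80 else [2, first - 80]) + arcs))

def decode_eku(der):  # assumes short-form DER lengths, i.e. a value under 128 bytes
    if der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short SEQUENCE")
    oids, pos = [], 2
    while pos < 2 + der[1]:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(der[pos + 2:pos + 2 + der[pos + 1]]))
        pos += 2 + der[pos + 1]
    return oids

def check_eku(oids, role):  # role is "radius-server" or "eap-tls-client"; [] means the cert fits
    problems = []
    if role == "radius-server" and SERVER_AUTH not in oids:
        problems.append("missing serverAuth " + SERVER_AUTH)
    if role == "eap-tls-client" and CLIENT_AUTH not in oids:
        problems.append("missing clientAuth " + CLIENT_AUTH)
    if role == "eap-tls-client" and SMARTCARD_LOGON in oids:
        problems.append("Smart Card Logon EKU present; Windows will not offer this cert")
    return problems

# Constructed sample values (not from any real certificate) for the two failure cases above.
NO_SERVER_AUTH_EKU = encode_eku([CLIENT_AUTH])                 # server cert minted without serverAuth
LOGON_CLIENT_EKU = encode_eku([CLIENT_AUTH, SMARTCARD_LOGON])  # client cert Windows will not pick
```

On a real certificate, feed `decode_eku` the raw extnValue of the extendedKeyUsage extension (OID 2.5.29.37) as extracted by your X.509 library of choice.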
