Win XP with 802.1x PEAP (EAP-MSCHAP V2)

Marc Charbonneau mcharbonneau at ottawaheart.ca
Sat Apr 28 14:46:46 CEST 2007


This incorrect password issue was solved once the proper server
certificate was used by FreeRADIUS' EAP.conf file.
 
Thanks for all your help!
Marc
 
Solution to get correct cert to work with Windows XP SP2 supplicant:

1) From Linux box:
>openssl genrsa -des3 -out server1.key 2048
You will be prompted for a password; this server1.key and the password
assigned are used in the "eap.conf" file.
>openssl req -new -key server1.key -out server1.csr
 
2) Get "server1.csr" to a Windows workstation that will reach the
Microsoft 2003 CA.  Easiest way might be to use FTP.
The URL to our CA is:  http://10.10.10.10/certsrv 

3) On Web access to CA:
- click "Request a Certificate"
- click "Advanced certificate request"
- click "Submit a certificate request by using a base-64-encoded CMC or
PKCS #10 file, or submit a renewal request by using a base-64-encoded
PKCS #7 file."
- click "Browse for a file to insert." and browse to "ohisles1.csr"
then click "READ" button.
- select "Web Server" for certificate template and click "Submit"
- keep "DER encoded" selected then click "Download certificate", save
file as server1.cer

4) Get this file "server1.cer" back to Linux server with FTP
 
5) Issue OpenSSL command
>openssl x509 -inform DER -in server1.cer -out server1.pem
- update "eap.conf" to point to this server certificate.

6) Use the same OpenSSL command on the CER file of the root certificate
from the Microsoft CA to convert it to PEM format.  Use this root
certificate (we named it "root.pem") and point to it in the "eap.conf" file.

7) Start FreeRADIUS with:
>radiusd -X

8) Windows XP supplicant should work fine.
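
Added example, not part of the original post: a shell pre-flight check for the PEM files from steps 5 and 6, run before starting radiusd. It confirms that the server certificate chains to the root with server-authentication purpose and that the key, with its password, matches the certificate. The function names, the EAP_KEY_PASS variable and the throwaway demo PKI (standing in for the Microsoft CA) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the PEM files that
# eap.conf will point to. The key password is read from $EAP_KEY_PASS (assumed name).

# check_eap_cert SERVER_PEM SERVER_KEY ROOT_PEM -> returns 0 only if both checks pass
check_eap_cert() {
    cert=$1; key=$2; root=$3; rc=0
    # 1. Certificate chains to the root and is valid as a TLS server certificate.
    if openssl verify -purpose sslserver -CAfile "$root" "$cert" >/dev/null 2>&1
    then echo "chain/purpose: ok"
    else echo "chain/purpose: FAILED"; rc=1
    fi
    # 2. Private key decrypts with the password and matches the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -passin env:EAP_KEY_PASS -pubout 2>/dev/null) || key_pub=""
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
    then echo "key/password: ok"
    else echo "key/password: FAILED"; rc=1
    fi
    return "$rc"
}

# make_demo_pki DIR: constructed throwaway files standing in for the Microsoft CA
# output (demo root, encrypted key with password "demo", DER cert converted to PEM).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 2 \
        -keyout "$d/rootkey.pem" -out "$d/root.pem" 2>/dev/null &&
    openssl genrsa -des3 -passout pass:demo -out "$d/server1.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/server1.key" -passin pass:demo \
        -subj "/CN=radius.example.test" -out "$d/server1.csr" 2>/dev/null &&
    printf 'extendedKeyUsage=serverAuth\n' > "$d/ext.cnf" &&
    openssl x509 -req -in "$d/server1.csr" -CA "$d/root.pem" -CAkey "$d/rootkey.pem" \
        -CAcreateserial -extfile "$d/ext.cnf" -days 2 \
        -outform DER -out "$d/server1.cer" 2>/dev/null &&
    openssl x509 -inform DER -in "$d/server1.cer" -out "$d/server1.pem"
}

# With three arguments, check real files: sh check.sh server1.pem server1.key root.pem
if [ "$#" -eq 3 ]; then check_eap_cert "$1" "$2" "$3"; fi
```

Export EAP_KEY_PASS with the key password from step 1 before running it against the real files, so the password does not appear on the command line.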

