FreeRadius 2.0.5 AD PEAP
Alan DeKok
aland at deployingradius.com
Mon Aug 18 20:16:47 CEST 2008
Brooks, Kyle wrote:
> There might be a slight miscommunication here these are two separate
> boxes. Our production box is 1.1.7 and this new box 2.0.5
That's nice.
Do the clients have the certificate for the CA that signed the server
certificate? It seems not.
> I have created the certificates using your scripts or openssl and have
> had them signed by our Windows CA. The appropriate OID's are there
> according to the certificate authority.
That's nice. I asked if you were using the *same* certificates. It
seems not.
> Using the same switch connecting to 1.1.7 everything works great, change
> config to 2.0.5 box and I'm stuck at the "server inner-tunnel" Sending
> Access-Challenge.
Yes. I know. You've said that lots.
The problem is that the clients need to know the CA that signed the
server certificate. If they don't, they won't authenticate. This is
how TLS-based EAP methods work. You can read lots of documentation to
understand why, or you can follow the instructions, use the same
certificates in both servers, and solve the problem in 10 minutes.
So... you've created a configuration for 2.0.5 with *new*
certificates. The clients don't recognize these certificates, so they
stop talking to the server.
The solution is simple. Use the SAME CERTIFICATES in 2.0.5 that
you're using in 1.1.7. I really can't make this any clearer.
Don't use the certificate creation scripts. Don't use new
certificates. Use the SAME CERTIFICATES. It will work.
> I just don't know anymore what more to check. Config files are
> identical as much as possible.
Except for the certificates. I've been trying to tell you that you
need to use the same certificates. Is there anything else I need to say
to convince you to use the same certificates? Please?
Using DIFFERENT certificates is wrong. Using NEW certificates is
wrong. CREATING new certificates is wrong. None of that will work.
Use the SAME certificates.
Yes, you will use the same certificates on two machines. That won't
cause problems. It WILL solve the problem. The clients WILL be able to
authenticate.
Alan DeKok.
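A check for the two mismatches Alan describes (a different certificate on the 2.0.5 box, and a server certificate that does not chain to the CA the clients trust), as an added example that is not part of the thread or of FreeRADIUS: it assumes the certificate files from both servers and the CA file installed on the clients are copied to one host and passed as arguments, and that openssl is available.

```shell
#!/bin/sh
# Added diagnostic, not from the mailing-list thread. All paths are
# placeholders supplied by the caller.

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when both files hold the same certificate.
same_certificate() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Return 0 when the server certificate verifies against the CA bundle
# the supplicants have installed; this is the trust the thread says is
# missing when a freshly created certificate is deployed.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: check_peap_certs <old_server.pem> <new_server.pem> <client_ca.pem>
# Exit 1 if the servers differ, 2 if the clients' CA did not sign it.
check_peap_certs() {
    old=$1 new=$2 ca=$3
    if ! same_certificate "$old" "$new"; then
        echo "server certificates differ: both servers must use the same one" >&2
        return 1
    fi
    if ! chains_to_ca "$new" "$ca"; then
        echo "server certificate is not signed by the CA the clients trust" >&2
        return 2
    fi
    echo "ok: same certificate on both servers, signed by the client-trusted CA"
}
```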