client certs

Jason Wittlin-Cohen jwittlincohen at gmail.com
Thu Dec 11 03:36:11 CET 2008 

Craig,

Have you tried authenticating with the same certificate from a different
computer, or using a different supplicant? The XP supplicant is pretty
awful. If you have an Intel card, you can download the Intel PROset software
for free which has more features than XP's supplicant, supports more
authentication options, and tends to work better. My personal favorite is
Juniper's Open Access client. Juniper has a 30-day trial if you want to test
to see if that solves your problems.

In addition, I find that if the sever is down while a client tries to
connect, I have to refresh the settings on the AP, restarting the wireless,
or the RADIUS server will show no activity at all. Restarting Windows or
repairing the wireless connection doesn't help as it appears to be an issue
with the AP. So, if you had the the RADIUS server down for even a short
while, try restarting the AP.

You can also see if there's a valid certificate chain. Start > Run "mmc".
File > "Add Snap-In". Add "Certificates". Choose "My User". You should see a
"Certificates - Current User" tree. Expand it, then open Personal >
Certificates. You should see your certificate in the list. Double click the
certificate and check the "Certificate Path" tab. Certificate Status should
be "OK", and you should see both your client cert and the CA.

If your certificate was signed by the server key and not the CA key,
certificate verification will fail.

Also, run freeradius with "freeradius -X" to check to see whether Windows is
even communicating with the RADIUS server. I was having problems with my
Ubuntu laptop and found it was timing out before even attempting to
authenticate with the RADIUS server due to a driver issue.

Jason

On Wed, Dec 10, 2008 at 9:17 PM, Craig White <craigwhite at azapple.com> wrote:

> On Wed, 2008-12-10 at 19:51 -0500, Jason Wittlin-Cohen wrote:
> > Craig,
> >
> > Apparently Windows automatically sends non-CA certificates in DER or
> > PEM format to the "Other People' certificate store. More importantly,
> > the wireless supplicant in Windows XP \will not work with PEM or DER
> > formatted client certificates. It'll complain that you have no
> > certificate. You must convert to pkcs12 as the documentation states.
> >
> > openssl pkcs12 -export -in certname.pem \
> > -inkey keyname.key -out name.p12 -clcerts
> ----
> Jason
>
> Thanks for the help. Last week when I was generating certificates my own
> way, I was doing that and yes, as Ivan points out, the 'scripted' way
> that make client.pem does make the p12 cert for the client.
>
> My issue now - and obviously sh*t happens as I change things around is
> that with the certificates newly generated and radiusd restarted in
> 'debug' mode, the newly minted ca.der and client.p12 certificates
> installed in their proper homes in 'certificates'
>
> following the instructions here...
> http://wiki.freeradius.org/WPA_HOWTO#Step_4:_Configure_the_Client
>
> I 'repair' or 'refresh' Network Connection (obviously the repair is for
> the Wireless) and it hems/haws and finally says Authentication failed
> but the wireless AP never makes an effort to connect to the radius
> server. Just rebooted the laptop and checked for stale info in regedit
> HKCU\Software\Microsoft\EAPOL (none)
>
> This AP has been talking to the radius server for weeks now (and all day
> today) and authenticating Macintosh and iPhone clients but Windows is
> making me absolutely nuts. The radius server is also authenticating for
> my RRAS server on a Windows server on the LAN...my only issue has been
> Windows laptops  ;-(
>
> At least earlier with my otherwise generated certificates, I could get
> through the AP and to the radius server but now...it's like no one is
> home. The Wireless AP does show my connection but that's it.
>
> I'm very frustrated
>
> Craig
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-cohen at yale.edu
(908) 420-0861
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081210/ffcc56f3/attachment.html>

More information about the Freeradius-Users mailing list