Problems using EAP-TLS with freeradius version 2

Jeffrey Hutzelman jhutz at cmu.edu
Mon Feb 4 00:43:46 CET 2008


--On Thursday, January 31, 2008 05:42:50 PM +0100 "Reimer Karlsen-Masur, 
DFN-CERT" <karlsen-masur at dfn-cert.de> wrote:

> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your
> client certificates they might not work with Windows build-in supplicant.

This is not surprising, if that is the only EKU in the cert.  In fact, in 
that situation, no correct server should accept the certificate for 
EAP-TLS, because the presence of any EKU means the certificate may _only_ 
be used for listed usages, and EAP-TLS is not smartcard-based logon.  If 
you want to use a certificate for both purposes, then it must have both 
id-kp-ms-sc-logon and one of anyExtendedKeyUsage (2.5.29.37.0) or [sigh] 
id-kp-clientAuth (1.3.6.1.5.5.7.3.2).  Unfortunately, RFC2716 does not 
discuss the details of certificate validation, but the rules for handling 
extended key usages are the same for all uses of PKIX; for details, see 
RFC3280 section 4.2.1.13.  The replacement for RFC2716 is 
draft-simon-emu-rfc2716bis-13.txt, which was just approved as a Proposed 
Standard in the past week.  It does discuss the details of certificate 
validation for EAP-TLS, in section 5.3.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Carnegie Mellon University - Pittsburgh, PA




More information about the Freeradius-Users mailing list