Problems using EAP-TLS with freeradius version 2

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Wed Jan 30 16:47:08 CET 2008


Stefan Puch wrote on 30.01.2008 11:13:
> Hello everyone,
> 
> I've got some problems with the new version of freeradius, but before I
> open a new bug report or post long debug traces from "radiusd -X" I want to ask
> here if someone else has had similar experiences.
> 
> I've set up a freeradius server version 1.1.7 in our club to authenticate
> several Notebooks. This worked fine with Windows XP, Windows Vista and Linux
> clients using EAP-TLS certificates (many thanks for the good documentation of
> the OIDs in the TLS certificate).
> 
> Then some people came with their mobile devices which are running Windows Mobile
> 2003, Windows Mobile 5 (WM5) or Windows Mobile 6 (WM6) and the problems began.

We know of problems with EE certificates in PDAs containing the
"non-repudiation" flag.

Additionally, Windows built-in supplicants don't like EE certificates with
the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2)
when doing EAP-TLS.

Apparently the latter issue can also be solved by just disabling the valid
certificate usage of Microsoft Smartcard Logon in the issuing CA's trusted
usages properties on the system.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
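
An added example, not part of the original post: a pre-deployment check for the two certificate properties named in the reply, run over the text that `openssl x509 -noout -text` prints. The excerpts are constructed, and the name OpenSSL prints for the Smartcard Logon OID is an assumption, so the dotted OID is matched as well.

```python
import re

# OID quoted in the post for "Microsoft Smartcard Logon".
SMARTCARD_LOGON_OID = "1.3.6.1.4.1.311.20.2.2"

def extension_values(text, name):
    """Values listed on the line under an 'X509v3 <name>:' header."""
    m = re.search(r"X509v3 %s:(?: critical)?[ \t]*\n[ \t]*(.+)" % re.escape(name), text)
    return [v.strip() for v in m.group(1).split(",")] if m else []

def eap_tls_findings(text):
    """Return the two certificate properties the post reports as problematic."""
    findings = []
    if "Non Repudiation" in extension_values(text, "Key Usage"):
        findings.append("keyUsage: non-repudiation flag set")
    for eku in extension_values(text, "Extended Key Usage"):
        # Assumption: the printed name of this OID varies between OpenSSL
        # builds, so match the dotted OID or the name with spacing removed.
        squashed = re.sub(r"\s+", "", eku).lower()
        if eku == SMARTCARD_LOGON_OID or squashed.startswith("microsoftsmartcardlog"):
            findings.append("extendedKeyUsage: Microsoft Smartcard Logon present")
    return findings

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
FLAGGED = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Microsoft Smartcard Login
"""
CLEAN = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

if __name__ == "__main__":
    for label, sample in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(label, eap_tls_findings(sample))
```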