Problems using EAP-TLS with freeradius version 2
Reimer Karlsen-Masur, DFN-CERT
karlsen-masur at dfn-cert.de
Thu Jan 31 17:42:50 CET 2008
Stefan Puch wrote on 31.01.2008 17:05:
> Hello again,
...
> @Reimer Karlsen-Masur
>> We know of problems with EE certificates in PDAs containing the
>> "non-repudiation" flag.
If the "non-repudiation" keyUsage *is part* of your client certificates, they
might not work with some PDAs' built-in supplicants. We found this out by trial
and error...
>> Additionally, Windows built-in supplicants don't like EE certificates with
>> the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2)
>> when doing EAP-TLS.
>
>> Apparently the latter issue can also be solved by just disabling the valid
>> certificate usage of Microsoft Smartcard Logon in the issuing CA's trusted
>> usages properties on the system.
> I'm not sure if I understand correctly what you want to say to me (I'm stupid :-))
> First I've used TinyCA to generate my certificates, now I will try the Makefile
> provided in the source code of freeradius. I think the extendedKeyUsage
> "Microsoft Smartcard Logon" should not be set in both variants.
If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client
certificates, they might not work with the Windows built-in supplicant.
If the "Microsoft Smartcard Logon" extendedKeyUsage *is not part* of your
client certificates, this causes fewer problems with the Windows built-in supplicant.
> Or do you mean
> that the extendedKeyUsage "Microsoft Smartcard Logon" must be disabled on the PDA?
If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client
certificates, you could work around this by disabling the trust setting of the
valid certificate usage "Microsoft Smartcard Logon" in the CA's properties in the
Windows built-in certificate store on the PDA.
--
Best regards / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen" (Security in Networked Systems)
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / court register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
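As an added worked example, not part of Reimer's mail and not the certificate Makefile that ships with FreeRADIUS or TinyCA's defaults, the script below uses OpenSSL to issue the same client key twice: once with the two flags discussed in the thread (keyUsage nonRepudiation and the "Microsoft Smartcard Logon" extendedKeyUsage 1.3.6.1.4.1.311.20.2.2) and once with a plain clientAuth profile, and then runs a check function that flags either before the certificate is pushed to a supplicant. It assumes only that openssl is on PATH; the config section names, subjects, serials and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original mail): issue two EAP-TLS client
# certificates that differ only in their extensions, then check a certificate
# for the flags the thread reports as problematic for built-in supplicants.
# Assumes: openssl on PATH. Section names, subjects and serials are invented.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/ext.cnf"

# Hypothetical extension profiles; these section names are ours.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

# Flags reported in the thread to trip up PDA and Windows supplicants.
[ client_problematic ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth, msSmartcardLogin

# Conservative EAP-TLS client profile: no nonRepudiation, clientAuth only.
[ client_ok ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Throwaway self-signed CA plus one client key/CSR, signed once per profile.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example EAP CA" -config "$CFG" -extensions ca_ext \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=user@example.org" -config "$CFG" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
serial=1001
for profile in client_problematic client_ok; do
  openssl x509 -req -in "$WORK/client.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial "$serial" -days 365 \
    -extfile "$CFG" -extensions "$profile" -out "$WORK/$profile.pem" 2>/dev/null
  serial=$((serial + 1))
done

# Inspect the decoded certificate text. OpenSSL prints the keyUsage bit as
# "Non Repudiation" and the EKU as "Microsoft Smartcardlogin"; the OID is
# matched as well in case an OpenSSL build lacks the name.
# Returns 0 = no known-problematic flag, 1 = at least one found, 2 = unreadable.
check_eap_tls_client_cert() {
  cert=$1
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
  status=0
  if printf '%s\n' "$text" | grep -qi 'Non Repudiation'; then
    echo "$cert: keyUsage has nonRepudiation (reported to break some PDA supplicants)"
    status=1
  fi
  if printf '%s\n' "$text" | grep -qiE 'Smartcard ?login|1\.3\.6\.1\.4\.1\.311\.20\.2\.2'; then
    echo "$cert: extendedKeyUsage has Microsoft Smartcard Logon (reported to break the Windows supplicant)"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "$cert: no known-problematic flags"
  return "$status"
}

for profile in client_problematic client_ok; do
  check_eap_tls_client_cert "$WORK/$profile.pem" || true
done
echo "Certificates and config left in $WORK for inspection"
```

Run it on any existing client certificate with `check_eap_tls_client_cert path/to/client.pem` after sourcing the script; a non-zero exit means the certificate should be reissued from a profile without the flagged extension rather than relying on the per-PDA trust-settings workaround.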