XP SP3 an EAP-TLS partly solution

tnt at kalik.net tnt at kalik.net
Fri Jan 23 15:16:43 CET 2009


>The certs shouldn't be the problem. On the clients I have a client cert
>with the right extended usage and the server has a server cert with the
>right attributes. In XP the certmgr says it's for
>Client Authentication. They worked with SP2. But I also tried to
>install a server cert with client extended usage, also no success. I'm
>a bit worried about the registry errors in the logs I've posted.
>

It looks like SP3 will not allow a server certificate to be used as
an intermediate CA.

>I can't believe that I'm the first one who tried to authenticate an XP
>SP3 machine with EAP-TLS to FreeRADIUS. I mean, XP has a
>market dominance of >95% and this problem should also occur if you
>authenticate via WLAN. So there must be a solution and I'm doing
>something terribly wrong.
>

Try signing client certificates with the CA certificate. I have included
a modified Makefile for 2.1.3. I have added "make caclient.pem" to
produce client certificates and "cleanca" to remove them. Try
importing caclient.p12 created this way onto the user machine (along
with ca.der) and see if they will work with SP3. They should work with
SP2 as well.

Ivan Kalik
Kalik Informatika ISP

>I'd like to hear from at least one person that it works. At the moment I
>believe XP SP3 is incompatible with FreeRADIUS.
>
>Thanks
> Alex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile
Type: application/octet-stream
Size: 5636 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090123/ff425202/attachment.obj>
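
The approach suggested in the message above (a client certificate issued directly by the CA, so that no server certificate sits in the chain) can be reproduced with plain openssl. This is an added example, not the scrubbed Makefile and not FreeRADIUS's own code; the DNs, the password `example-pass`, the config file name and the helper function names are assumptions, and only `caclient.pem`, `caclient.p12` and `ca.der` are names taken from the message.

```shell
#!/bin/sh
# Added example, not the attached Makefile. DNs, password and key sizes are
# constructed; caclient.pem, caclient.p12 and ca.der are named in the message.

make_caclient() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > example.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # 1. Self-signed root CA (constructed test CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config example.cnf \
        -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    # 2. Client key and signing request.
    openssl req -new -newkey rsa:2048 -nodes -config example.cnf \
        -subj "/CN=user@example.org" -keyout caclient.key \
        -out caclient.csr 2>/dev/null || exit 1
    # 3. Sign the request with the CA key itself (no server cert in the chain).
    openssl x509 -req -in caclient.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days 30 -extfile example.cnf -extensions client_ext \
        -out caclient.pem 2>/dev/null || exit 1
    # 4. Files to import on the client: root in DER, client cert+key in PKCS#12.
    openssl x509 -in ca.pem -outform DER -out ca.der || exit 1
    openssl pkcs12 -export -in caclient.pem -inkey caclient.key \
        -passout pass:example-pass -out caclient.p12 || exit 1
)

check_caclient() (
    cd "$1" || exit 1
    # Must verify for TLS client use with only the root as trust anchor.
    openssl verify -purpose sslclient -CAfile ca.pem caclient.pem \
        >/dev/null 2>&1 || exit 1
    # Issuer of the client cert must be the CA's own subject (chain depth 1).
    issuer=$(openssl x509 -in caclient.pem -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in ca.pem -noout -subject | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ]
)
```

Calling `make_caclient ./certs && check_caclient ./certs` builds the files and confirms the client certificate chains straight to the root before anything is imported on the XP machine.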

