eap-ttls failing

Josh Hiner josh at remc1.org
Tue Jan 27 16:08:44 CET 2009


Josh Hiner wrote:
> tnt at kalik.net wrote:
>>> Whoops, I thought I solved this but I didn't. I tried setting up eap-tls
>>> on a few different laptops each using windows xp to configure eap-tls
>>> (not the wireless card client). I get the same results there. I have
>>> nothing in my /etc/raddb/users file. I tried putting:
>>> josh Auth-Type := eap
>>>    Auth-Type := Accept
>>>     
>>
>> Don't do that. Don't force Auth-Type. It's not going to help and it
>> will break everything else.
>>
>>  
>>> On the XP client I also notice that even though I have the Certificate
>>> Authority installed, the client certificate reports: Windows does not
>>> have enough information to verify this certificate.
>>>
>>> I figured that the certificate chain was broken. As a test, I imported
>>> the server certificate and stuck it in the Trusted root authorities
>>> section. This completed the chain (since the client cert was signed off
>>> the server cert which is what the make client does in 
>>> /etc/raddb/certs).
>>> But, of course, the server cert is not meant to be a cert authority so
>>> windows xp complains about this.
>>>     
>>
>> That is the problem. Windows won't recognize server certificate as
>> intermediate ca any more. The "cure" is to try signing client
>> certificates with ca certificate instead. I have posted to the list an
>> altered Makefile with make caclient.pem command added a few days ago. If
>> you can't find it I will post another one this evening.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>   
> I did find the Makefile. Thanks! I tried to do a make caclient.pem but 
> it threw this error:
>
> openssl req -new  -out caclient.csr -keyout caclient.key -config 
> ./client.cnf
> Generating a 2048 bit RSA private key
> ...........+++
> .......+++
> writing new private key to 'caclient.key'
> -----
> openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr  -key 
> `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out 
> caclient.crt -extensions xpclient_ext -extfile xpextensions -config 
> ./client.cnf
> Using configuration from ./client.cnf
> wrong number of fields on line 1 (looking for field 6, got 1, '' left)
> make: *** [caclient.crt] Error 1
>
> I don't need to re-do my CA and server cert prior to making the client 
> certs do I?
Ha, never mind. My index.txt file was messed up. -josh
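Added note (not part of the thread or of FreeRADIUS): the "wrong number of fields on line 1 (looking for field 6, got 1)" message comes from `openssl ca` reading its database, `index.txt`, where every line must be exactly six tab-separated fields. The checker below reproduces that rule on a constructed sample (the sample DNs only mimic the raddb/certs defaults; nothing is read from a real CA directory).

```python
import re
from dataclasses import dataclass

# An `openssl ca` database line is six tab-separated fields:
# status, expiry, revocation date, serial, filename, subject DN.
INDEX_FIELDS = 6
DATE_RE = re.compile(r"^\d{12}Z$")  # YYMMDDHHMMSSZ

@dataclass
class IndexEntry:
    status: str    # V = valid, R = revoked, E = expired
    expires: str
    revoked: str   # empty unless status == "R"
    serial: str
    filename: str  # "unknown" in practice
    subject: str

def parse_index(text: str) -> tuple[list[IndexEntry], list[str]]:
    """Return (entries, problems); problems mirror what `openssl ca` rejects."""
    entries: list[IndexEntry] = []
    problems: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("\t")
        # A blank or truncated line has fewer than six fields, which is
        # exactly the "wrong number of fields on line N" failure.
        if len(fields) != INDEX_FIELDS:
            problems.append(f"line {lineno}: expected {INDEX_FIELDS} fields, got {len(fields)}")
            continue
        e = IndexEntry(*fields)
        if e.status not in ("V", "R", "E"):
            problems.append(f"line {lineno}: unknown status {e.status!r}")
        if not DATE_RE.match(e.expires):
            problems.append(f"line {lineno}: bad expiry {e.expires!r}")
        if (e.status == "R") != bool(e.revoked):
            problems.append(f"line {lineno}: revocation date does not match status")
        entries.append(e)
    return entries, problems

# Constructed sample: two valid rows followed by a stray blank line.
SAMPLE_INDEX = (
    "V\t110127150844Z\t\t01\tunknown\t/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate\n"
    "V\t110127150844Z\t\t02\tunknown\t/C=FR/ST=Radius/O=Example Inc./CN=user@example.com\n"
    "\n"
)

if __name__ == "__main__":
    entries, problems = parse_index(SAMPLE_INDEX)
    print(f"{len(entries)} entries; problems: {problems}")
```

Running it against a real `index.txt` (read the file and pass its contents) points at the offending line before `make caclient.pem` is retried.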



More information about the Freeradius-Users mailing list