HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
Nicolas Boullis nicolas.boullis at ecp.fr
Thu Jul 16 17:12:09 CEST 2009

Hi,
DISCLAIMER: I'm no Windows specialist.
john wrote:
> 
> I am having a hard time figuring out how to make this work. Where/how
> does the cert get imported. Do I need to make a registry change in
> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
> to make this work? I hope this is the part someone on the list will
> have done before and be able to guide me or point me at a howto.
I had a hard time with this as well, and finally succeeded, using
Windows XP.
There are many points that matter:
 * You have to edit your registry to add an "AuthMode" dword key in
   KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
   with value 2.
 * You have to load your certificate and private key in the computer's
   personal store. I did that with mmc.exe. Note that loading the
   certificate and private key in a user's personal store and then
   moving them to the computer's store did not work for me.
 * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
   Authentication" or Windows won't use it.
 * The username Windows will use is the name in the certificate with
   "host/" prepended.
Note that things are quite different with Windows Vista.
Hope this helps,
-- 
Nicolas Boullis
Ecole Centrale Paris
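
The last two points of the message above (the required Extended Key Usage and the "host/" identity) can be checked with the openssl command line before the certificate is imported. This is an added example, not part of the original message; it assumes "the name in the certificate" means the subject CN, and the host name ws01.example.test and both helper functions are constructed for illustration.

```shell
#!/bin/sh
# Pre-import check for a machine certificate (added example).
# Assumption: "the name in the certificate" is the subject CN.

# check_machine_cert CERT.pem
# Prints the identity Windows is expected to send ("host/" + name) and
# returns 0, or returns 1 if the client-auth EKU is missing.
check_machine_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: $1 lacks Extended Key Usage 'TLS Web Client Authentication'" >&2
        return 1
    fi
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ -n "$cn" ] || { echo "FAIL: $1 has no subject CN" >&2; return 1; }
    printf 'host/%s\n' "$cn"
}

# make_sample_cert OUT.pem EKU
# Builds a throwaway self-signed certificate for the constructed host
# name ws01.example.test, with the given extendedKeyUsage value.
make_sample_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = ws01.example.test
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cfg" "$1.key"
    return $rc
}

# Demo on constructed certificates: one usable, one Windows would ignore.
demo=$(mktemp -d)
make_sample_cert "$demo/client.pem" clientAuth
make_sample_cert "$demo/server.pem" serverAuth
check_machine_cert "$demo/client.pem"
check_machine_cert "$demo/server.pem" || echo "server.pem rejected as expected"
rm -rf "$demo"
```

The printed identity is the user name the RADIUS server should expect for that workstation.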
    
    