(SOLVED) XP3 EAP-TLS was Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

john lists.john at gmail.com
Fri Jul 17 03:05:40 CEST 2009


On Thu, Jul 16, 2009 at 8:12 AM, Nicolas Boullis<nicolas.boullis at ecp.fr> wrote:
> Hi,
>
> DISCLAIMER: I'm no Windows specialist.
>
> john wrote:
>>
>> I am having a hard time figuring out how to make this work. Where/how
>> does the cert get imported. Do I need to make a registry change in
>> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>> to make this work? I hope this is the part someone on the list will
>> have done before and be able to guide me or point me at a howto.
>
> I had a hard time with this as well, and finally succeeded, using
> Windows XP.
> There are many points that matter:
>  * You have to edit your registry to add an "AuthMode" DWORD key in
>   KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>   with value 2.
>  * You have to load your certificate and private key in the computer's
>   personal store. I did that with mmc.exe. Note that loading the
>   certificate and private key in a user's personal store and then
>   moving them to the computer's store did not work for me.
>  * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
>   Authentication" or Windows won't use it.
>  * The username Windows will use is the name in the certificate with
>   "host/" prepended.
>
> Note that things are quite different with Windows Vista.
>
> Hope this helps,
>
> --
> Nicolas Boullis
> Ecole Centrale Paris

Thanks for your very thorough answer, Nicolas!

The solution you outline works perfectly for wired clients running
Windows XP SP2. However, more digging showed me that my problem was
specific to Windows XP/SP3.

Windows XP/SP3 doesn't use
KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
to store the value for the AuthMode parameter. Rather, it uses an XML
profile which you can export, edit and then re-import. For future
reference for other folks, this can be found here:
http://support.microsoft.com/kb/929847

I note that this was mentioned in an earlier post to the list:
http://lists.cistron.nl/pipermail/freeradius-users/2009-January/msg00723.html
The author then had an identical problem; however, he was trying to
troubleshoot the wireless interface.

Ivan or Alan, the information that Nicolas outlined, plus the caveat
for XP3 clients would be REALLY HELPFUL to have on the wiki. It
doesn't look like just anyone can edit it so would one of you be
willing to add something?

Thanks again to all for the help!

John
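As an added example (not from this thread or from FreeRADIUS), a POSIX shell script that uses openssl to build a constructed workstation certificate and check the two certificate-side points Nicolas lists: the "TLS Web Client Authentication" EKU Windows insists on, and the "host/<CN>" identity the RADIUS server should expect. It assumes openssl is on PATH; the CN ws01.example.org and the file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl is installed.
set -e
WORK=$(mktemp -d)

# Minimal config with two extension sections so we can build a "good" cert
# (clientAuth EKU) and a "bad" one (serverAuth only) for comparison.
cat >"$WORK/eku.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[client]
extendedKeyUsage = clientAuth
[server]
extendedKeyUsage = serverAuth
EOF

# make_cert <ext-section> <out-basename>: constructed self-signed cert whose
# CN stands in for the workstation's DNS name (ws01.example.org is made up).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ws01.example.org" \
    -config "$WORK/eku.cnf" -extensions "$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# has_client_auth_eku <cert.pem>: succeeds only if the certificate carries
# "X509v3 Extended Key Usage: TLS Web Client Authentication", which the
# thread says Windows requires before it will pick the cert for EAP-TLS.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Extended Key Usage/ { getline; print }' \
    | grep -q 'TLS Web Client Authentication'
}

# eap_identity <cert.pem>: the User-Name a machine-authenticating XP client
# sends, i.e. "host/" prepended to the certificate's CN. Handy for writing
# the matching FreeRADIUS users entry or spotting it in debug output.
eap_identity() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  printf 'host/%s\n' "$cn"
}

make_cert client ws    # would be offered by Windows
make_cert server srv   # would be silently ignored by Windows
echo "expected RADIUS identity: $(eap_identity "$WORK/ws.crt")"
```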
