question about windows users

Ivan Kalik tnt at kalik.net
Wed May 20 13:14:30 CEST 2009


> next I made client certificate (using standard scripts)
> #cd /etc/freeradius/certs
> #make client
> and install certificates client.p12, ca.der on Win Xp Prof Sp3 OEM, Acer
> Travel Mate 380
> certificates installed in Trusted Root CA and Personal storages (I deleted
> all previous certs on that system)
>
> I still have a problem - described in previous post
>>exclamation mark on client certificate:
>>"windows does not have enough information to verify this certificate"
>>"you have private key that corresponds to this certificate"
>>http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu
> but I am frightened to make any changes without your permission in
> /etc/freeradius/certs/Makefile, and even though I have your permission I still
> don't know what to change

Yes, we have been through this before. Change make clients in Makefile, so
that it uses ca and not server certificate to sign client certificates. I
would create changes and save them as Makefile.CA. Perhaps that can be
added into the distribution, so you would just rename Makefile to
Makefile.old and Makefile.CA to Makefile in order to make this switch (and
add comments about that in README file).

> I get familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I did
> not find what to change in this file

Because that's OpenSSL stuff, not FreeRADIUS. If you don't know what to
change, I will post this file overnight, when I have a bit more time.

> Ivan wrote:
>>Use your own domain. For EAP-TLS - no modification needed. I have seen you
>>going on about PEAP as well. If those users are also using format
>>user at your_domain, then create local realm your_domain - it won't interfere
>>with EAP-TLS and will create Stripped-User-Name that can be used for
>>authentication.
> I don't want to have a domain yet,
> no usernames, no password for usernames, no proxies, no domains at all

Yet:

>         User-Name = "user at example.com"

you created the user with the domain. As I said previously, there are
preset example files in the default configuration. You need to alter
client.cnf and enter details for your test user without the domain in the
name. If you need guidance about altering those files you should look it
up on OpenSSL site.

Ivan Kalik
Kalik Informatika ISP
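
Why the signer matters, as an added example that is not part of the original message and not the FreeRADIUS Makefile: the script builds a throwaway CA with OpenSSL, issues one client certificate from the server certificate and one directly from the CA, and checks which of them chains to the CA when the CA is the only trusted certificate. All names, subjects and paths are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path below is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_key_csr NAME CN: new RSA key and signing request for the given common name
mk_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER: issue NAME.pem from NAME.csr with ISSUER's certificate and key
sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.pem" 2>/dev/null
}

# chain_ok NAME: succeeds only if NAME.pem chains to ca.pem with nothing else supplied
chain_ok() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

build_demo() {
    # Self-signed root: the only certificate the verifier is told to trust
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    mk_key_csr server "Demo RADIUS Server"; sign server ca
    mk_key_csr client_by_server "testuser"; sign client_by_server server
    mk_key_csr client_by_ca "testuser";     sign client_by_ca ca
}

build_demo
for c in server client_by_server client_by_ca; do
    if chain_ok "$c"; then
        echo "$c: chains to the CA"
    else
        echo "$c: issuer not found, cannot build a chain to the CA"
    fi
done
```
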



