need help - force EAP-TTLS to validate the server certificate

Danner, Mearl jmdanner at samford.edu
Tue Sep 21 15:02:27 CEST 2010


EAP/PEAP requires a server certificate. You can opt for the M$ supplicant to verify it, but it does not use a client certificate.

That's why there is no option to pick the client cert when setting up PEAP.

-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 5:17 AM
To: FreeRadius users mailing list
Subject: Re: need help - force EAP-TTLS to validate the server certificate

The message is clear. Yes, I created a client certificate and imported it into the client.
When I use TLS to connect to the freeradius server, I can choose the client certificate in the TLS dialog and the client can log in successfully.

When I use PEAP to log in, I have to type in my username and password in the PEAP dialog from Windows, but I cannot select a client certificate. The certificate is imported successfully in the Windows certificate manager.
Should I be able to choose a client certificate in the PEAP dialog, or should it work when the certificate is saved in the Windows certificate manager and I only have to type in my username and password in the PEAP dialog?

I want to allow only PEAP logins (or username/password logins) with client certificate. 



-------- Original Message --------
> Date: Tue, 21 Sep 2010 09:33:29 +0200
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > I tried to log in from another client, but it's the same problem.
> > 
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
> 
>   That message should be clear.  The supplicant didn't send a client
> certificate.
> 
>   Did you create a client certificate?
> 
>   If so, did you copy it to the client?
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

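The debug lines quoted in the thread can be decoded mechanically, which shows that the error code itself says "no client certificate". The following Python sketch is an added example, not part of the original thread and not FreeRADIUS code; it assumes the pre-3.0 OpenSSL error string and error code layout, and the helper names `normalize` and `triage` are hypothetical.

```python
import re

# Constructed sample: the debug lines quoted in the thread, including the
# mail client's line wrap inside the OpenSSL error string.
SAMPLE = """\
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
"""

# OpenSSL 1.x error string: error:<hex code>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]*):(.+)")
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)")

def normalize(text):
    """Drop '>' quote prefixes and rejoin an error string wrapped after ':SSL'."""
    lines = [re.sub(r"^(>\s?)+", "", l).strip() for l in text.splitlines()]
    return re.sub(r"(error:[0-9A-Fa-f]{8}:SSL)\n(routines:)", r"\1 \2", "\n".join(lines))

def triage(text):
    """Return parsed alerts, decoded OpenSSL errors and a no-client-cert flag."""
    alerts, errors = [], []
    for line in normalize(text).splitlines():
        m = ALERT_RE.search(line)
        if m:
            # "write" = alert sent by the side that produced the log
            alerts.append(dict(zip(("direction", "level", "description"), m.groups())))
        m = ERR_RE.search(line)
        if m:
            code = int(m.group(1), 16)
            errors.append({
                # pre-3.0 packing: 8 bits library, 12 bits function, 12 bits reason
                "lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
                "library": m.group(2), "function": m.group(3), "reason_text": m.group(4),
            })
    no_cert = any(e["reason_text"] == "peer did not return a certificate" for e in errors)
    return {"alerts": alerts, "errors": errors, "no_client_cert": no_cert}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for e in result["errors"]:
        print(e)
    print("supplicant sent no client certificate:", result["no_client_cert"])
```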