need help - force EAP-TTLS to validate the server certificate

Danner, Mearl jmdanner at samford.edu
Tue Sep 21 17:56:45 CEST 2010


Not possible with the Microsoft supplicant as far as I know. PEAP encapsulation doesn't support client certificates.

Probably what you want is EAP-TTLS which is not supported by Microsoft. You'll need a third party supplicant for it.

Might look at this for reference:

http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol



-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 10:30 AM
To: FreeRadius users mailing list
Subject: Re: RE: need help - force EAP-TTLS to validate the server certificate

Many thanks for your answer, Mearl Danner. I read the M$ pages but I didn't find any way to configure the clients so that the client uses a username/password and a certificate. Do you know how I can do these settings, or is it generally not possible? Thanks again.



-------- Original Message --------
> Date: Tue, 21 Sep 2010 08:02:27 -0500
> From: "Danner, Mearl" <jmdanner at samford.edu>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: RE: need help - force EAP-TTLS to validate the server certificate

> EAP/PEAP requires a server certificate. You can opt for the M$ supplicant
> to verify it but it does not use a client certificate.
> 
> That's why there is no option to pick the client cert when setting up
> PEAP.
> 
> -----Original Message-----
> From: freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org
> [mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org]
> On Behalf Of Klaus Laus
> Sent: Tuesday, September 21, 2010 5:17 AM
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
> 
> The message is clear. Yes I created a client certificate and imported it
> into the client. 
> When I use TLS to connect to the freeradius server I can choose the client
> certificate in the TLS dialog and the client can login successfully.
> 
> When I use PEAP to log in I have to type in my username and password in the
> PEAP dialog from Windows but I cannot select a client certificate; the
> certificate is imported successfully in the Windows certificate manager.
> Should I be able to choose a client certificate in the PEAP dialog or
> should it work when the certificate is saved in the Windows certificate manager
> and I only have to type in my username and password in the PEAP dialog?
> 
> I want to allow only PEAP logins (or username/password logins) with client
> certificate. 
> 
> 
> 
> -------- Original Message --------
> > Date: Tue, 21 Sep 2010 09:33:29 +0200
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> > Subject: Re: need help - force EAP-TTLS to validate the server
> certificate
> 
> > Klaus Laus wrote:
> > > I tried to log in from another client, but it's the same problem.
> > > 
> > > TLS Alert write:fatal:handshake failure
> > > TLS_accept:error in SSLv3 read client certificate B
> > > rlm_eap: SSL error error:140890C7:SSL
> > > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > SSL: SSL_read failed in a system call (-1), TLS session fails.
> > 
> >   That message should be clear.  The supplicant didn't send a client
> > certificate.
> > 
> >   Did you create a client certificate?
> > 
> >   If so, did you copy it to the client?
> > 
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
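
Added example (not part of the original thread and not FreeRADIUS code): a Python triage helper for the debug output quoted above. It decodes OpenSSL 1.x packed error codes and reports handshakes that failed because the supplicant sent no client certificate. The second sample line and all function names are constructed for illustration.

```python
import re

# OpenSSL 1.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
# OpenSSL 3.x uses a different layout, so this decoder only fits logs like the one quoted.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ERR_LIB_SSL = 0x14           # ERR_LIB_SSL (20)
REASON_NO_PEER_CERT = 0x0C7  # SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE (199)

def unpack(code_hex):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def strip_quotes(line):
    """Drop mail quoting ('> > ') so log lines wrapped by a mailer can be rejoined."""
    return re.sub(r"^(?:>\s?)+", "", line).strip()

def missing_client_cert_events(log_text):
    """Return decoded SSL errors where the server asked for a client
    certificate and the peer returned none (EAP-TLS against a supplicant
    that has no certificate selected, or PEAP/TTLS against a server that
    demands one)."""
    flat = " ".join(strip_quotes(l) for l in log_text.splitlines())
    events = []
    for m in ERR_RE.finditer(flat):
        lib, func, reason = unpack(m.group(1))
        if lib == ERR_LIB_SSL and reason == REASON_NO_PEER_CERT:
            events.append({"code": m.group(1).upper(), "func": func, "reason": reason})
    return events

# First five lines: the debug output quoted in the thread, mail quoting included.
# Last line: constructed sample of a different failure (client rejected the server's CA).
SAMPLE = """\
> > > TLS Alert write:fatal:handshake failure
> > > TLS_accept:error in SSLv3 read client certificate B
> > > rlm_eap: SSL error error:140890C7:SSL
> > > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > SSL: SSL_read failed in a system call (-1), TLS session fails.
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"""

if __name__ == "__main__":
    for ev in missing_client_cert_events(SAMPLE):
        print("no client certificate presented:", ev)
```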



