Validate server certificate problem

Petar Marinkovic highl1 at gmail.com
Tue Aug 9 20:51:51 CEST 2011


They are, it's part of our default domain policy.

On Tue, Aug 9, 2011 at 20:29, Sallee, Stephen (Jake)
<Jake.Sallee at umhb.edu> wrote:

> > Windows clients are on the domain, so the user cert and the CA are
> > added by default when you join the machine to the domain
>
> That is true so long as you are using a self-signed cert assigned by your
> enterprise CA.  We had this same issue and we had to manually import the
> cert to get it to work.  Our computers are on a Windows AD Domain.  Hope
> that helps.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas
> 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> *From:* freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:
> freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] *On
> Behalf Of *Petar Marinkovic
> *Sent:* Tuesday, August 09, 2011 12:17 PM
> *To:* FreeRadius users mailing list
> *Subject:* Re: Validate server certificate problem
>
> Windows clients are on the domain, so the user cert and the CA are added by
> default when you join the machine to the domain
>
> On Tue, Aug 9, 2011 at 18:29, Sallee, Stephen (Jake) <Jake.Sallee at umhb.edu>
> wrote:
>
> I believe you need to install the server cert and any intermediate certs on
> the client before the validate server cert option will work.
>
> *From:* freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:
> freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] *On
> Behalf Of *Petar Marinkovic
> *Sent:* Tuesday, August 09, 2011 11:16 AM
> *To:* freeradius-users at lists.freeradius.org
> *Subject:* Validate server certificate problem
>
> I've set up the latest version of FreeRadius from source on Ubuntu, and I
> cannot get EAP-TLS and PEAP to work when the option "Validate server
> certificate" is on. We're using Windows CA to be able to auth users on the
> domain. I saw this old article
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html on
> how to generate server certificate, but that fails for me in both ways
>
> 1st fails because of a missing template on Windows CA - how to create the
> template to match what freeradius needs?
>
> 2nd fails with the following error CA certificate and CA private key do not
> match
>
> 2634:error:0B080074:x509 certificate routines:X509_check_private_key:key
> values mismatch:x509_cmp.c:406:
>
> That's strange, cause CA cert and CA private key are in the same file (as
> noted in the text) and I didn't mistake the password (since I followed the
> message blindly, with the same password).
>
> When I untick the "Validate server certificate" in Windows clients (XP,
> Windows 7) I'm able to connect with both EAP-TLS and PEAP
>
> Any help is appreciated, thanks in advance.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
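An added example, not part of any message in this thread: a shell check, using the OpenSSL command line, for the two conditions discussed above, namely whether a private key belongs to a certificate (the condition behind the "key values mismatch" error) and whether the RADIUS server certificate chains to the CA that clients are told to trust. All file names, subject names and keys are constructed throwaway material.

```shell
#!/bin/sh
# Added example. File names, subject names and keys are constructed test material.

# Returns 0 if the public key in certificate $1 equals the one derived from
# private key $2, 1 on mismatch, 2 if either file cannot be read or decrypted.
# Optional $3 is an OpenSSL pass phrase source, e.g. "file:pw.txt".
key_matches_cert() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _key_pub=$(openssl pkey -in "$2" ${3:+-passin "$3"} -pubout 2>/dev/null) || return 2
    [ "$_cert_pub" = "$_key_pub" ]
}

# Returns 0 if certificate $2 verifies against the CA certificate(s) in $1,
# i.e. a client trusting only that CA could validate the server certificate.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Builds a constructed PKI in directory $1: a CA, a server certificate it
# signed, and an unrelated self-signed CA with its own key.
make_demo_pki() {
    _d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Enterprise CA" \
        -keyout "$_d/ca.key" -out "$_d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$_d/server.key" -out "$_d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$_d/server.csr" -CA "$_d/ca.pem" -CAkey "$_d/ca.key" \
        -CAcreateserial -days 1 -out "$_d/server.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$_d/other.key" -out "$_d/other.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
key_matches_cert "$demo/server.pem" "$demo/server.key" && echo "server.key matches server.pem"
key_matches_cert "$demo/ca.pem" "$demo/other.key" || echo "other.key does not match ca.pem"
chains_to_ca "$demo/ca.pem" "$demo/server.pem" && echo "server.pem chains to ca.pem"
chains_to_ca "$demo/other.pem" "$demo/server.pem" || echo "server.pem does not chain to other.pem"
rm -rf "$demo"
```

When the certificate and key sit in one PEM file, pass that file as both arguments; a result of 1 then means the file holds a key that does not belong to the first certificate in it.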