FW: Problem with PEAP MS-ChapV2 against AD

Alan DeKok aland at deployingradius.com
Fri Jan 14 00:26:48 CET 2011


Graham, Robert wrote:
> When I generated the certificates, I created the server key and server
> csr with openssl.  I signed the csr with a Windows CA (adding the
> XPextensions) and then converted the DER format to PEM using openssl. 

  What's wrong with the certificate creation scripts in raddb/certs?
They work...

> I
> verified that the certificate did have the Extended Key Attributes:
> 
> [root@radius mycerts]# openssl x509 -text -noout -in radius2.pem shows:
> 
>             X509v3 Extended Key Usage: 
>                 TLS Web Server Authentication

  Which is required, but not sufficient for Windows to work.

> When I try to authenticate, I did not see any errors, but at the end of
> the debug output shows: 
> 
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
...
> I regenerated the certificates with the same results.  Does anyone have
> a clue on what is happening?

  Have you tried reading that web page?

  It contains detailed instructions.  It also contains a pointer to
another web page with step-by-step instructions for debugging PEAP.

  This *is* documented.

  Alan DeKok.


