FW: Problem with PEAP MS-ChapV2 against AD
Alan DeKok
aland at deployingradius.com
Fri Jan 14 00:26:48 CET 2011
Graham, Robert wrote:
> When I generated the certificates, I created the server key and server
> csr with openssl. I signed the csr with a Windows CA (adding the
> XPextensions) and then converted the DER format to PEM using openssl.

What's wrong with the certificate creation scripts in raddb/certs?
They work...

> I
> verified that the certificate did have the Extended Key Attributes:
>
> [root at radius mycerts]# openssl x509 -text -noout -in radius2.pem shows:
>
> X509v3 Extended Key Usage:
> TLS Web Server Authentication

Which is required, but not sufficient for Windows to work.

> When I try to authenticate, I did not see any errors, but at the end of
> the debug output shows:
>
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
...
> I regenerated the certificates with the same results. Does anyone have
> a clue on what is happening?

Have you tried reading that web page?

It contains detailed instructions. It also contains a pointer to
another web page with step-by-step instructions for debugging PEAP.

This *is* documented.

Alan DeKok.