FW: Problem with PEAP MS-ChapV2 against AD

Alan DeKok aland at deployingradius.com
Fri Jan 14 09:37:20 CET 2011

Robert Graham wrote:
> Thanks for the quick response.  The reason I generated my own certs was that
> if we can get 802.1x to work, when we move to production we will want to
> have the certificate signed by our Windows CA.  So I wanted this to be part
> of the test plan.

  That's nice.

  Are you going to test with a method that is *known* to work, or are
you going to ignore the existing documentation, and do it your own way?

> I looked at that webpage at least three times today.  I think I am so glued
> to the issue that the xpextension are missing or wrong, but when I view the
> certificate issued by our CA, it does have the attributes there with an OID
> of for Server Certificate Requirements.

  That is required, but insufficient.

> Are you referring to the Debugging it yourself section?  I am in the process
> of installing screen and going through those steps.

  No.  I'm referring you to "Certificate Compatibility" page, which is
the URL in the huge WARNING messge. Go read it.  It includes a reference
to another page, with STEP BY STEP instructions for configuring EAP.  It
includes documentation on how to create test certificates, how to create
production certificates, and how to gradually go from one to the other.

  It really isn't difficult.  An hour, tops.  *If* you follow instructions.

  If you insist on doing it your own way, well. there's no documentation
for that, and we can't help you.

  Alan DeKok.

More information about the Freeradius-Users mailing list