Generating a Microsoft compatible CSR for FreeRADIUS

Alan DeKok aland at
Thu Jan 20 20:12:41 CET 2011

Sallee, Stephen (Jake) wrote:
> The documentation mentions special OID’s that need to be present for MS
> machines to accept the cert, but I can’t find WHAT those OID’s are so I
> can make sure I include them in the CSR.

  See the files in raddb/certs, or read eap.conf.  It's all there.

> I know the docs also say that it is not best practices to use a publicly
> signed cart because ANYONE can auth against the server, however since I
> am in a position where almost all of the computers will NOT be managed
> by our staff (they are student workstations)  a public cert seems perfect.

  It's not a good idea because anyone can pretend to be the server, too.

> If anyone has another route that will allow me to auth windows clients
> without having to manually install certs and/or manually configuring the
> wireless adapters I would be very grateful to hear your suggestions.

  Not much.  Blame Microsoft for not making it easy.

  Alan DeKok.

More information about the Freeradius-Users mailing list