EAP-TLS with Client Cert, with Key Usage "EAP over Lan"
Alan DeKok
aland at deployingradius.com
Mon Dec 19 16:26:38 CET 2016
On Dec 19, 2016, at 10:13 AM, <Dominik.A.Schorpp at ids.de> wrote:
> I have trouble getting 802.1x Authentication with EAP-TLS running properly.
Follow the EAP guide at: http://deployingradius.com
It WILL work.
> My Setup is the following:
> Server: FreeRADIUS Version 2.2.5, for host i586-pc-linux-gnu, built on Oct 24 2014 at 04:18:43
> Switch: A NEXANS iSwitch G 1043E
> Client/Device: Yocto based Linux with wpa_supplicant v2.4
>
> My Problem is the usage of the "X509v3 Extended Key Usage" in the Certificate of the Client.
> If I use at the Client a Certificate with the "X509v3 Extended Key Usage" : "TLS Web Server Authentication, TLS Web Client Authentication" the 802.1x Authentication with EAP-TLS is running fine.
You shouldn't need all that.
The files in raddb/certs will create client certificates that work. Please use them.
> BUT I have the constraint that the Certificate on the Client is without "TLS Web Client Authentication" because there are absolutely no Client Applications running; the Device is running only some Server Applications.
>
> So I tried to use on the Client a Certificate with the "X509v3 Extended Key Usage" : "TLS Web Server Authentication, EAP over Lan". But unfortunately the 802.1x Authentication with EAP-TLS did not work.
Well... use the scripts included with FreeRADIUS. There's just no reason to *ignore* them.
Alan DeKok.
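
Added example, not part of the original thread and not FreeRADIUS code: a shell check of how OpenSSL's "SSL client" purpose test, which OpenSSL-based TLS servers apply to client certificates by default, treats the two Extended Key Usage sets discussed above. It assumes the openssl CLI is installed; the certificates are throwaway self-signed test certs, the helper names make_cert and ssl_client_ok are made up for this example, and 1.3.6.1.5.5.7.3.14 is the RFC 4334 id-kp-eapOverLAN OID.

```shell
#!/bin/sh
# Constructed example: compare OpenSSL's "SSL client" purpose verdict for
# the two EKU sets from the thread. All names and certs here are test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU
# Writes $WORK/NAME.pem, a self-signed test cert whose only extension
# is extendedKeyUsage = EKU.
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1.example.test
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# ssl_client_ok CERT
# Prints "Yes" or "No": whether OpenSSL accepts CERT for the
# "SSL client" purpose (the non-CA line of `openssl x509 -purpose`).
ssl_client_ok() {
    openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL client : //p'
}

# EKU set that worked in the thread: serverAuth + clientAuth.
make_cert web "serverAuth,clientAuth"

# EKU set that failed in the thread: serverAuth + "EAP over LAN".
# The numeric OID is used so the example does not depend on OpenSSL
# knowing a short name for it.
make_cert eapol "serverAuth,1.3.6.1.5.5.7.3.14"

for name in web eapol; do
    printf '%s: ' "$name"
    openssl x509 -in "$WORK/$name.pem" -noout -ext extendedKeyUsage \
        2>/dev/null | tail -n 1 | sed 's/^ *//' || true
    printf '  usable as SSL client: %s\n' "$(ssl_client_ok "$WORK/$name.pem")"
done
```

Once an Extended Key Usage extension is present, OpenSSL accepts the certificate for the "SSL client" purpose only if clientAuth is among the listed usages, which is why the second certificate is reported as unusable.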