Re: EAP-TLS with Client Cert, with Key Usage "EAP over Lan"

Dominik.A.Schorpp at ids.de
Mon Dec 19 17:18:42 CET 2016


Hello,

>   Follow the EAP guide at:  http://deployingradius.com
> 
>   It WILL work.

I have no doubt that it will not work if I follow the Guide.


> > My problem is the usage of the "X509v3 Extended Key Usage" in the
> > certificate of the client.
> > If I use at the client a certificate with the "X509v3 Extended Key
> > Usage": "TLS Web Server Authentication, TLS Web Client Authentication",
> > the 802.1X authentication with EAP-TLS runs fine.
> 
>   You shouldn't need all that.
> 
>   The files in raddb/certs will create client certificates that work.
> Please use them.
> 

I have now created a client certificate with the makefile in "raddb/certs", and the certificate has the "Extended Key Usage" "TLS Web Client Authentication".
As I said, a certificate which I created myself via "xca" with the "Extended Key Usage" "TLS Web Server Authentication, TLS Web Client Authentication" has already worked properly.
But the final setup will be running with certificates which are not created by us; the certificates will come from a customer CA.

> > BUT I have the constraint that the certificate on the client is
> > without "TLS Web Client Authentication", because absolutely no client
> > applications are running there; the device is running only some server
> > applications.
> >
> > So I tried to use on the client a certificate with the "X509v3
> > Extended Key Usage": "TLS Web Server Authentication, EAP over LAN".
> > But unfortunately the 802.1X authentication with EAP-TLS did not work.
> 
>   Well... use the scripts included with FreeRADIUS.  There's just no
> reason to *ignore* them.

OK, so I think that with the test with certificates created from "raddb/certs" I have now not ignored the scripts.

Now, with the knowledge that this certificate also has the "Extended Key Usage" "TLS Web Client Authentication", I conclude for my first question:

> My question is now which "X509v3 Extended Key Usage" are mandatory for
> the certificate on the device?

That the "Extended Key Usage" "TLS Web Client Authentication" is mandatory.

But there is still my second question, now mostly out of interest.

> And why is it not enough that the "X509v3 Extended Key Usage" has "EAP
> over LAN" in it?

Thanks
Dominik
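The behaviour reported in this message can be reproduced without a RADIUS server at all, because the check comes from OpenSSL, which FreeRADIUS uses for its TLS stack. When a TLS server verifies a client certificate, OpenSSL applies the "sslclient" purpose: a leaf certificate with no Extended Key Usage extension is accepted, but if the extension is present it must contain clientAuth (TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2). id-kp-eapOverLAN (1.3.6.1.5.5.7.3.14, defined in RFC 4334) on its own does not satisfy that rule, so "serverAuth + EAP over LAN" is rejected with X509_V_ERR_INVALID_PURPOSE ("unsupported certificate purpose"). The script below is an added example, not code from this thread or from the FreeRADIUS project: it builds a throwaway CA, issues client certificates with the EKU combinations discussed here plus the "no EKU at all" edge case, and runs each through `openssl verify -purpose sslclient`. It assumes only the `openssl` command-line tool; the CA name, file names and helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): reproduce the
# OpenSSL "sslclient" purpose check that decides whether a client
# certificate's Extended Key Usage is acceptable for EAP-TLS.
# Rule implemented by OpenSSL: no EKU extension -> accepted; EKU present
# -> must include clientAuth (1.3.6.1.5.5.7.3.2). id-kp-eapOverLAN
# (1.3.6.1.5.5.7.3.14, RFC 4334) alone is not enough.
# CA name, file names and helper names are this example's own assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA, constructed for this example only.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_client NAME "EKU list": sign $WORK/NAME.pem with the CA above.
# An empty EKU list issues a certificate with no EKU extension at all.
issue_client() {
    name=$1
    eku=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
    {
        echo "basicConstraints = CA:FALSE"
        echo "keyUsage = digitalSignature, keyEncipherment"
        if [ -n "$eku" ]; then echo "extendedKeyUsage = $eku"; fi
    } > "$WORK/$name.ext"
    openssl x509 -req -days 1 -sha256 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# eku_accepted NAME "EKU list": returns 0 if a client certificate carrying
# that EKU passes "openssl verify -purpose sslclient", 1 if OpenSSL rejects
# it (X509_V_ERR_INVALID_PURPOSE, "unsupported certificate purpose").
eku_accepted() {
    [ -f "$WORK/ca.pem" ] || make_ca || return 1
    issue_client "$1" "$2" || return 1
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# show_eku NAME: print the EKU line OpenSSL parses from the issued cert.
show_eku() {
    openssl x509 -in "$WORK/$1.pem" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Walk the EKU combinations from the thread plus the "no EKU" edge case.
demo() {
    for spec in \
        "both|serverAuth, clientAuth" \
        "clientonly|clientAuth" \
        "eaplan|serverAuth, 1.3.6.1.5.5.7.3.14" \
        "noeku|"; do
        name=${spec%%|*}
        eku=${spec#*|}
        if eku_accepted "$name" "$eku"; then verdict=accepted; else verdict=REJECTED; fi
        printf '%-11s EKU=[%s] -> %s (parsed: %s)\n' \
            "$name" "$eku" "$verdict" "$(show_eku "$name")"
    done
}

demo
```

Running the script prints one line per case: the "serverAuth, clientAuth" and "clientAuth" certificates (the xca one and the raddb/certs one from the thread) and the certificate with no EKU extension are accepted, while "serverAuth, 1.3.6.1.5.5.7.3.14" is rejected. That last line is the answer to the second question: OpenSSL keys the decision on clientAuth only and has no notion of the EAP OIDs, so a customer CA that insists on omitting clientAuth would have to omit the EKU extension entirely rather than substitute "EAP over LAN" for it.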

