EAP-TLS with Client Cert, with Key Usage "EAP over Lan"

Alan DeKok aland at deployingradius.com
Mon Dec 19 17:25:55 CET 2016

On Dec 19, 2016, at 11:18 AM, <Dominik.A.Schorpp at ids.de> <Dominik.A.Schorpp at ids.de> wrote:
>>  Follow the EAP guide at:  http://deployingradius.com
>>  It WILL work.
> I have no doubt that it will not work if I follow the Guide.

  If you don't trust the experts, why are you asking questions on this list?

> I have now created a Client Certificate with the makefile in "raddb/certs", and the Certificate has the "Extended Key Usage" "TLS Web Client Authentication".
> As I said, a Certificate which I created by myself via "xca" and with the "Extended Key Usage" "TLS Web Server Authentication, TLS Web Client Authentication" has worked already properly.
> But the Final Setup will be running with Certificates which are not created by us, the Certificate will be coming from a Customer CA.

  If only there was some documentation on how to create certificates that work...

> But there is still my second Question, now mostly for interest.
>> And why is it not enough that the "X509v3 Extended Key Usage" has "EAP
>> over LAN" in it?

  Ask the people who wrote the client how their client works.

  Alan DeKok.

More information about the Freeradius-Users mailing list