Re: WPA2 setup Certificate problems

[Mike Diggins]

Thanks. One other thing I didn't understand is if the certificate had to 
be for the radius server host itself (i.e. certificate name matches the 
radius server name), or can I use the same certificate on both my radius 
servers? Right now I'm experimenting with a certificate that is from a 
different server. In my Windows settings I select the validate 
certificate option, type in the common name from the certificate into 
the "Connect to these servers" field, then select the Trusted Root 
Certification Authority that matches the cert. That isn't working though.

-Mike

On 04/02/2010 1:06 PM, Mark Duling wrote:
Mike,

The problem is a general problem and not unique to FreeRadius.  We had the
same problem for Windows (and not with Mac) with another radius vendor
(radiator) but we were able to work around it easily because we use an
installation wizard called XpressConnect from Cloudpath that automates
making wireless settings.  What you need to do is check the "validate server
certificate" box in the win wireless setup and then in the "Connect to these
servers" check box immediately below enter in the radius hostname.

I had done some research at the time and satisfied myself that there wasn't
anything else I could do, but I can't remember all the details now and I
don't recall hearing about "XP Extensions" for certs at the time FWIW.

Mark



On 2/4/10 9:26 AM, "Mike Diggins"<mike.digg...@mcmaster.ca>  wrote:

I saw that but wasn't sure if it was a general problem or a FreeRadius
specific problem. Has anyone else had to obtain a "special" certificate
to make Windows WPA work? I have a feeling I'm going to get a blank
stare if I ask for that ;)

-Mike

On 04/02/2010 12:12 PM, Bruce Hudson wrote:
Slightly off topic, but I'm trying to configure FreeRadius V2 to work
with the Cisco Wireless Lan Controllers using WPA2. I'm running into
trouble with Windows clients. If I configure them NOT to verify the
certificate from the Radius Server, it connects. As soon as I configure
the "Verify Certificate" option, it fails. The Diagnostic seems to
indicate that it doesn't trust the certificate from the Radius Server,
which is a CA signed Verisign cert. A Mac client presents the
certificate on login, and I can either accept it or not. Windows isn't
doing that, it just fails.

      The README file in FreeRadius certs directory includes the following
statement:

    The Microsoft "XP Extensions" will be automatically
included in the server certificate.  Without those
extensions Windows clients will refuse to authenticate
to FreeRADIUS.

I would guess that the certificate you got from Verisign does not include
the extensions. If you figure out how to get them, please let me know.
Dealing through our local certificate maintainer, I never could get an
answer (or clear indication they knew what I was asking for).
--
Bruce A. Hudson    | bruce.hud...@dal.ca
ITS, Networks and Systems  |
Dalhousie University   |
Halifax, Nova Scotia, Canada  | (902) 494-3405
<<attachment: mike_diggins.vcf>>