I made a little progress today. As I mentioned I was testing with a certificate that belonged to a different server and Windows WPA clients were not authenticating correctly. Turns out I didn't have the root and intermediate certificates installed correctly on my FreeRadius Server. After fixing that, Windows is now working.

-Mike


On 05/02/2010 12:46 PM, Mark Duling wrote:
I don't think a cert for another host would work because the cert has the
host's dns name embedded in it so it can check to see if the host is being
spoofed.  So if you are using a cert from another host it should fail to
validate.  I am not clear on how the setup should be for redundant radius
servers.  I presume that each has its own cert and your NAS (your wireless
controller or whatever) just lists both of them (and Windows has both in the
"connect to these servers" box) and if the NAS sees one is unreachable then
it tries the other one.  But I've not actually done this so I could be
wrong.

Mark


On 2/4/10 10:25 AM, "Mike Diggins" <[email protected]> wrote:

Thanks. One other thing I didn't understand is if the certificate had to
be for the radius server host itself (i.e. certificate name matches the
radius server name), or can I use the same certificate on both my radius
servers? Right now I'm experimenting with a certificate that is from a
different server. In my Windows settings I select the validate
certificate option, type in the common name from the certificate into
the "Connect to these servers" field, then select the Trusted Root
Certification Authority that matches the cert. That isn't working though.

-Mike


On 04/02/2010 1:06 PM, Mark Duling wrote:
Mike,

The problem is a general problem and not unique to FreeRadius.  We had the
same problem for Windows (and not with Mac) with another radius vendor
(radiator) but we were able to work around it easily because we use an
installation wizard called XpressConnect from Cloudpath that automates
making wireless settings.  What you need to do is check the "validate server
certificate" box in the win wireless setup and then in the "Connect to these
servers" check box immediately below enter in the radius hostname.

I had done some research at the time and satisfied myself that there wasn't
anything else I could do, but I can't remember all the details now and I
don't recall hearing about "XP Extensions" for certs at the time FWIW.

Mark



On 2/4/10 9:26 AM, "Mike Diggins" <[email protected]> wrote:

I saw that but wasn't sure if it was a general problem or a FreeRadius
specific problem. Has anyone else had to obtain a "special" certificate
to make Windows WPA work? I have a feeling I'm going to get a blank
stare if I ask for that ;)

-Mike

On 04/02/2010 12:12 PM, Bruce Hudson wrote:
Slightly off topic, but I'm trying to configure FreeRadius V2 to work
with the Cisco Wireless Lan Controllers using WPA2. I'm running into
trouble with Windows clients. If I configure them NOT to verify the
certificate from the Radius Server, it connects. As soon as I configure
the "Verify Certificate" option, it fails. The Diagnostic seems to
indicate that it doesn't trust the certificate from the Radius Server,
which is a CA signed Verisign cert. A Mac client presents the
certificate on login, and I can either accept it or not. Windows isn't
doing that, it just fails.

The README file in the FreeRadius certs directory includes the following
statement:

    The Microsoft "XP Extensions" will be automatically
    included in the server certificate.  Without those
    extensions Windows clients will refuse to authenticate
    to FreeRADIUS.

I would guess that the certificate you got from Verisign does not include
the extensions. If you figure out how to get them, please let me know.
Dealing through our local certificate maintainer, I never could get an
answer (or clear indication they knew what I was asking for).
--
Bruce A. Hudson    | [email protected]
ITS, Networks and Systems  |
Dalhousie University   |
Halifax, Nova Scotia, Canada  | (902) 494-3405
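
As an added example that is not part of this thread: a shell script that builds a throwaway root -> intermediate -> RADIUS server chain with openssl and checks the two things the thread turns on, whether the server cert carries the serverAuth extended key usage (OID 1.3.6.1.5.5.7.3.1, which is what FreeRADIUS's xpextensions file adds as the "XP Extensions" the certs/README mentions) and whether a supplicant-side trust bundle validates the chain with and without the intermediate installed, the omission Mike describes in his last message. It assumes openssl 1.1.1 or later; the CA names and radius1.example.org are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: throwaway root -> intermediate ->
# RADIUS server chain built with openssl (1.1.1+ assumed); all names constructed.
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[xp_ext]
# serverAuth (1.3.6.1.5.5.7.3.1) is the EKU Windows supplicants require on the RADIUS cert
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius1.example.org
[no_eku_ext]
subjectAltName = DNS:radius1.example.org
EOF
# mkcert <name> <subject> <issuer> <ext-section>: CSR signed by an existing CA
mkcert() {
  openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}
openssl req -x509 -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root CA" >/dev/null 2>&1
mkcert inter "/CN=Example Intermediate CA" root ca_ext
mkcert radius_ok "/CN=radius1.example.org" inter xp_ext
mkcert radius_noeku "/CN=radius1.example.org" inter no_eku_ext
cat "$WORK/root.pem" > "$WORK/root_only.pem"
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/root_and_inter.pem"
SERVER_OK="$WORK/radius_ok.pem"; SERVER_NOEKU="$WORK/radius_noeku.pem"
ROOT_ONLY="$WORK/root_only.pem"; ROOT_AND_INTER="$WORK/root_and_inter.pem"

# Exit 0 if the cert carries the TLS Web Server Authentication EKU.
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}
# Exit 0 if the server cert chains to the trusted bundle in $2, as a supplicant would check.
chain_validates() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Mike's symptom: trusting only the root is not enough when an intermediate issued the cert.
chain_validates "$SERVER_OK" "$ROOT_ONLY" && echo "root only: OK" || echo "root only: FAIL"
chain_validates "$SERVER_OK" "$ROOT_AND_INTER" && echo "root+intermediate: OK" || echo "root+intermediate: FAIL"
has_server_auth_eku "$SERVER_NOEKU" || echo "no serverAuth EKU: Windows refuses this cert"
```

Adding the intermediate to the bundle on the RADIUS server (and to the client's trust store) is the fix Mike found; a cert lacking the serverAuth EKU still validates as a chain, which is why the two failures look alike from the Windows side.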

