Re: HELP: EAP/TLS - XP

Fri, 31 Jan 2003 03:26:48 -0800

hi philip


thanks for the point, david probably just has to check the extensions and other things. however, it seems that the server certificate isn't accepted, not the client certificate.

something has to be wrong, since in my case, too, it worked fine with cisco and orinoco equipment, since the 0.5 fr release, so...

ciao
artur


Philip Blow wrote:
David, Artur,

This problem appears to be caused by having the Server Authentication
and
Client Authentication properties set in the certificate. If you disable
all
extended certificate properties except the Client Authentication in the
Client certificate on the XP machine the EAP authentication should work.

It worked for me via both Symbol and Orinoco APs with certificates that
I generated with the OpenCA certificate authority.

Cheers,

Philip Blow
Senior Technical Manager
Simply Wireless
[EMAIL PROTECTED]



hi David

ok, it's good news then... if you followed exactly the steps, it
should 
work fine.

to find the error, just put the same certificate which is available at
the server side on your XP machine and open it using the crypto extensions (double-click). XP should say you what is missing. the most
probable error would be imho an expiration date. the second possible would be the forgotten extension (as already said, both errors should not be there if you followed exactly the script, but still, check it).


check the availability of the private key, check the certification
path, 
XP should know the signing CA (meaning that the cert is signed by the
CA 
whose certificate is installed under certification authorities).

regards,
artur


David Baer wrote:


The problem has been partially solved (or let's say:  narrowed).
Somehow the server's certificate is not accepted by the



XP-supplicant.




If the "Validate server certificate" check box is unchecked, the





authentication




succeeds. To leave the server's certificate unvalidated is not very





desirbale though.




I used the script by Ken Roser





(http://www.freeradius.org/doc/EAPTLS.pdf) to generate 



the certificates. 
Any idea what I could have done wrong with the server's certificate?

david





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html























					Reply via email to