> Yes. Don't set the client to validate the server certificate. The
> server does not currently send its certificate to the client.
>
> The TLS "howto"s also say not to verify the server certificate.
Thank you! Very good to know. But how come in Ken Roser's "Freeradius and XP supplicant" on page 5 the picture shows "Validate server certificate" checked, and it doesn't say anything about Freeradius not sending its certificate to the client? Should I email Roser to add that information? The Validate option gives 4 requests, of which the first three give "modcall: group authenticate returns ok", but the last gives "Invalid ACK" and authentication failed.

Ok. From now on I should concentrate on the version with the Validate option unchecked. It gives me the unknown CA and SSL alert number 5 error. The problem could be that on the client laptop, after I have installed the certificates, it says on the personal certificate's General page:

The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered.
Issued to: test
Issued by: test
Valid from: 12.8.2003 to 11.8.2006
You have a private key that corresponds to this certificate.

And on the Details page I have the correct EKU according to Ken Roser's guide (do I need EKU with Windows 2000 SP4?):

Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)

On the Certification Path tab I have: "This certificate has an invalid digital signature."

Could this be causing the authentication problems? Ken Roser's picture shows the personal certificate to be in order, with no error messages on the General or Certification Path tab. How could I fix the certificate?

I have used the CA.all that came with the Freeradius CVS, and I have altered the openssl.cnf to contain my personal info so that I would have to write it every time I make the certificate. The valid days is also set to 1095 both in openssl.cnf and CA.all. I have commented out the passwords in CA.all, but if there was something after the password I have added it to the command and only commented the passwords out. So now it asks for the passwords.
But I think editing CA.all couldn't be the problem, because I have tried it without any modifications and I still had the same problems. The only thing that I have to change is SSL=/usr/local/ssl to SSL=/usr/local/openssl, because the ssl is in the openssl directory. Otherwise the script won't function at all. So I really don't know what the problem is. If someone has a test certificate package like Adam Sulmicki's cert.tgz, but one that is still valid, I would like to try it.

Best regards and big thanks to Alan DeKok and others for still helping. I will stop annoying you after I get the certs to work ;-) Couldn't be that far away I hope...

Antti Mattila
-- [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
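The two symptoms in the post (an "invalid digital signature" on the certification path and an "unknown CA" alert) can both be checked offline with the openssl CLI before a certificate is imported into a supplicant. The script below is an added example, not code from the post or from the Freeradius CA.all script: it builds a throwaway test CA and a client certificate carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2), then verifies the chain signature and the EKU, and shows that verifying against the wrong CA fails the same way a mismatched root would. It assumes only that the `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed test CA and client
# certificate; all names and file paths here are throwaway values.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
    # Self-signed test CA, 1095 days like the openssl.cnf in the post
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -subj "/CN=test-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # A second, unrelated CA, to demonstrate the "unknown CA" failure mode
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -subj "/CN=other-ca" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
    # Client CSR, then sign it with the test CA and add the clientAuth EKU
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1095 \
        -extfile "$WORK/ext.cnf" -out "$WORK/client.pem" 2>/dev/null
}

# check_chain CAFILE CERT: succeeds only if CERT's signature chains to CAFILE.
# A self-signed or corrupted leaf fails here, which is what the Windows
# "invalid digital signature" warning in the post corresponds to.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_client_eku CERT: succeeds if the certificate lists the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) in its extensions.
check_client_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

make_certs
if check_chain "$WORK/ca.pem" "$WORK/client.pem"; then echo "chain to test-ca: OK"; fi
if check_client_eku "$WORK/client.pem"; then echo "clientAuth EKU: present"; fi
if ! check_chain "$WORK/other-ca.pem" "$WORK/client.pem"; then
    echo "chain to other-ca: FAILED (unknown CA, as expected)"
fi
```

Pointing `check_chain` at the CA certificate actually installed on the supplicant is the quick way to confirm that the root and the client certificate in the post were produced by the same CA.all run.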