I resolved this issue.  The problem was that I had not included the
xpextensions when making the certificate.  I got errors when initially
trying to use CA.all and instead of investigating the errors further I
decided to build a CA root and server cert manually, which did not
include the xpextensions.

My configuration is working so well now that I've stopped using the -X
option to watch the output.  As usual, however, my success has resulted
in additional questions that I'd appreciate some help with.

1) What is an "OID"?  Nice buzzword that I see referenced in numerous
web pages but no definition.  What is the purpose of the data in the
xpextensions file?  Do all CAs use it when signing certificates, or
is this specific to freeradius?

2) I notice, now that the certificate validation is working, that I am
no longer prompted to enter my username and password.  Even after
rebooting the WinXP computer, the connection to freeradius occurs
automatically.  I suppose this might be convenient in some circles
but it's also a security risk in that if someone were to borrow my
computer they would not be challenged before getting access to the
network.  Does anyone know where WinXP stores this info and if it
can be configured to always prompt for user/pass?

Thanks,
Jon



>
>FreeBSD V5.3
>FreeRadius V1.0.2
>Windows XP Supplicant
>Dlink 2100 Access Point
>Dlink G132 USB Wireless Adapter
>self-signed server certificates using openssl v0.9.7e
>
>The radiusd -X command shows no errors on startup.
>
>I'm having problems authenticating when using the "validate server certificate"
>option in the WinXP PEAP configuration menu.  If I don't validate the server
>certificate I can connect to the radius server just fine.  Someone else ran
>into a similar problem (freeradius-users/2004-September/036349.html) claiming
>the problem was "usage attributes accompanying the cert".  I don't know what
>this means.  I created my certs according to directions from
>austux.net/resources/network/eaptls.html
>
>The entire log is included below, but the relevant part seems to be the
>following section.  I'm assuming "validating" the certificate is a good
>thing and an option I want to include in my WinXP configuration.  My root
>CA installed fine on the WinXP machine.  Can anyone give me some guidance
>on this issue?
>
>
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied  
>TLS Alert read:fatal:access denied 
>rlm_eap_peap: No data inside of the tunnel.
> rlm_eap: Handler failed in EAP/peap
>  rlm_eap: Failed in EAP select
>  modcall[authenticate]: module "eap" returns invalid for request 53
>modcall: group authenticate returns invalid for request 53
>auth: Failed to validate the user.
>
>
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
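The fix described at the top of the thread (a server certificate that carries the xpextensions) and the "usage attributes accompanying the cert" remark in the quoted post both come down to one X.509 field: the Extended Key Usage extension, which names its purposes by OID (object identifier). The script below is an added example, not part of the original post or of the FreeRADIUS or OpenSSL projects: it writes an extensions file in the same shape as FreeRADIUS' xpextensions (the section names xpclient_ext/xpserver_ext and the two OIDs, 1.3.6.1.5.5.7.3.1 for TLS server authentication and 1.3.6.1.5.5.7.3.2 for client authentication, are taken from that file), builds a throw-away root CA and two server certificates, one signed with the xpserver_ext section and one without, and then runs the check a practitioner wants before pointing a Windows supplicant at radiusd. The subject names, the working directory handling and the helper names are assumptions made for the example; it requires only the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the original post): show what the xpextensions
# file puts into a server certificate, and check for it after signing.
# Assumes: openssl in PATH, a writable temp directory.  Subject names,
# key sizes and lifetimes are arbitrary choices for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Extensions file in the same shape as FreeRADIUS' raddb/certs/xpextensions.
# extendedKeyUsage lists purposes by OID:
#   1.3.6.1.5.5.7.3.1 = id-kp-serverAuth ("TLS Web Server Authentication")
#   1.3.6.1.5.5.7.3.2 = id-kp-clientAuth ("TLS Web Client Authentication")
# The Windows XP PEAP/EAP-TLS supplicant refuses a server cert that lacks
# serverAuth when "validate server certificate" is on.
write_xpextensions() {
    cat > "$WORK/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# Self-signed root CA for the demo (this is the cert you would import
# into the supplicant's trusted root store).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Server certificate signed by the CA.  $1 is "with" to sign using the
# xpserver_ext section, or "without" to reproduce the manually built cert
# from the top of the thread that carried no extensions.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$WORK/server-$1.key" -out "$WORK/server-$1.csr" 2>/dev/null
    if [ "$1" = "with" ]; then
        openssl x509 -req -days 365 -in "$WORK/server-$1.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$WORK/xpextensions" -extensions xpserver_ext \
            -out "$WORK/server-$1.pem" 2>/dev/null
    else
        openssl x509 -req -days 365 -in "$WORK/server-$1.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/server-$1.pem" 2>/dev/null
    fi
}

# The pre-flight check: openssl prints the EKU OID by its long name.
# Prints "serverAuth" when the extension is present, "missing" otherwise.
eku_status() {
    if openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"; then
        echo serverAuth
    else
        echo missing
    fi
}

# Build everything and report the status of both server certificates.
run_demo() {
    write_xpextensions
    make_ca
    make_server_cert with
    make_server_cert without
    echo "server-with.pem:    $(eku_status "$WORK/server-with.pem")"
    echo "server-without.pem: $(eku_status "$WORK/server-without.pem")"
}

run_demo
```

Run it with a plain `sh`; the certificate signed with `-extensions xpserver_ext` reports `serverAuth` and the one signed without any extfile reports `missing`. To inspect a certificate you already have, `openssl x509 -in server.pem -noout -text` and look for the `X509v3 Extended Key Usage` block; the same `-extfile`/`-extensions` pair is what FreeRADIUS' CA.all scripts pass to openssl when they sign the server and client certificates, which is why building the certificates by hand without it produced a certificate the supplicant rejected.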