> > Since you seem to know something about this, can you either:
> >
> > A) Explain what the "extended key oid nonsense" is?
> > B) Point me to some place I can read about it?
>
> http://www.freeradius.org/doc/
>
> See the EAP-TLS stuff.
>
> Microsoft requires magic stuff in the server certificate, otherwise
> the windows supplicants silently stop talking to the AP.

Ok, I read the document, but I still do not understand something...

I am proxying the packets from the Cisco through the FreeRADIUS server to the IAS server. EAP messages are exchanged between the supplicant and the IAS server; the Cisco AP and FreeRADIUS server do not touch them, correct? They just do RADIUS stuff and encapsulate the EAP messages, right?

And, if that is the case, then the IAS server and the supplicant are doing all the TLS stuff. The IAS server obviously supports those OID extensions. So, shouldn't the supplicant work properly?

I mean, we are not creating a TLS tunnel from the supplicant to the FreeRADIUS server and another from the FreeRADIUS server to the IAS server -- it should be from the supplicant to the IAS server, encapsulated in RADIUS, proxied through the FreeRADIUS server. And, in that kind of setup, the FreeRADIUS server should not be causing any problems, correct?
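
The encapsulation discussed in this message, as an added example that is not part of the original post and is not FreeRADIUS or IAS code: EAP travels in RADIUS EAP-Message attributes (type 79, RFC 3579), split into fragments of at most 253 bytes. The packet contents, the user name and `proxy_forward` are constructed or hypothetical, and the proxy step is simplified (no shared secret, no Message-Authenticator recomputation).

```python
import struct

EAP_MESSAGE = 79   # RADIUS attribute type carrying EAP (RFC 3579)
PROXY_STATE = 33   # RADIUS attribute a proxy adds to track the request

def build_radius(code, ident, attrs):
    """Build a RADIUS packet from (type, value) pairs; authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Return the ordered (type, value) attribute list, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def split_eap(eap):
    """Split one EAP packet into EAP-Message attributes of at most 253 bytes."""
    return [(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]

def eap_payload(packet):
    """Reassemble the EAP packet by concatenating EAP-Message values in order."""
    return b"".join(v for t, v in parse_attrs(packet) if t == EAP_MESSAGE)

def proxy_forward(packet, new_ident):
    """Hypothetical proxy hop: new identifier, added Proxy-State, EAP bytes untouched."""
    attrs = parse_attrs(packet) + [(PROXY_STATE, b"proxy-1")]
    return build_radius(packet[0], new_ident, attrs)

# Constructed sample: EAP-Response (code 2), type 13 (EAP-TLS), 600 bytes of fake TLS data
tls_data = bytes(range(256)) * 2 + bytes(88)
eap = struct.pack("!BBHBB", 2, 7, 6 + len(tls_data), 13, 0) + tls_data
from_ap = build_radius(1, 42, [(1, b"user@example.org")] + split_eap(eap))
to_home = proxy_forward(from_ap, 99)

if __name__ == "__main__":
    print("RADIUS packets identical:", from_ap == to_home)
    print("EAP payload identical:  ", eap_payload(from_ap) == eap_payload(to_home))
```

The RADIUS envelope differs between the two hops while the reassembled EAP bytes compare equal, which is a check that can be run on captures from either side of a proxy.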