Message: 5
Date: Mon, 16 Oct 2006 22:36:14 +0200
From: "Josh Shamir" <[EMAIL PROTECTED]>
Subject: Re: WPA authentication works only with MacOS clients
To: "FreeRadius users mailing list"
        <freeradius-users@lists.freeradius.org>
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

"Hi Jason,
I want to use PEAP.
So I can use PEAP on a WinXP SP2 client without any other supplicant, using
its native supplicant.
The problem is that with the native WinXP supplicant the authentication process
fails, and the FreeRADIUS server gives me an error regarding certificates.
The strange thing is that with the same certificates, PEAP works fine with
MacOSX.

Could it be a problem with the certificates?
I generated the certificates with CA.all.
Any ideas about how to generate certificates that also work with the MS WinXP
client?"

This is a common problem. Windows XP requires that the server and client 
certificates have specific attributes. This is useful as it prevents a 
man-in-the-middle attack where an authentic client masquerades as a server 
with its client cert.

You need to use Microsoft's Extended Attributes:

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

See http://www.linuxjournal.com/node/8095/print for detailed instructions on how to create a server certificate that will work with PEAP and MS clients. The HOWTO is for EAP-TLS, which requires client and server certificates. Since you are using PEAP, you just need to create the server certificate. Good luck.
In particular you'll want to do:

openssl req -new -keyout server_key.pem -out server_req.pem -days 730 \
-config ./openssl.cnf

openssl ca -config ./openssl.cnf \
-policy policy_anything -out server_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions \
-infiles ./server_req.pem

You'll now have server_cert.pem (Public Certificate) and server_key.pem (Private Key, which has no password). The public certificate will have the Server extended key usage extension set, and now your XP client should authenticate.
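As an added illustration (not part of the original mail), the script below builds a throw-away CA, signs one CSR with the xpserver_ext section and one with xpclient_ext, and then checks which certificate actually carries the serverAuth EKU that the XP supplicant looks for. The subjects and file names are constructed, and 'openssl x509 -req' stands in for 'openssl ca' so no CA database (index.txt, serial) is needed.

```shell
#!/bin/sh
# Added example, not from the original mail or the FreeRADIUS project.
# Constructed names throughout; requires the openssl command-line tool.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Same extension sections as quoted in the mail.
cat > xpextensions <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# Self-signed CA, a constructed stand-in for the CA produced by CA.all.
openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
    -subj "/CN=Example RADIUS CA" \
    -keyout ca_key.pem -out ca_cert.pem 2>/dev/null

# issue_cert NAME SECTION: unencrypted key, CSR and CA-signed certificate
# whose extendedKeyUsage comes from SECTION; writes NAME_key.pem, NAME_cert.pem.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
        -keyout "${1}_key.pem" -out "${1}_req.pem" 2>/dev/null
    openssl x509 -req -days 730 -in "${1}_req.pem" \
        -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
        -extfile xpextensions -extensions "$2" -out "${1}_cert.pem" 2>/dev/null
}

# has_server_auth_eku FILE: succeeds only if FILE carries the serverAuth EKU
# (1.3.6.1.5.5.7.3.1); a cert with only clientAuth fails this check, which is
# why a client cert cannot be reused to impersonate the RADIUS server.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q "TLS Web Server Authentication"
}

issue_cert server xpserver_ext
issue_cert client xpclient_ext
has_server_auth_eku server_cert.pem && echo "server_cert.pem: serverAuth EKU present"
has_server_auth_eku client_cert.pem || echo "client_cert.pem: no serverAuth EKU"
```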
