Reveal MAP wrote:
> But I think this problem does not affect PEAP because PEAP does not use
> client certs, you only need to install ca.der on the client machine and
> enter the passwords
I refer to that:
> so my question is, if the certificate (with server extension) is
> missing on the client, could it interfere with EAP-PEAP authentication
> success?
Yes.
You need a RADIUS cert with the extensions... and if doing proper
PEAP, you need the CA installed on the client too - with 'validate
server certificate' checked and cross-linked (i.e. you choose
the correct CA in the list!)
alan
Really?? It seems to affect PEAP too when FreeRADIUS authenticates
against Active Directory.
If I understood well, PEAP authentication needs a login +
password on the client side and a certificate on the server side in order
for the authentication process to succeed!
So, which certificate do I have to install on the client side?
- I already tried ca.der with no success! After an Access-Challenge,
the request simply stops.
- I am trying server.crt too, with no more success. I install it in the
intermediate authority container, but it is not available in the
list of the XP wireless manager.
If you have a suggestion, I am open!
----- Original message ----
From: Sergio <[EMAIL PROTECTED]>
To: FreeRadius users mailing list <[email protected]>
Sent: Friday, 25 July 2008, 13:20:54
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a
problem with eap-tls)
Reveal MAP wrote:
> How to fix the problem of the issuer of client certificates in the
> default configuration?
>
> - This bug is suspected to be why I can't do EAP-PEAP, and to affect CRL
> management too. It's a real problem.
>
> ----- Original message ----
> From: Alan DeKok <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list <[email protected]>
> Sent: Thursday, 24 July 2008, 19:54:32
> Subject: Re: cert bootstrap bug? (was Re: definitively, I have a
> problem with eap-tls)
>
> Sergio wrote:
> > But the debug I posted shows that radius doesn't recognize the
> > issuer of client cert using default certs. If default certs works and I
> > don't need to install server.pem and ca.pem into ssl/certs dir, what I'm
> > forgetting alan?
>
> You need to follow the documentation in eap.conf.
>
> # If CA_file (below) is not used, then the
> # certificate_file below MUST include not
> # only the server certificate, but ALSO all
> # of the CA certificates used to sign the
> # server certificate.
> certificate_file = ${certdir}/server.pem
>
> Have you done that?
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------------------------------------------------
> Sent with Yahoo! Mail
> <http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html>.
> A smarter mailbox.
>
But I think this problem does not affect PEAP because PEAP does not use
client certs, you only need to install ca.der on the client machine and
enter the passwords
Then, you're trying to tell me the following:
installing ca.der and putting user && pass on the client machine, the
authentication doesn't work?
You only need ca.der, but if you have an Active Directory like LDAP,
check if your communication with the AD server also has TLS authentication.
In the ldap module you can configure another tls block, which is
different from the tls block in the eap module.
I don't know if it is your problem, but I suppose that communication
between the LDAP server and radius can have different certificates, from
different CAs than the EAP communication. If it is your problem, I would
check it. It would also be good if you posted the radius debug output to see
which certificate can't be validated.
See you later :)
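Added example, not from this thread or from the FreeRADIUS project: a POSIX shell check, using openssl, for the two things the thread keeps coming back to, Alan's eap.conf note that certificate_file must bundle the server cert plus its signing CA, and the question of whether the server cert carries the "server extension" (the serverAuth Extended Key Usage). It builds a constructed throwaway CA and two server certs (ExampleCA and radius.example are made-up names), then reports on a candidate certificate_file.

```shell
#!/bin/sh
# Constructed test PKI (not the FreeRADIUS default certs): one CA, one server
# cert signed with serverAuth, one signed with no extensions at all.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=ExampleCA \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=radius.example \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'extendedKeyUsage=serverAuth\n' >"$WORK/srv.ext"
# The "server extension" the thread asks about: TLS Web Server Authentication
openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/srv.ext" \
    -out "$WORK/server.crt" 2>/dev/null
# Same CSR signed without extensions: the failure mode being discussed
openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/noext.crt" 2>/dev/null
# Bundles laid out as the eap.conf comment says: server cert, then signing CA
cat "$WORK/server.crt" "$WORK/ca.pem" >"$WORK/good.pem"
cat "$WORK/noext.crt" "$WORK/ca.pem" >"$WORK/noext.pem"

# Number of PEM certificates in a file (prints 0 when there are none)
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# 1 if the first certificate in the file carries the TLS server EKU, else 0
has_server_eku() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'; then echo 1; else echo 0; fi
}

# 1 if the first certificate in $2 verifies against the CA file $1, else 0
chains_to_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Verdict for a certificate_file candidate ($1) and the CA handed to clients ($2)
check_bundle() {
    [ "$(has_server_eku "$1")" -eq 1 ] || { echo "missing serverAuth EKU"; return 0; }
    [ "$(chains_to_ca "$2" "$1")" -eq 1 ] || { echo "does not chain to CA"; return 0; }
    [ "$(cert_count "$1")" -ge 2 ] || { echo "CA chain not bundled"; return 0; }
    echo ok
}

check_bundle "$WORK/good.pem" "$WORK/ca.pem"    # ok
check_bundle "$WORK/noext.pem" "$WORK/ca.pem"   # missing serverAuth EKU
check_bundle "$WORK/server.crt" "$WORK/ca.pem"  # CA chain not bundled
```

Point check_bundle at your own ${certdir}/server.pem and the ca.pem you distribute to clients; the third case is exactly what a certificate_file without CA_file looks like when the CA was left out.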