Josh Hiner wrote:
t...@kalik.net wrote:
Whoops, I thought I solved this but I didn't. I tried setting up eap-tls
on a few different laptops each using windows xp to configure eap-tls
(not the wireless card client). I get the same results there. I have
nothing in my /etc/raddb/users file. I tried putting:
josh Auth-Type := eap
   Auth-Type := Accept

Don't do that. Don't force Auth-Type. It's not going to help and it
will break everything else.

On the XP client I also notice that even though I have the Certificate
Authority installed, the client certificate reports: Windows does not
have enough information to verify this certificate.

I figured that the certificate chain was broken. As a test, I imported
the server certificate and stuck it in the Trusted root authorities
section. This completed the chain (since the client cert was signed off
the server cert which is what the make client does in /etc/raddb/certs).
But, of course, the server cert is not meant to be a cert authority so
windows xp complains about this.

That is the problem. Windows won't recognize server certificate as
intermediate ca any more. The "cure" is to try signing client
certificates with ca certificate instead. I have posted to the list an
altered Makefile with make caclient.pem command added a few days ago. If
you can't find it I will post another one this evening.

Ivan Kalik
Kalik Informatika ISP

I did find the Makefile. Thanks! I tried to do a make caclient.pem but it threw this error:

openssl req -new -out caclient.csr -keyout caclient.key -config ./client.cnf
Generating a 2048 bit RSA private key
...........+++
.......+++
writing new private key to 'caclient.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
make: *** [caclient.crt] Error 1

I don't need to re-do my CA and server cert prior to making the client certs do I?
Ha, never mind. My index.txt file was messed up. -josh
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
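
The "wrong number of fields" error above comes from openssl ca reading its index.txt database. The following is an added example, not part of the thread or of the FreeRADIUS Makefile, that checks such a file before signing. It assumes the layout openssl ca writes (six TAB-separated fields per record); the function name check_ca_index and the sample records are constructed, and since the thread does not say what was wrong with the file, a blank line stands in as the damaged case.

```shell
#!/bin/sh
# Added example: sanity-check an "openssl ca" database (index.txt) before signing.
# Assumed record layout, one line each, 6 TAB-separated fields:
#   status (V/R/E), expiry, revocation date (empty unless R), serial, filename, subject DN

check_ca_index() {
    # Prints one diagnostic per bad line; exit status 0 = clean, 1 = problems found.
    awk -F'\t' '
        NF != 6 {
            printf "line %d: expected 6 fields, got %d\n", NR, NF; bad++; next
        }
        $1 !~ /^[VRE]$/ {
            printf "line %d: unknown status flag \"%s\"\n", NR, $1; bad++; next
        }
        $1 == "R" && $3 == "" {
            printf "line %d: revoked entry without revocation date\n", NR; bad++; next
        }
        $4 !~ /^[0-9A-Fa-f]+$/ {
            printf "line %d: serial \"%s\" is not hex\n", NR, $4; bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample databases (not taken from the thread).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
: > "$demo_dir/empty.txt"        # zero-byte file, as created by "touch": valid
printf '\n' > "$demo_dir/blank.txt"   # a stray blank line: invalid
printf 'V\t330101000000Z\t\t01\tunknown\t/C=FR/O=Example Inc./CN=user@example.com\n' \
    > "$demo_dir/good.txt"       # one valid, unrevoked record

for f in empty good blank; do
    if check_ca_index "$demo_dir/$f.txt"; then
        echo "$f.txt: ok"
    else
        echo "$f.txt: repair before running openssl ca"
    fi
done
```

An index.txt that fails the check on a fresh CA with no issued certificates can be replaced with an empty file; on a CA that has already issued certificates, repair the damaged line instead so the revocation records are kept.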
