t...@kalik.net wrote:
Whoops, I thought I solved this but I didn't. I tried setting up eap-tls
on a few different laptops each using windows xp to configure eap-tls
(not the wireless card client). I get the same results there. I have
nothing in my /etc/raddb/users file. I tried putting:
josh Auth-Type := eap
   Auth-Type := Accept

Don't do that. Don't force Auth-Type. It's not going to help and it
will break everything else.

On the XP client I also notice that even though I have the Certificate
Authority installed, the client certificate reports: Windows does not
have enough information to verify this certificate.

I figured that the certificate chain was broken. As a test, I imported
the server certificate and stuck it in the Trusted root authorities
section. This completed the chain (since the client cert was signed off
the server cert which is what the make client does in /etc/raddb/certs).
But, of course, the server cert is not meant to be a cert authority so
windows xp complains about this.

That is the problem. Windows won't recognize the server certificate as an
intermediate CA any more. The "cure" is to try signing client
certificates with the CA certificate instead. I have posted to the list an
altered Makefile with a make caclient.pem command added a few days ago. If
you can't find it I will post another one this evening.

Ivan Kalik
Kalik Informatika ISP

I did find the Makefile. Thanks! I tried to do a make caclient.pem but it threw this error:

openssl req -new -out caclient.csr -keyout caclient.key -config ./client.cnf
Generating a 2048 bit RSA private key
...........+++
.......+++
writing new private key to 'caclient.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
make: *** [caclient.crt] Error 1

I don't need to re-do my CA and server cert prior to making the client certs, do I?

Here is my client.cnf. It's almost as if it doesn't understand that it needs to take the values from [ CA_default ].

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = ./
certs                   = $dir
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir
certificate             = $dir/server.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
private_key             = $dir/server.key
RANDFILE                = $dir/.rand
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 7300
default_crl_days        = 30
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
localityName            = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
prompt                  = no
distinguished_name      = client
default_bits            = 2048
input_password          = <hidden>
output_password         = <hidden>

[client]
countryName             = US
stateOrProvinceName     = Michigan
localityName            = Hancock
organizationName        = REMC1
emailAddress            = supp...@remc1.net
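The "wrong number of fields" message in the make output above is raised by `openssl ca` while reading its certificate database, the file named by `database = $dir/index.txt` in `[ CA_default ]`, which must contain exactly six tab-separated fields per line (status, expiry, revocation date, serial, filename, subject DN). The validator below is an added example, not code from this thread or from the FreeRADIUS certs Makefile; it parses such a file the same way, reproduces the shape of that diagnostic for a malformed line, and runs on constructed sample entries.

```python
# Added example: validate an OpenSSL `ca` database (index.txt) before running
# `openssl ca`. Sample records below are constructed, not taken from the thread.
import re
from collections import Counter
from dataclasses import dataclass

FIELDS = 6  # status, expiry, revocation date, serial, filename, subject DN
STATUS = {"V": "valid", "R": "revoked", "E": "expired"}
TIME_RE = re.compile(r"^\d{12}Z$")  # YYMMDDHHMMSSZ, as written by openssl ca


class IndexDbError(ValueError):
    """Raised for a record that openssl's TXT_DB_read would also reject."""


@dataclass
class IndexEntry:
    status: str
    expires: str
    revoked: str
    serial: str
    filename: str
    subject: str


def parse_index(text):
    """One record per line, fields separated by tabs, exactly six fields.
    An empty file (a fresh CA) is valid and yields no entries."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split("\t")
        if len(fields) != FIELDS:
            # Same shape as openssl's message; the quoted text is whatever is
            # left after the expected fields (empty for a short line).
            left = "\t".join(fields[FIELDS:])
            raise IndexDbError(
                f"wrong number of fields on line {lineno} "
                f"(looking for field {FIELDS}, got {len(fields)}, '{left}' left)")
        entry = IndexEntry(*fields)
        if entry.status not in STATUS:
            raise IndexDbError(f"line {lineno}: unknown status {entry.status!r}")
        if not TIME_RE.match(entry.expires):
            raise IndexDbError(f"line {lineno}: bad expiry {entry.expires!r}")
        if entry.status == "R" and not TIME_RE.match(entry.revoked):
            raise IndexDbError(f"line {lineno}: revoked without a date")
        if not re.fullmatch(r"[0-9A-Fa-f]+", entry.serial):
            raise IndexDbError(f"line {lineno}: bad serial {entry.serial!r}")
        entries.append(entry)
    return entries


def count_by_status(entries):
    """Summarise a parsed database, e.g. {'valid': 2, 'revoked': 1}."""
    return dict(Counter(STATUS[e.status] for e in entries))
```

A single blank line in the file is enough to trigger the "got 1, '' left" form of the message, because a line with no tabs counts as one field.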

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
