We sign our RADIUS cert with a public CA for the same reason as you.

You will need to make sure that the Certificate Authority that you have sign 
your CSR adds the extensions.
The extensions that need to be added are in the file xpextensions in the certs 
directory of your FreeRADIUS installation.

Here they are.

#
#  File containing the OID's required for Windows.
#
#  http://support.microsoft.com/kb/814394/en-us
#
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: freeradius-users-bounces+neil-johnson=uiowa....@lists.freeradius.org 
[mailto:freeradius-users-bounces+neil-johnson=uiowa....@lists.freeradius.org] 
On Behalf Of Sallee, Stephen (Jake)
Sent: Thursday, January 20, 2011 12:28 PM
To: freeradius-users@lists.freeradius.org
Subject: Generating a Microsoft compatible CSR for FreeRADIUS

I need help generating a Microsoft compatible CSR for my FR server that I can 
get signed by a public CA.

The documentation mentions special OID's that need to be present for MS 
machines to accept the cert, but I can't find WHAT those OID's are so I can 
make sure I include them in the CSR.

I know the docs also say that it is not best practice to use a publicly signed 
cert because ANYONE can auth against the server; however, since I am in a 
position where almost all of the computers will NOT be managed by our staff 
(they are student workstations), a public cert seems perfect.

If anyone has another route that will allow me to auth Windows clients without 
having to manually install certs and/or manually configure the wireless 
adapters, I would be very grateful to hear your suggestions.

THANKS!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
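
One way to check that a CA really applied the server extension from xpextensions, as an added example that is not part of the original thread: it signs a throwaway CSR with and without the xpserver_ext section and tests each result for the serverAuth EKU. The CA name, hostname and file names are constructed placeholders, and it assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify the EKU a CA put on a RADIUS cert.
# "Example Test CA" and radius.example.org are constructed placeholders.

SERVER_AUTH_OID="1.3.6.1.5.5.7.3.1"   # value of [ xpserver_ext ] in xpextensions

# has_server_auth CERT.pem -> exit 0 only if the EKU lists serverAuth.
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# build_demo DIR -> throwaway CA, one CSR, and two certs signed from that CSR.
build_demo() {
    d="$1"
    printf '[ xpserver_ext ]\nextendedKeyUsage = %s\n' "$SERVER_AUTH_OID" \
        > "$d/xpextensions"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=radius.example.org' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    # Case 1: the CA adds the extension section at signing time.
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/xpextensions" -extensions xpserver_ext \
        -out "$d/server-eku.pem" 2>/dev/null
    # Case 2: the CA signs the same CSR but adds no extensions.
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server-noeku.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
for c in server-eku.pem server-noeku.pem; do
    if has_server_auth "$demo_dir/$c"; then
        echo "$c: serverAuth EKU present"
    else
        echo "$c: serverAuth EKU missing"
    fi
done
rm -rf "$demo_dir"
```

Run has_server_auth against the certificate the public CA returns before installing it on the RADIUS server.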
