>We sign our RADIUS cert with a public CA for the same reason as you.
>You will need to make sure that the Certificate Authority that you have sign
>your CSR adds the extensions.
>The extensions that need to be added are in the file xpextensions in the certs
>directory of your FreeRadius installation.
>Here they are.

THANKS!

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org] On Behalf Of Johnson, Neil M
Sent: Thursday, January 20, 2011 1:09 PM
To: FreeRadius users mailing list
Subject: RE: Generating a Microsoft compatible CSR for FreeRADIUS

We sign our RADIUS cert with a public CA for the same reason as you.

You will need to make sure that the Certificate Authority that you have sign your CSR adds the extensions.

The extensions that need to be added are in the file xpextensions in the certs directory of your FreeRadius installation.

Here they are.

#
#  File containing the OID's required for Windows.
#
#  http://support.microsoft.com/kb/814394/en-us
#
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: freeradius-users-bounces+neil-johnson=uiowa....@lists.freeradius.org [mailto:freeradius-users-bounces+neil-johnson=uiowa....@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
Sent: Thursday, January 20, 2011 12:28 PM
To: freeradius-users@lists.freeradius.org
Subject: Generating a Microsoft compatible CSR for FreeRADIUS

I need help generating a Microsoft compatible CSR for my FR server that I can get signed by a public CA. The documentation mentions special OID's that need to be present for MS machines to accept the cert, but I can't find WHAT those OID's are so I can make sure I include them in the CSR.

I know the docs also say that it is not best practices to use a publicly signed cert because ANYONE can auth against the server, however since I am in a position where almost all of the computers will NOT be managed by our staff (they are student workstations) a public cert seems perfect.

If anyone has another route that will allow me to auth Windows clients without having to manually install certs and/or manually configuring the wireless adapters I would be very grateful to hear your suggestions.

THANKS!

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
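
The advice in this thread as an added example (not part of the original messages and not FreeRADIUS's own scripts): request the xpserver_ext OID in the CSR, then check that the certificate that comes back actually carries it. The hostname, file names and the self-signed stand-in for the CA are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Hostname, file names and the self-signed "test CA" are assumptions.

# Build a key and a CSR that requests the server EKU listed in xpextensions.
make_csr() {  # usage: make_csr <workdir> <common-name>
    dir=$1; cn=$2
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = xpserver_ext
[ dn ]
CN = $cn
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# Stand-in for the CA: self-sign the CSR. "with" adds the EKU at signing time,
# "without" signs without copying the extensions requested in the CSR.
test_sign() {  # usage: test_sign <workdir> with|without
    dir=$1; mode=$2; ext=""
    if [ "$mode" = with ]; then
        ext="-extfile $dir/req.cnf -extensions xpserver_ext"
    fi
    # $ext is left unquoted on purpose so it splits into separate options.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 1 $ext -out "$dir/$mode.crt" 2>/dev/null
}

# Exit 0 only if the CSR (req) or certificate (x509) carries serverAuth.
has_server_eku() {  # usage: has_server_eku req|x509 <file>
    openssl "$1" -in "$2" -noout -text 2>/dev/null |
        grep -A1 'Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# Demo run in a throwaway directory.
d=$(mktemp -d) && make_csr "$d" radius.example.org &&
    test_sign "$d" with && test_sign "$d" without
for f in with without; do
    if has_server_eku x509 "$d/$f.crt"; then echo "$f.crt: serverAuth present"
    else echo "$f.crt: serverAuth MISSING, the CA did not add the extension"; fi
done
rm -rf "$d"
```

Running `has_server_eku x509` on the certificate a real CA returns is the useful check, since a CSR only requests the extension and the CA decides whether to include it.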