Re: EAP/TLS problem solved (almost...)
you can DEFINITELY use openssl in order to produce valid certificates, both for windows AND freeradius (which uses openssl).

the certification path is not valid probably because the root certificate which you installed under windows expired.

ciao
artur

Antti Mattila wrote:

> I tried certificates from Adam Sulmicki's cert.tgz packet. I set the server date to 28.2 and on the laptop to 28.2. (the certificate is valid from and expires on that day). And the EAP/TLS authentication worked! I finally got:
>
>     Sending Access-Accept of id 50 to 194.142.202.102:6001
>         MS-MPPE-Recv-Key = 0x60b16b18235e7a9fde64aabf7ddb3248540cb7dcaff967454af4c39270ae1607
>         MS-MPPE-Send-Key = 0x7236809f4cc3667478644304136783a2604a5a3607d9215f279aa97edcfeac2c
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x
>
> But the certificate problem still remains. The certificate generated with the script which came from Freeradius package says on the w2k machine (on the certificate path): "The certificate has a non-valid digital signature". I think this is the problem. Adam's certificate seems fine on the computer.
>
> We will try different OpenSSL versions (we used the versions required in Ken Roser's guide, the SNAP was of course newer) but if this doesn't work we'll try to generate the certificates with Novell Certificate server that we are using. If it doesn't produce certificate files needed for Freeradius we need to buy somebody to make the certificates with OpenSSL for us. Fortunately the certificates must be generated only once. So if we get a working certificate set we don't have to buy a consultant to do the stuff ever again.
>
> Best regards:
> Antti Mattila

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TLS problem solved (almost...)
> you can DEFINITELY use openssl in order to produce valid certificates,
> both for windows AND freeradius (which uses openssl).
>
> the certification path is not valid probably because the root
> certificate which you installed under windows expired.
>
> ciao
> artur

I know that many people have managed to get working certificates for Freeradius with OpenSSL and, more importantly, with the same exact script I'm using. I wonder what could go wrong; maybe it is the OpenSSL version.

My own generated certificate has valid date as of today and expires after 3 years. Windows 2000 shows it correctly under Authentication tab, which it doesn't do if the certificate has expired.

Well, have to keep trying, and if I don't get it working we'll have to use somebody else. After all I'm just a 21 year old summer worker ;-)

Best re
Re: EAP/TLS problem solved (almost...)
that's why i'm trying to reassure you. it probably has nothing to do with the version of openssl. every suite has to produce compliant certificates. the certificate format is mandated by its form.

just verify all the certificates you installed. it's a small error somewhere.

ciao
artur

Antti Mattila wrote:

> > you can DEFINITELY use openssl in order to produce valid certificates,
> > both for windows AND freeradius (which uses openssl).
> >
> > the certification path is not valid probably because the root
> > certificate which you installed under windows expired.
> >
> > ciao
> > artur
>
> I know that many people have managed to get working certificates for Freeradius with OpenSSL and, more importantly, with the same exact script I'm using. I wonder what could go wrong; maybe it is the OpenSSL version.
>
> My own generated certificate has valid date as of today and expires after 3 years. Windows 2000 shows it correctly under Authentication tab, which it doesn't do if the certificate has expired.
>
> Well, have to keep trying, and if I don't get it working we'll have to use somebody else. After all I'm just a 21 year old summer worker ;-)
>
> Best re
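
The thread names two different causes for the broken certification path, an expired root and an invalid signature. The following is an added example, not part of the original messages or of the FreeRADIUS scripts, showing one way to tell them apart with the openssl command line. The helper names check_cert and make_demo_certs, the file names and the certificate subjects are assumptions made up for the illustration.

```sh
#!/bin/sh
# Added example: classify why a certificate fails to validate against a root.
# check_cert and make_demo_certs are hypothetical helper names.

# check_cert ROOT_PEM CERT_PEM -> prints ok | unreadable:F | expired:F | bad-chain:F
check_cert() {
    ca=$1; cert=$2
    for f in "$ca" "$cert"; do
        # Does the file parse as an X.509 certificate at all?
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "unreadable:$f"; return 3
        fi
        # -checkend 0 fails when notAfter is already in the past.
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "expired:$f"; return 1
        fi
    done
    # Neither certificate has passed notAfter, so a failure here points at the
    # signature/issuer chain (or a notBefore in the future); the reason
    # openssl gives is passed through on stderr.
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) || true
    case $out in
        *": OK"*) echo "ok"; return 0 ;;
        *) echo "$out" >&2; echo "bad-chain:$cert"; return 2 ;;
    esac
}

# Constructed sample input: a throwaway root, a server certificate signed by
# it, and an unrelated second root, all written into directory $1.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/srv.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Root CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Usage (placeholder file names): check_cert root.pem cert-srv.pem
```

Run check_cert against the same root file that was imported on the Windows client, so both sides are judged against one trust anchor.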