Re: Problem Using GoDaddy Wildcard Certificate

Hi Thomas, Thomas Simmons wrote on 03.03.2013 03:28: > The certification path for my cert is: My Cert > GoDaddy Secure > Certification Authority > Go Daddy Class 2 Certification Authority > > I added my certificate to the beginning of the chain file provided by > GoDaddy (used cat to ensure no e

Re: Problems using EAP-TLS with freeradius version 2

Jeffrey Hutzelman wrote on 04.02.2008 00:43: > --On Thursday, January 31, 2008 05:42:50 PM +0100 "Reimer Karlsen-Masur, > DFN-CERT" <[EMAIL PROTECTED]> wrote: > >> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your >> client cert

Re: Problems using EAP-TLS with freeradius version 2

Stefan Puch wrote on 01.02.2008 09:57: > @Reimer Karlsen-Masur >> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client >> certificates you could work around this by disabling the trust setting of >> valid certificate usage "Microsoft Smartcard Logon" in the CAs properties i

Re: Problems using EAP-TLS with freeradius version 2

Stefan Puch wrote on 31.01.2008 17:05: > Hello again, ... > @Reimer Karlsen-Masur >> We know of problems with EE certificates in PDAs containing the >> "non-repudiation" flag. If the "non-repudiation" keyUsage *is part* of your client certificates they might not work with some PDAs build-in supp

Re: Problems using EAP-TLS with freeradius version 2

Stefan Puch wrote on 30.01.2008 11:13: > Hello everyone, > > I've got some problems with the new version of freeradius, but before I'm > going > to open a new bugreport or post long debugtraces from "radiusd -X" I want to > ask > here if someone else has made similar experiences. > > I've set

Re: How to enable only EAP-TTLS type and not EAP-TLS?

Stefan Winter wrote on 10.01.2008 15:51: > Hi, > >> If the supplicant is not configured that strictly, at the end of the day it >> does not matter if you rolled your own self-signed RADIUS server cert or >> you have a cert with its root CA pre-installed. > > Actually, It's not quite the same: if

Re: How to enable only EAP-TTLS type and not EAP-TLS?

[EMAIL PROTECTED] wrote on 10.01.2008 14:53: > Hi, > >> RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That >> means that no one else can successfully convince the users to send them >> the passwords. > > seconded/thirded. as UK eduroam support I agree that such a closed-lo

Re: How to enable only EAP-TTLS type and not EAP-TLS?

Alan DeKok wrote on 10.01.2008 11:26: > Reimer Karlsen-Masur, DFN-CERT wrote: >> This is definitely more elegant than my suggestion but I found that many >> FreeRADIUS admins get confused by the >> >> CA_file >> CA_path >> >> options. They think tha

Re: How to enable only EAP-TTLS type and not EAP-TLS?

This is definitely more elegant than my suggestion but I found that many FreeRADIUS admins get confused by the CA_file CA_path options. They think that they need to place the CA chain from *their FreeRADIUS servers SSL certificate* in the file/directory specified in above options. But by doing so

Re: How to enable only EAP-TTLS type and not EAP-TLS?

Hi, nikitha george wrote on 09.01.2008 10:04: > Hi, > I want to enable only TTLS authentication and if the client is > requesting any other types EAP-TLS or PEAP the authentication should be > denied. within the eap section you must configure the tls and the ttls section. Delete the peap section.

Re: TLS cant connect ldap+freeradius+novell

Martin G wrote: > Iv found the following on the novellserver (CA-service): > Distinguished name: WIFITREE CA.Security > Host server: NW1.SYSTEM.WIFI Well this looks like the novell ldap server certifivate. > "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN? Yes. > I added the info

Re: TLS cant connect ldap+freeradius+novell

Hi. Martin G wrote: > Subject of the novell-server-certificate is : O = WIFITREE > OU = Organizational CA Well, that looks like the SubjectDN of your Novell CA certificate. You need to put this CA certificate (no the pkcs#12/.p12 or the private key) in PEM format into the file referenced by optio

Re: TLS cant connect ldap+freeradius+novell

Hm. Martin G wrote: > Sorry, when i tried to rehash my certificate, id changed its path, but now > its back and i got a new output from my ldapsearch-command: > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou > =adm,ou=malmo,o=wifi "cn=lotta" > ldap_initialize( ldap://10.10.0.11 ) > ldap_start_t

Re: TLS cant connect ldap+freeradius+novell

Hm fiddling with parameters in the FreeRADIUS config files should not change any behavior of ldapsearch. ldapsearch depends on ldap.conf config file. Did you turn on ldap client debugging by setting "loglevel -1" in the ~/.ldap.conf file for the user that is executing ldapsearch? Or if ~/.ldap.co

Re: TLS cant connect ldap+freeradius+novell

Hi. Martin G wrote: > Hello! > > Im new to both this mailinglist and to novell/linux/ldap/freeradius but iv > tried my best to install a radius/ldap linuxserver to pass on > radius-requests from a Aruba-controller to our novell-server. > > IPs: > Novell 10.10.0.11 > Aruba 10.10.0.28 > Linux (f

Re: certificates for TLS Tunnel (peap mschap v2 authentication)

Hi, julien blanc wrote: > hi ! > > I'd like to set up an authentication system (for wireless clients) based > on freeradius. > > I'm using a DC windows 2003 with Active Directory to manage my users and > groups... i know ... its bd :-) but i don't have the choice ! > > I have built a linux

Re: Sending CA certificate during EAP-TLS

Hi, Rafa Marín López wrote: Reimer Karlsen-Masur, DFN-CERT escribió: Hi Karlsen, thanks for the answer, please see inline... Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file. *Trusted* CAs for client auth are stored in CA_file or

Re: Sending CA certificate during EAP-TLS

Hi. Eshun Benjamin wrote: Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration , the radius server is still sending the CA certificate. The CA_path folder is empty and the CA_file is commented out.

Re: Sending CA certificate during EAP-TLS

Rafa Marin wrote: Hi Karlsen, 2007/6/20, Reimer Karlsen-Masur, DFN-CERT <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>: Hi, in the file referenced by the option variable "certificate_file" in the tls section only put the server certificate (and

Re: Sending CA certificate during EAP-TLS

Hi, in the file referenced by the option variable "certificate_file" in the tls section only put the server certificate (and optionally the private key) of your RADIUS server. i.e. don't put ca certificates of the chain into that file. I don't know how to prevent the client from sending CA p

Re: Disabling EAP-TLS while keeping EAP-PEAP

Hi, it's very similar to pages 20ff of Eshun Benjamin wrote: sounds interesting can you post your tls section config -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: h

Re: Disabling EAP-TLS while keeping EAP-PEAP

Hi! By commenting the CA_file parameter in the eap->tls section: # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem *and* by setting CA_path parameter in the eap->tls section to an *empty* directory CA_path = ${raddbdir}/certs/trustedCAs should do the trick. No trusted CAs mean no truste

Wildcard RADIUS-server certificate and rarely used subjectRDN OIDs under 2.5.4.x arc working with Windows PEAP/EAP-TLS? (Was: Re: signed certificate)

Got the requested openssl output via pm. PKIX extendedKeyUsage is set OK. Additionally Netscape Cert Type is set accordingly to EKU. But: It is a wildcard certificate. And the SubjectDN contained among commonly used RDNs (like C, ST, L, O, OU and CN) a view RDNs that are rarely used in certific

Re: signed certificate

Hi, do you mean a RADIUS *Server* certificate? Show us the openssl x509 -noout -text -in your-cert.pem output of your certificate that is currently not working and we can make a guess why it might not working. >From the vendor website I can't workout which keyusage extensions and/or Netscape c

Re: eap-tls authentication with free radius 1.1.5

Hi Anoop, could you *please* fix your quoting! Maybe (handout "Server(Freeadius)-/Client Zertifizierung durch die DFN-PCA - Wie geht das? Was ist zu beachten?" are in German language but the FreeRADIUS config part is ob

Re: EAP-TTLS PEAP MCHAPv2

Hey. Append all intermediate CA certificates onto the end of the file specified with the "certificate_file" option in the eap.conf files eap->tls section. This file usually hold your RADIUS server certificate and can additionally hold the chain certificates as well. Eshun Benjamin wrote: > > I a

Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

Hi. [EMAIL PROTECTED] wrote: > either use your current tool but include the XP extensions as required, Just to be precise. The named extensions are PKIX extensions for serverAuth (OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID 1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

Hi Marc, are you aware of "PEAP authentication is not successful when you connect to a third-party RADIUS server" http://support.microsoft.com/kb/885453 Maybe it is somehow related? Other updates I installed on XP SP2 for WLAN 802.1x and PEAP/EAP-TLS are Hotfix 917021 (Wireless Client Update)

EAP-TLS: getting updated CRLs via cron for use with check_crl = yes option for EAP-TLS client-authN

Hi, here is a pointer to a useful script I use to fetch updated CRLs for client-certificate issuing CAs from their http CDPs via cron. http://dist.eugridpma.info/distribution/util/fetch-crl/ Just add a restart for the radiusd to make it aware of new CRLs. -- Kind Regards Reimer Karlsen-Masur

Re: Questions regarding authentication systems and protocols to password types compatibility

Thanks Alan! Your answer is raising some more questions though: Alan DeKok wrote: > Reimer Karlsen-Masur, DFN-CERT wrote: >> I appreciate the tables explaining the compatibility of authentication >> systems / protocols to password type compatibility from: > >> But I

Questions regarding authentication systems and protocols to password types compatibility

Hi Alan, hi list, I appreciate the tables explaining the compatibility of authentication systems / protocols to password type compatibility from: [table 1] http://deployingradius.com/documents/protocols/compatibility.html and [table 2] http://deployingradius.com/documents/protocols/oracles.html

Re: problem with freeradius & fedors core 5,6

Hi. Look ( at emails/threads to this list with the Subject: freeradius-1.1.5 : Aborted(core dump) and freeradius + branch_1_1 via cvs ? CVS branch_1_1 is your bet. Fixed it here, too. @ Alan: Are you releasing version 1.1.6 f

Re: CA Chain

Jeffrey Sewell wrote: > Thank you for your reply. > > We are (with the exception of some prototype tests) going to be > completely EAP-TLS. > > Your answer brings me back to my original issue--the CA_path does not > exist in the eap.conf file. If I add it, it doesn't seem to work (on > 1.1.4). H

Re: CA Chain

Jeffrey Sewell wrote: > Than you. > > So if I understand this correctly, radiusd is not looking for a > directory with checksum'd certificates, just one file with all the > certficates in it? Both is possible. CA_path = ${raddbdir}/certs/trustedCAs/ with c_rehash generated fingerprint symlinks

Re: CA Chain

Jeffrey Sewell wrote: > In the eap.conf, tls section, the comments say to use the 'CA_path' > variable in the radiusd.conf file to indicate where the trusted CA > chain will reside. However, this variable isn't in the tls section of > the radiusd.conf file (it is in the LDAP section, but I'm pretty