Please refer to the message posted below by Dan Carroll. I am trying to email Dan directly (as he suggests) but cannot find his email address - does anybody have any ideas?

Thanks,
Loris Meadows
Manager, ICT Security & Risk
Department of Education & Training
2 Treasury Place
East Melbourne VIC 3002
AUSTRALIA

-------
EAP-TLS: machine authentication
Daniel Carroll [EMAIL PROTECTED]
Wed, 21 Jul 2004 22:06:18 -0600
________________________________________

For what it's worth, I encountered a similar problem with EAP/TLS and machine authentication. It turned out that the reason I was having problems was that I had generated my certs in OpenSSL, and OpenSSL was missing one important step that isn't documented on Microsoft's web site about EAP/TLS and machine authentication.

I modified OpenSSL (0.9.7d) to add one extra OID to the PKCS#7 keybag attributes holding the client's private key and that solved my problems. Just having this particular OID present was enough to get it working -- it didn't matter what value the OID was set to.

The OID was: 1.3.6.1.4.1.311.17.2

In my search on the web for this OID, I found a grand total of ONE useful reference to this OID on the web. From what I can tell, the presence of this OID tells Windows XP that the cert is intended for use by the computer itself, and not by an end-user.

The other solution is to use Microsoft's web certificate server to generate these certs.

If you want the patch for OpenSSL, let me know and I'd be happy to mail it to you. Please send me the e-mail directly -- mail sent to the list goes into a folder that I only check infrequently.
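
One way to check whether an exported key file carries the OID named in the message above, as an added example that is not part of the original post or of the OpenSSL patch it mentions. It DER-encodes the OID and searches the raw bytes for it, assuming the key bag's attributes sit outside any encrypted part of the file; the function names and the sample bytes are constructed for illustration.

```python
MACHINE_KEYSET_OID = "1.3.6.1.4.1.311.17.2"   # OID quoted in the message
FRIENDLY_NAME_OID = "1.2.840.113549.1.9.20"   # PKCS#9 friendlyName, for contrast


def tlv(tag: int, content: bytes) -> bytes:
    """Build a DER TLV with a short-form length (content under 128 bytes)."""
    if len(content) > 127:
        raise ValueError("long-form lengths are not needed for this example")
    return bytes([tag, len(content)]) + content


def encode_oid(dotted: str) -> bytes:
    """Return the DER encoding (tag 0x06, length, body) of a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: " + dotted)
    body = bytearray()
    # The first two arcs share one sub-identifier: 40 * arc0 + arc1.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]                 # last base-128 digit, high bit clear
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))  # earlier digits set the high bit
            value >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def find_oid(blob: bytes, dotted: str = MACHINE_KEYSET_OID) -> list:
    """Return every byte offset at which the encoded OID appears in blob."""
    needle, hits, pos = encode_oid(dotted), [], 0
    while (pos := blob.find(needle, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits


# Constructed bag-attribute sets: SET OF SEQUENCE { OID, SET { value } }.
friendly = tlv(0x30, encode_oid(FRIENDLY_NAME_OID)
               + tlv(0x31, tlv(0x1E, "host".encode("utf-16-be"))))
# The message says the attribute's value did not matter, so NULL is used here.
keyset = tlv(0x30, encode_oid(MACHINE_KEYSET_OID) + tlv(0x31, tlv(0x05, b"")))
SAMPLE_WITH = tlv(0x31, friendly + keyset)
SAMPLE_WITHOUT = tlv(0x31, friendly)

if __name__ == "__main__":
    print("with attribute:", find_oid(SAMPLE_WITH))
    print("without attribute:", find_oid(SAMPLE_WITHOUT))
```

To check a real file, pass its contents to `find_oid`, for example `find_oid(open(path, "rb").read())`; an empty list means the encoded OID does not appear in the unencrypted portion.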