Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Stefan Puch
>> You have to install the ca certificate and the client certificate on the >> client-computer, why should client cert be signed from the server cert? > > Because the idea is to authenticate those users to *that* server, not to > *every* server that got the certificate from that CA. With your a

Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Ivan Kalik
>You have to install the ca certificate and the client certificate on the >client-computer, why should client cert be signed from the server cert? Because the idea is to authenticate those users to *that* server, not to *every* server that got the certificate from that CA. With your approach the

Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Stefan Puch
@Arran Cudbard-Bell > / Is the prefix and suffix to the regular expression string. Any > characters after the / suffix are used as modifiers. FreeRadius only > supports the i modifier to make matches case insensitive. > > resolves to a literal back-slash. Regular expressions use the \ char

Re: Problems using EAP-TLS with freeradius version 2

2008-02-07 Thread Arran Cudbard-Bell
Stefan Puch wrote: @Arran Cudbard-Bell > Write a regular expression to strip off the proceeding \ Here's one I did earlier If I remember correctly it's to escape to one \ in the username ... \\ To escape it in the RegExp string, \\ to make \ literal in the regular expression...

Re: Problems using EAP-TLS with freeradius version 2

2008-02-07 Thread Stefan Puch
@Arran Cudbard-Bell > Write a regular expression to strip off the proceeding \ > Here's one I did earlier If I remember correctly it's to escape to > one \ in the username ... \\ To escape it in the RegExp string, \\ to make \ > literal in the regular expression... I'm not so familiar with

Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Sebastian Heil
> For using EAP-TLS with the Windows Mobile devices I still have to solve > one > problem, which I think would be no problem for you, the problem with the > username of the devices. > > If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a > working configuration, but finally

Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Arran Cudbard-Bell
Stefan Puch wrote: @Alan DeKok I'll bet that if you posted the final Access-Accept from 1.1.7 and from 2.0.1, that they would be *different*. If you make them the same, I'll also bet that the NAS will accept the user. You were right (you win the bet), I accidentally commented out an e

Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Stefan Puch
@Alan DeKok > I'll bet that if you posted the final Access-Accept from 1.1.7 and from > 2.0.1, that they would be *different*. If you make them the same, I'll also > bet that the NAS will accept the user. You were right (you win the bet), I accidentally commented out an entry in the "default"-fi

Re: Problems using EAP-TLS with freeradius version 2

2008-02-05 Thread Reimer Karlsen-Masur, DFN-CERT
Jeffrey Hutzelman wrote on 04.02.2008 00:43: > --On Thursday, January 31, 2008 05:42:50 PM +0100 "Reimer Karlsen-Masur, > DFN-CERT" <[EMAIL PROTECTED]> wrote: > >> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your >> client certificates they might not work with Windows build-

Re: Problems using EAP-TLS with freeradius version 2

2008-02-03 Thread Jeffrey Hutzelman
--On Thursday, January 31, 2008 05:42:50 PM +0100 "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]> wrote: If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client certificates they might not work with Windows built-in supplicant. This is not surprising, if that is the

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Sebastian Heil
> > The first question I would like to get an answer for is: Which certificate > is > needed to sign the client certificate, the CA certificate or the server > certificate? It's nonsense, that the server certificate signs the client certificate... it must be signed by the ca certificate. Sebas

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Alan DeKok
Stefan Puch wrote: > - running "bootstrap" creates ca.pem, server.pem, dh and random which are used > with the radius server (server.pem is signed with ca.pem) > > - running make client.pem creates a client certificate which is signed by the > server certificate (in my opinion that cannot work

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Reimer Karlsen-Masur, DFN-CERT
Stefan Puch wrote on 01.02.2008 09:57: > @Reimer Karlsen-Masur >> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client >> certificates you could work around this by disabling the trust setting of >> valid certificate usage "Microsoft Smartcard Logon" in the CAs properties i

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Stefan Puch
@Reimer Karlsen-Masur > If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client > certificates you could work around this by disabling the trust setting of > valid certificate usage "Microsoft Smartcard Logon" in the CAs properties in > Windows built-in certificate store on th

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Alan DeKok
Stefan Puch wrote: > Therefore the Makefile is used in the same directory. I'm not really sure, but > in Line 93 where the "client.pem" is created it must be > -passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER) Thanks. I've fixed that. > It would also be helpful to inte

Re: Problems using EAP-TLS with freeradius version 2

2008-01-31 Thread Reimer Karlsen-Masur, DFN-CERT
Stefan Puch wrote on 31.01.2008 17:05: > Hello again, ... > @Reimer Karlsen-Masur >> We know of problems with EE certificates in PDAs containing the >> "non-repudiation" flag. If the "non-repudiation" keyUsage *is part* of your client certificates they might not work with some PDAs built-in supp

Problems using EAP-TLS with freeradius version 2

2008-01-31 Thread Stefan Puch
Hello again, @Alan DeKok > But I would first suggest trying to use the test certificates that come with > 2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that > there is something special about the certificates you're using. I tried to generate some test certificates using the

Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
Hello everyone, I've got some problems with the new version of freeradius, but before I'm going to open a new bugreport or post long debugtraces from "radiusd -X" I want to ask here if someone else has made similar experiences. I've set up a freeradius server version 1.1.7 in our club to authenti

Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Alan DeKok
Stefan Puch wrote: > Then some people came with their mobile devices which are running Windows > Mobile > 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began. > The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't > work on e.g. Windows Mobile 6 P

Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Reimer Karlsen-Masur, DFN-CERT
Stefan Puch wrote on 30.01.2008 11:13: > Hello everyone, > > I've got some problems with the new version of freeradius, but before I'm > going > to open a new bugreport or post long debugtraces from "radiusd -X" I want to > ask > here if someone else has made similar experiences. > > I've set

Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
Stefan Puch wrote: >> Then some people came with their mobile devices which are running Windows >> Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the >> problems began. The same EAP-TLS certificate which worked fine on a Windows >> XP machine doesn't work on e.g. Windows Mobile