Hi Everyone,
I've followed Raymond McKay's EAP-TLS for FreeRADIUS HOWTO step by step at
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
The documentation is excellent and highly recommended for anyone who would like to set up EAP-TLS with the FreeRADIUS server. However, I've run into a minor problem.
When I tried to install the certificate that I created on the Linux machine onto the Windows XP (SP1) machine, I'm getting an error that my password is not correct. Here are the steps that I used to create the certificates on the Linux server (by running CA.root, CA.svr mail, CA.clt winXP), where mail is the name of the Linux server and winXP is the name of the Windows XP SP1 machine:
[root@mail ssl]# pwd
/usr/local/openssl-certgen/ssl
[root@mail ssl]# ls
CA.clt CA.svr demoCA man openssl.cnf private
CA.root certs lib misc openssl.cnf.orig xpextensions
[root@mail ssl]# CA.root
*********************************************************************************
Creating self-signed private key and certificate
When prompted override the default value for the Common Name field
*********************************************************************************
Generating a 1024 bit RSA private key
...........................++++++
...................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Virginia]:
Locality Name (eg, city) [Herndon]:
Organization Name (eg, company) [micronetsolution]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [Micronetsolution Wireless Network]:
Email Address [[EMAIL PROTECTED]]:
*********************************************************************************
Creating a new CA hierarchy (used later by the ca command) with the certificate
and private key created in the last step
*********************************************************************************
*********************************************************************************
Creating ROOT CA
*********************************************************************************
MAC verified OK
[root@mail ssl]# CA.svr mail
*********************************************************************************
Creating server private key and certificate
When prompted enter the server name in the Common Name field.
*********************************************************************************
Generating a 1024 bit RSA private key
........++++++
.............................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Virginia]:
Locality Name (eg, city) [Herndon]:
Organization Name (eg, company) [micronetsolution]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [Micronetsolution Wireless Network]:mail
Email Address [[EMAIL PROTECTED]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /usr/local/openssl-certgen/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 15 04:36:56 2002 GMT
            Not After : Nov 15 04:36:56 2003 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Virginia
            localityName              = Herndon
            organizationName          = micronetsolution
            commonName                = mail
            emailAddress              = [EMAIL PROTECTED]
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Nov 15 04:36:56 2003 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
MAC verified OK
[root@mail ssl]# CA.clt winXP
*********************************************************************************
Creating client private key and certificate
When prompted enter the client name in the Common Name field. This is the same
used as the Username in FreeRADIUS
*********************************************************************************
Generating a 1024 bit RSA private key
........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Virginia]:
Locality Name (eg, city) [Herndon]:
Organization Name (eg, company) [micronetsolution]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [Micronetsolution Wireless Network]:tranda1
Email Address [[EMAIL PROTECTED]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /usr/local/openssl-certgen/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 15 04:37:24 2002 GMT
            Not After : Nov 15 04:37:24 2003 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Virginia
            localityName              = Herndon
            organizationName          = micronetsolution
            commonName                = tranda1
            emailAddress              = [EMAIL PROTECTED]
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Nov 15 04:37:24 2003 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
MAC verified OK
[root@mail ssl]# ls
CA.clt demoCA mail.pem openssl.cnf root.p12 winXP.pem
CA.root lib man openssl.cnf.orig root.pem xpextensions
CA.svr mail.der misc private winXP.der
certs mail.p12 newcert.pem root.der winXP.p12
[root@mail ssl]#
As you can see, I have the *.der, *.pem and *.p12 files in the /usr/local/openssl-certgen/ssl directory. I copied these files into the /etc/1x/ directory. I also FTP'd the root.der and winXP.p12 files over to the winXP machine. Now when I run the root.der file, it works; however, when I execute the winXP.p12 file, it prompts me for the password just like you indicated in the documentation; however, when I enter the challenge password, it tells me that the password is "incorrect". My challenge password is "123456", which I entered when I created the CA. Why it doesn't work is beyond my understanding of CAs.
Can anyone tell me what I am doing wrong here? Once again, thank you very much for helping me out here.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
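The post above types "123456" at the CSR prompt "A challenge password []:" and then expects that value to unlock winXP.p12. The script below is an added example (not from the post or from the HOWTO it cites) that reproduces the two steps with plain openssl commands: it stores a challenge password in a client CSR the way those prompts do, signs the request with a throwaway CA, exports a .p12 bundle under a separate export password, and then checks which of the two secrets actually verifies the bundle. It assumes the openssl command line tool is installed; every name, path and password in it is constructed.

```shell
#!/bin/sh
# Constructed demo: CSR "challenge password" vs. PKCS#12 export password.
# Assumes the openssl CLI; all names, paths and passwords here are made up.
set -e
WORK=$(mktemp -d)
CHALLENGE=123456        # answered at "A challenge password []:" (a CSR attribute)
EXPORT_PW=exportsecret  # answered at "Enter Export Password:" (protects the .p12)

# Throwaway self-signed root CA, created non-interactively.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Client CSR; the challenge password is written into the request as an attribute.
cat > "$WORK/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
attributes = attrs
[ dn ]
CN = tranda1
[ attrs ]
challengePassword = $CHALLENGE
EOF
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null

# The .p12 bundle is locked with the export password, which is a separate secret.
openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
  -certfile "$WORK/root.pem" -out "$WORK/client.p12" -passout "pass:$EXPORT_PW"

# Returns 0 if the CSR carries a challengePassword attribute (it never leaves the CSR).
csr_has_challenge() {
  openssl req -in "$WORK/client.csr" -noout -text | grep -q challengePassword
}

# Returns 0 only if the .p12 MAC verifies with the given password.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/client.p12" -noout -passin "pass:$1" 2>/dev/null
}

csr_has_challenge && echo "CSR carries the challengePassword attribute"
p12_opens_with "$EXPORT_PW" && echo "client.p12 opens with the export password"
p12_opens_with "$CHALLENGE" || echo "client.p12 does NOT open with the challenge password"
```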