Couple of things:
1. Make sure the CA certificate also exists in the Local Computer
Trusted Roots Store.
2. For Windows 2000, make sure that the machine name is in the CN or
subjAltName fields of the certificate. It can be just the local part of
the FQDN, so if the FQDN of your machine is somemachine.domain.com, then
the CN can be just somemachine or it can be somemachine.domain.com.
3. Make sure that when you copied the certificate from the Personal
Store to the Local Computer store that the Private Key was copied as
well.
4. Note that when Windows connects with computer authentication, it
will prepend "host/" onto the CN field of the certificate. So, if you
use the check_cert_cn option in the EAP-TLS setup, you'll need to
probably run it through the hints file with a prefix of "host/" to
create the Stripped-User-Name attribute, and change the check_cert_cn
option to be "%{Stripped-User-Name:-%{User-Name}}".
--Mike
On Thu, 2004-06-24 at 16:01, Jeremy Scribner wrote:
> Yesterday installed freeradius-snapshot-20040623 &
> openssl-SNAP-20040623 in hopes of using it for Wireless
> Authentication. I followed the instructions from the different
> FreeRadius TLS How-to, and can successfully make authentication work
> using the client user certificate.
>
> My problem now is I would like to create a certificate that
> authenticates just the computer and not worry about user
> certificates. I know many of the security experts out there are
> shuddering by my even thinking about using a single certificate for
> authentication, but my environment doesn't work well for distributing
> individual certificates to all of my users. Our laptops are used for
> training purposes and students don't use the same laptop every time.
> Is there something special I need to do to create a machine
> certificate vs a user certificate?
>
> If I move the user certificate to the (Local Computer) I cannot
> connect.
>
> My Environment consists of:
>
> Linux Red Hat 9 Server running FreeRadius and OpenSSL
>
> Cisco 350 Series AP
>
> Windows XP SP 1 & Windows 2000 SP 4 Laptops
>
> Thank-you in advance for any help
>
> Jeremy Scribner
--
--Mike
----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
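
An added example, not part of the message above and not FreeRADIUS code: a small Python model of item 4, showing why a check_cert_cn of "%{User-Name}" rejects a machine certificate while the stripped form with a fallback accepts both machine and user logins. The request dictionaries and the user name are constructed, and the exact-match comparison and the simplified "%{Attr:-fallback}" expansion are assumptions about how the server evaluates the option.

```python
import re

# Per the message above: computer authentication sends "host/" + certificate CN.
MACHINE_PREFIX = "host/"
_XLAT = re.compile(r"%\{([\w-]+)(?::-((?:%\{[^{}]*\}|[^{}])*))?\}")

def apply_hints(request, prefix=MACHINE_PREFIX):
    """Model a hints rule: strip `prefix` from User-Name into Stripped-User-Name."""
    out = dict(request)
    name = out.get("User-Name", "")
    if name.startswith(prefix) and len(name) > len(prefix):
        out["Stripped-User-Name"] = name[len(prefix):]
    return out

def expand(template, request):
    """Expand %{Attr} and %{Attr:-fallback}; an unset attribute uses the fallback."""
    def repl(match):
        value = request.get(match.group(1))
        if value:
            return value
        fallback = match.group(2)
        return expand(fallback, request) if fallback else ""
    return _XLAT.sub(repl, template)

def cn_check_passes(check_cert_cn, request, cert_cn):
    """Assumed semantics: the expanded string must equal the certificate CN exactly."""
    return expand(check_cert_cn, request) == cert_cn

# Constructed sample requests (names are illustrative).
MACHINE = {"User-Name": "host/somemachine.domain.com"}
USER = {"User-Name": "student01"}
PLAIN = "%{User-Name}"
STRIPPED = "%{Stripped-User-Name:-%{User-Name}}"

if __name__ == "__main__":
    for label, req, cn in [("machine", MACHINE, "somemachine.domain.com"),
                           ("user", USER, "student01")]:
        hinted = apply_hints(req)
        for option in (PLAIN, STRIPPED):
            print(label, option, cn_check_passes(option, hinted, cn))
```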