For what it's worth, I encountered a similar problem with EAP/TLS
and machine authentication.  It turned out that the reason I was
having problems was that I had generated my certs in OpenSSL, and
OpenSSL was missing one important step that isn't documented on
Microsoft's web site about EAP/TLS and machine authentication.

I modified OpenSSL (0.9.7d) to add one extra OID to the
PKCS#7 keybag attributes holding the client's private key and
that solved my problems.  Just having this particular OID present
was enough to get it working -- it didn't matter what value the
OID was set to.  The OID was: 1.3.6.1.4.1.311.17.2.  In my search
on the web for this OID, I found a grand total of ONE useful reference
to this OID on the web.  From what I can tell, the presence of this
OID tells Windows XP that the cert is intended for use by the
computer itself, and not by an end-user.

The other solution is to use Microsoft's web certificate server
to generate these certs.


If you want the patch for OpenSSL, let me know and I'd be happy
to mail it to you.  Please send me the e-mail directly -- mail
sent to the list goes into a folder that I only check infrequently.

        - Dan
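
As an added example (it is not Dan's OpenSSL patch, nor code from the freeradius project), here is a small standard-library Python script that inspects a PKCS#12 SafeBag in DER form for the bag attribute Dan describes, OID 1.3.6.1.4.1.311.17.2, and appends it with an empty value set when it is missing, which matches his observation that the value does not matter. The DER reader/writer, the OID codec and the sample key bag are all constructed for this example; the sample bag's bagValue is a placeholder OCTET STRING, not a real EncryptedPrivateKeyInfo.

```python
"""Inspect or repair a PKCS#12 SafeBag for the Microsoft LocalKeySet attribute.

Added example, not the original poster's OpenSSL patch. Standard library only:
a minimal DER TLV reader/writer, an OID codec, and a constructed sample bag.
"""

LOCAL_KEY_SET_OID = "1.3.6.1.4.1.311.17.2"         # the OID from the message
PKCS8_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
LOCAL_KEY_ID = "1.2.840.113549.1.9.21"

# DER tag bytes used below
SEQUENCE, SET, OID, OCTET_STRING, CTX0 = 0x30, 0x31, 0x06, 0x04, 0xA0


def encode_oid(dotted):
    """Dotted OID string -> DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body):
    """DER content octets -> dotted OID string."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag, body):
    """Wrap body in a DER tag/length/value triple (definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlvs(data):
    """Split data into a list of (tag, body) for its consecutive DER elements."""
    items, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:
            count = length & 0x7F
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        items.append((tag, data[i:i + length]))
        i += length
    return items


def bag_attribute_oids(safe_bag):
    """Return the attrId OIDs in a SafeBag's optional bagAttributes SET."""
    tag, body = read_tlvs(safe_bag)[0]
    if tag != SEQUENCE:
        raise ValueError("SafeBag must be a SEQUENCE")
    fields = read_tlvs(body)          # bagId, [0] bagValue, bagAttributes (optional)
    if len(fields) < 3 or fields[2][0] != SET:
        return []
    return [decode_oid(read_tlvs(attr)[0][1]) for _, attr in read_tlvs(fields[2][1])]


def has_local_key_set(safe_bag):
    return LOCAL_KEY_SET_OID in bag_attribute_oids(safe_bag)


def add_local_key_set(safe_bag):
    """Return the SafeBag with the LocalKeySet attribute present (empty value set,
    since the message notes the value is irrelevant); unchanged if already there."""
    fields = read_tlvs(read_tlvs(safe_bag)[0][1])
    if len(fields) < 2:
        raise ValueError("SafeBag needs bagId and bagValue")
    attrs = [tlv(t, b) for t, b in read_tlvs(fields[2][1])] if len(fields) > 2 else []
    if not has_local_key_set(safe_bag):
        attrs.append(tlv(SEQUENCE, tlv(OID, encode_oid(LOCAL_KEY_SET_OID)) + tlv(SET, b"")))
    # DER requires SET OF members in sorted order of their encodings
    return tlv(SEQUENCE, tlv(*fields[0]) + tlv(*fields[1]) + tlv(SET, b"".join(sorted(attrs))))


def constructed_key_bag():
    """Constructed sample: a pkcs8ShroudedKeyBag carrying only localKeyID, roughly
    what an unpatched OpenSSL 0.9.7 export produced. The bagValue is a placeholder
    OCTET STRING, not a real EncryptedPrivateKeyInfo."""
    bag_value = tlv(CTX0, tlv(OCTET_STRING, b"placeholder-encrypted-key"))
    key_id = tlv(SEQUENCE, tlv(OID, encode_oid(LOCAL_KEY_ID)) + tlv(SET, tlv(OCTET_STRING, b"\x01")))
    return tlv(SEQUENCE, tlv(OID, encode_oid(PKCS8_SHROUDED_KEY_BAG)) + bag_value + tlv(SET, key_id))


if __name__ == "__main__":
    bag = constructed_key_bag()
    print("before:", bag_attribute_oids(bag))
    fixed = add_local_key_set(bag)
    print("after: ", bag_attribute_oids(fixed))
```

The read side is the part a defender reuses: when a machine certificate that looks fine in the MMC store still fails EAP-TLS, walking the key bag's attributes shows in seconds whether this marker is present. Later OpenSSL releases add the same attribute themselves when you export with `openssl pkcs12 -export -LMK`, which is why a source patch was only needed on 0.9.7-era builds.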


Ben Walding wrote:
> It's worth ensuring that you have loaded the private key component of
> the certificate.
>
> Depending on how you generated the cert, you might only have the
> public key which is utterly useless for machine auth.
>
> In the cert file you loaded into MMC, check that there are two parts -
> private and public.  Also, if you didn't have to type in a password to
> load the machine cert, there is a pretty good chance that you are
> missing the private key component.
>
> We are using freeradius 1.0.0-pre3 successfully with EAP TLS.  I can't
> say it was easy, but we muddled through it and it all seems to work
> now.
>
>
> Cheers,
>
> Ben
> On Wed, 21 Jul 2004 15:31:58 -0400 (EDT), Joe Meslovich
> <[EMAIL PROTECTED]> wrote:
> >
> > I just wanted to add some information to this message. I turned on EAPOL
> > file tracing in the registry. When I look at the trace log that is
> > created on the client, an error is occurring when the client should be
> > generating the response that contains its credentials. The error code in
> > the EAPOL log is -2146893802. From what I've seen that error code has to
> > do with not finding a keyset pair.
> >
> > When doing machine authentication do the certificates need to be installed
> > in a special manner? When I go into mmc I see the certificates that I
> > installed in the local computer store.
> >
> > Joe Meslovich


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
