Odd. I've done lots of machine authentications, all with OpenSSL-generated certificates/keys, and I've *never* had to use any OID other than the client authentication OID (1.3.6.1.5.5.7.3.2). It's always worked just fine. I've always used PKCS#12 to package the key/cert when loading on the machine, though, not PKCS#7.
--Mike

On Wed, 2004-07-21 at 23:06, Daniel Carroll wrote:
> For what it's worth, I encountered a similar problem with EAP/TLS
> and machine authentication. It turned out that the reason I was
> having problems was that I had generated my certs in OpenSSL, and
> OpenSSL was missing one important step that isn't documented on
> Microsoft's web site about EAP/TLS and machine authentication.
>
> I modified OpenSSL (0.9.7d) to add one extra OID to the
> PKCS#7 keybag attributes holding the client's private key and
> that solved my problems. Just having this particular OID present
> was enough to get it working -- it didn't matter what value the
> OID was set to. The OID was: 1.3.6.1.4.1.311.17.2. In my search
> on the web for this OID, I found a grand total of ONE useful reference
> to this OID on the web. From what I can tell, the presence of this
> OID tells Windows XP that the cert is intended for use by the
> computer itself, and not by an end-user.
>
> The other solution is to use Microsoft's web certificate server
> to generate these certs.
>
> If you want the patch for OpenSSL, let me know and I'd be happy
> to mail it to you. Please send me the e-mail directly -- mail
> sent to the list goes into a folder that I only check infrequently.
>
> - Dan
>
> Ben Walding wrote:
> > It's worth ensuring that you have loaded the private key component of
> > the certificate.
> >
> > Depending on how you generated the cert, you might only have the
> > public key which is utterly useless for machine auth.
> >
> > In the cert file you loaded into MMC, check that there are two parts -
> > private and public. Also, if you didn't have to type in a password to
> > load the machine cert, there is a pretty good chance that you are
> > missing the private key component.
> >
> > We are using freeradius 1.0.0-pre3 successfully with EAP TLS. I can't
> > say it was easy, but we muddled through it and it all seems to work
> > now.
> >
> > Cheers,
> >
> > Ben
> >
> > On Wed, 21 Jul 2004 15:31:58 -0400 (EDT), Joe Meslovich
> > <[EMAIL PROTECTED]> wrote:
> > >
> > > I just wanted to add some information to this message. I turned on EAPOL
> > > file tracing in the registry. When I look at the trace log that is
> > > created on the client, an error is occurring when the client should be
> > > generating the response that contains its credentials. The error code in
> > > the EAPOL log is -2146893802. From what I've seen that error code has to
> > > do with not finding a keyset pair.
> > >
> > > When doing machine authentication do the certificates need to be installed
> > > in a special manner? When I go into mmc I see the certificates that I
> > > installed in the local computer store.
> > >
> > > Joe Meslovich
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
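As an added example (not from any poster in this thread), a shell script that builds a machine-auth PKCS#12 bundle with current OpenSSL and checks it for the three things the thread says matter: the private key is really in the bundle (Ben), the certificate carries the client-auth EKU 1.3.6.1.5.5.7.3.2 (Mike), and the key bag carries the Microsoft "Local machine keyset" attribute 1.3.6.1.4.1.311.17.2 (Dan), which current OpenSSL adds with the pkcs12 -LMK option instead of a source patch. It assumes OpenSSL 1.1.1 or later on PATH; the host name, file names and export password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL >= 1.1.1 on PATH;
# subject, file names and the export password are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=demo-export-password

# 1. Key plus self-signed cert carrying only the client-auth EKU
#    (1.3.6.1.5.5.7.3.2), as in Mike's setup.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=host01.example.test" -addext "extendedKeyUsage=clientAuth" \
  -keyout "$WORK/host.key" -out "$WORK/host.crt" 2>/dev/null

# 2. Package key and cert as PKCS#12. -LMK adds the Microsoft
#    "Local machine keyset" attribute (1.3.6.1.4.1.311.17.2) to the key bag,
#    which is what Dan had to patch into 0.9.7d by hand.
openssl pkcs12 -export -LMK -inkey "$WORK/host.key" -in "$WORK/host.crt" \
  -passout "pass:$PASS" -out "$WORK/host.p12"

# check_p12 FILE PASSWORD: report each check, return 0 only if all pass.
check_p12() {
  p12=$1; pw=$2; rc=0
  dump=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nodes 2>/dev/null)
  # Ben's point: a cert-only bundle gives Windows nothing to sign with.
  if printf '%s\n' "$dump" | grep -q 'PRIVATE KEY'; then
    echo "private key:       present"
  else echo "private key:       MISSING"; rc=1; fi
  # Mike's point: the cert must be usable for TLS client authentication.
  if printf '%s\n' "$dump" | openssl x509 -noout -text 2>/dev/null \
       | grep -q 'TLS Web Client Authentication'; then
    echo "clientAuth EKU:    present"
  else echo "clientAuth EKU:    MISSING"; rc=1; fi
  # Dan's point: OpenSSL prints the attribute by its long name or raw OID.
  if printf '%s\n' "$dump" | grep -Eqi 'local ?key ?set|1\.3\.6\.1\.4\.1\.311\.17\.2'; then
    echo "LocalKeySet attr:  present"
  else echo "LocalKeySet attr:  absent"; rc=1; fi
  return $rc
}

check_p12 "$WORK/host.p12" "$PASS"
```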

