Ok,
so we might conclude that you're trying eap-tls.

On 9/4/06, Alexandros Gougousoudis <[EMAIL PROTECTED]> wrote:
Hi,

I'm a step ahead. One problem was that the Root-CA cert must be put
manually in the Trusted Root Certificates place (I use a German Windows,
so I am trying to retranslate that into English) on the Windows client. It is
not enough to import it automatically, although the cert shows up in
the list of "Trusted Root Certificates" in the "Authentication" menu of
the network settings. I got this running by starting mmc manually and opening the
Certificate dialog.

But it shows that the problem is deeper. The NetBIOS name of the Windows
machine is "vinfo-t1", and the cert also has this name as its CN. When the PC
tries to authenticate, the username arrives at the RADIUS server as
"host/vinfo-t1", which makes the TLS verify fail. How can the name be
truncated?

I can't even remotely understand why you seem to look for help on one
hand, but on the other keep declining to answer questions put to
you and insist on false assumptions.

--> subject = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/[EMAIL PROTECTED]
--> issuer  = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/[EMAIL PROTECTED]
--> verify return:1
--> verify error:num=9:certificate is not yet valid
   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert write:fatal:bad certificate

So this (assuming it's even the right one) rootCA is rejected by the
server for the reason stated.

Would you please explain how you came to the conclusion that the TLS
verify is failing because of a CN/username mismatch, when one would
expect to read a line like:
radius_xlat:  'host/wbh'
   rlm_eap_tls: checking certificate CN (wbh) with xlat'ed value (host/wbh)
in such a case.

In your setup the server doesn't even reach that point. On a side
note, if in some distant future it does, you might find check_cert_cn
interesting.

And while it doesn't cause any problem for now, would you please get
rid of the "host/vinfo-t1" and "vinfo-t1" stanzas in your users file
and use the default one, as that is, at the very least, a misguided setting
which could be the source of problems further down the road. (For the
time being you don't need anything set there, especially no User-Password,
as we can now guess that you don't want eap-peap.)

regards
K. Hoercher
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

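The reply above makes two separate points: the server rejects the root CA at the validity check (OpenSSL verify error 9, "certificate is not yet valid", which is almost always the RADIUS server's clock being behind the certificate's notBefore), and only a cert that passes that stage ever reaches the CN-versus-xlat'ed-User-Name comparison that check_cert_cn drives. The following script is an added example, not part of the list thread and not FreeRADIUS code: it builds a throwaway self-signed CA with openssl (the subject "/C=DE/O=Example/CN=vinfo-t1" is a constructed placeholder), reproduces error 9 and error 10 by moving the verification time with `openssl verify -attime`, and then runs the same string comparison rlm_eap_tls logs as "checking certificate CN (...) with xlat'ed value (...)", so you can see why "host/vinfo-t1" would not match a CN of "vinfo-t1" even once the clock problem is fixed.

```shell
#!/bin/sh
# Added example, not from the list thread: reproduce the validity check
# (X509_V_ERR numbers 9/10) and the check_cert_cn comparison with openssl.
# The CA subject and the names below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.pem"

# Throwaway self-signed CA whose CN is the client's NetBIOS-style name,
# valid from now for two days. Verifying it at a 2001 timestamp therefore
# yields "error 9 ... certificate is not yet valid", the num=9 of the log.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/C=DE/O=Example/CN=vinfo-t1" \
    -keyout "$WORK/ca.key" -out "$CA" >/dev/null 2>&1
}

# verify_error CERT EPOCH: verify CERT with itself as trust anchor, at the
# time EPOCH instead of the wall clock (-attime). Prints the X509_V_ERR
# number openssl reports, or 0 on success. 9 = not yet valid, 10 = expired.
verify_error() {
  if out=$(openssl verify -CAfile "$1" -attime "$2" "$1" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

# cert_cn CERT: the subject CN, i.e. the value check_cert_cn is compared to.
# RFC2253 output is "subject=CN=...,O=...,C=..."; the first sed turns the
# prefix into a comma so the second can pick the CN component.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= */,/; s/^.*,CN=\([^,]*\).*/\1/p'
}

# cn_matches CERT VALUE: the comparison behind the log line
# "checking certificate CN (cn) with xlat'ed value (value)". check_cert_cn
# does a plain comparison, so "host/vinfo-t1" never equals "vinfo-t1".
cn_matches() {
  [ "$(cert_cn "$1")" = "$2" ]
}

make_ca
NOW=$(date +%s)
# First thing to compare on a real server: its clock against notBefore.
echo "server clock (UTC):  $(date -u)"
echo "cert validity:       $(openssl x509 -in "$CA" -noout -startdate -enddate | tr '\n' ' ')"
echo "verify at now:       err=$(verify_error "$CA" "$NOW")"
echo "verify in 2001:      err=$(verify_error "$CA" 1000000000)"
echo "verify in 10 days:   err=$(verify_error "$CA" "$((NOW + 864000))")"
for name in vinfo-t1 host/vinfo-t1; do
  if cn_matches "$CA" "$name"; then
    echo "CN check '$name': match"
  else
    echo "CN check '$name': mismatch"
  fi
done
```

On a live FreeRADIUS box the equivalent checks are `date -u` next to `openssl x509 -in <ca.pem> -noout -startdate` (a server clock earlier than notBefore produces exactly the "num=9" line in the log) and, for the CN stage, comparing `openssl x509 -noout -subject` with the User-Name the NAS actually sends, which for a Windows machine account is the "host/<name>" form rather than the bare NetBIOS name.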