Hi,

I can't even remotely understand why you seem to look for help on one
hand, but on the other one keep declining answers to questions put to
you and insisting on false assumptions.

That's why I might not understand what you're asking. :-)

--> verify error:num=9:certificate is not yet valid
   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert write:fatal:bad certificate

I fixed that problem. The time on the certificate issuing server, the RADIUS server and the client was different. So the cert wasn't valid, because the creation time was in the future. I've now put them all on my NTP server.

The "check_cert_cn" was a test to check if the username has something to do with the failing certs and is disabled now again. I found that if the certs are valid, the username is not important. I used the OIDs mentioned in the HowTos, not Alan's.

And while it doesn't cause any problem for now, would you please get
rid of the "host/vinfo-t1" and "vinfo-t1" stanzas in your users file

The idea of that was to control the logon of already authorized clients, i.e. to not accept a client with a valid cert. This could be done more elegantly with an SSL CRL, but for now it's easier to maintain in the users file. Of course passwords are useless if nothing like PEAP is done (this entry was for testing).

I conclude that it works now with W2K SP4. The main problem was the different times on all participating computers. If confs and certs are done according to the earlier mentioned HowTo, it'll work. Although the setup of the users file is still unclear to me, because I don't know how to handle the acceptance of the clients if the client cannot be described via Auth-Type in the users file. Maybe somebody could enlighten me.

I still have to check if I really need the registry hack (set the "HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode" value to '2') mentioned by Thibault LeMeur earlier on the list.

Next I'll try to check the client's name against our LDAP database (for the Samba domain) in the users file, to allow only those clients which are in our domain.

Thanks for the help
Alex


--
ServiceCenter IT - Alexandros Gougousoudis (Head)

Joint institution of the Kunsthochschule Berlin-Weissensee, the Hochschule für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst Busch".

Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
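As an added illustration of the clock-skew failure Alex describes (this is not code from the message or from the FreeRADIUS project), the following Python reproduces the strict validity-window test behind OpenSSL's "verify error:num=9:certificate is not yet valid" on the dates that `openssl x509 -noout -dates` prints, and reports how far the verifying host's clock is from the certificate's notBefore. The certificate dates and the RADIUS server time are constructed sample values; only the error numbers and messages are OpenSSL's own.

```python
import ssl
from datetime import datetime, timedelta, timezone

# OpenSSL X509 verify result codes that concern the validity window.
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9    # the "num=9" seen in the rlm_eap_tls log
X509_V_ERR_CERT_HAS_EXPIRED = 10

VERIFY_MESSAGES = {
    X509_V_OK: "ok",
    X509_V_ERR_CERT_NOT_YET_VALID: "certificate is not yet valid",
    X509_V_ERR_CERT_HAS_EXPIRED: "certificate has expired",
}

# Constructed sample: what `openssl x509 -noout -dates -in client.pem` prints
# for a hypothetical client certificate issued by a CA whose clock ran ahead.
SAMPLE_DATES_OUTPUT = """notBefore=Mar  3 14:05:00 2004 GMT
notAfter=Mar  3 14:05:00 2005 GMT
"""


def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines from `openssl x509 -dates`.

    Returns (not_before, not_after) as timezone-aware UTC datetimes.
    ssl.cert_time_to_seconds() understands OpenSSL's "Mon DD HH:MM:SS YYYY GMT"
    layout, including the space-padded day of month ("Mar  3").
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected both notBefore and notAfter lines")
    return fields["notBefore"], fields["notAfter"]


def check_validity_window(not_before, not_after, now):
    """Apply the same strict window test OpenSSL uses (no tolerance at all).

    Returns (verify_error_number, clock_offset): the OpenSSL error number and
    how far `now` would have to move for the certificate to become valid
    (zero when it already is). A small offset on a freshly issued certificate
    is the classic sign of unsynchronised clocks between CA, server and client.
    """
    if now < not_before:
        return X509_V_ERR_CERT_NOT_YET_VALID, not_before - now
    if now > not_after:
        return X509_V_ERR_CERT_HAS_EXPIRED, now - not_after
    return X509_V_OK, timedelta(0)


def diagnose(dates_output, now, skew_limit=timedelta(days=1)):
    """Turn the verify result into a one-line hint for the RADIUS admin."""
    not_before, not_after = parse_openssl_dates(dates_output)
    code, offset = check_validity_window(not_before, not_after, now)
    if code == X509_V_OK:
        return "ok"
    line = "verify error:num=%d:%s" % (code, VERIFY_MESSAGES[code])
    if code == X509_V_ERR_CERT_NOT_YET_VALID and offset <= skew_limit:
        # Less than a day ahead: almost certainly clock skew, not a future-dated cert.
        line += " (notBefore is only %s ahead of this host: check NTP on the CA and the RADIUS server)" % offset
    return line


if __name__ == "__main__":
    # Hypothetical RADIUS server clock, 65 minutes behind the issuing CA.
    radius_now = datetime(2004, 3, 3, 13, 0, tzinfo=timezone.utc)
    print(diagnose(SAMPLE_DATES_OUTPUT, radius_now))
```

Run it against the real output of `openssl x509 -noout -dates` on the failing client or server certificate and the current time of the RADIUS host; once all three machines take their time from the same NTP server the offset collapses to zero and the same check returns "ok".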


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
