Hello Alan,

Alan DeKok schrieb:
  No.  It means that there is NO client cert.  The authentication
process continues, so it's obviously not a catastrophic problem.

Is it simply not sent, or somehow not available? Because I know for sure that there is a cert on the client. And I did nothing different from the other machines, where it has been working for 2 weeks.

Just to make it explicit: I create a user cert in TinyCA2 (Linux). I export the cert as a p12 and include the key and the CA in that p12 container. I also disable the passphrase. I put that file on the network where the client can find it.

On the client I open the MMC as local admin and add the Certificates snap-in for the local computer. Then I import the created cert into the Personal ("My Certificates") store and copy the CA cert into the "Trusted Root Certification Authorities" tree (the UI is in German). It worked for two other W2K PCs and for four XP Pro SP2 PCs.

The APs are Linksys switches, and they do what they should.

  For PEAP and TTLS, there *is* no client cert.

I use EAP-TLS for machine authentication (in Windows, the "Smartcard or Certificate" authentication).

It also means that in my authorize section (Auth-Type := EAP)
  Can you explain why you're doing this?  All of the server
documentation, and many posts on this list say it's wrong.

Because if I only do machine authentication, every machine that has a valid cert can connect to the network.

If I write the explicit hostname in the users file, I have more control over the individual clients connecting. If they are not in the list, they're not allowed to connect, regardless of whether they have a valid cert or not. I think it could be done more elegantly using CRLs, but I'm not at that point yet. I'm trying to understand why one PC can connect and the other cannot, although I followed the same procedure.

Thanks for your help
 Alex


--
ServiceCenter IT - Alexandros Gougousoudis (Head)

Joint institution of the Kunsthochschule Berlin-Weissensee, the Hochschule für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst Busch".

Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

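An added configuration example, not from this thread and not Alex's or Alan's actual config: it combines Alan's point (let the eap module set Auth-Type in authorize instead of forcing Auth-Type := EAP) with the per-machine whitelist Alex wants. It uses FreeRADIUS 1.x file syntax; the hostnames and the "host/<FQDN>" identities are assumptions (Windows machine authentication sends host/<FQDN> as the EAP identity), and check_cert_cn assumes the client cert's CN is exactly that identity, so with TinyCA-issued certs whose CN is something else that line must be adjusted or dropped.

```text
# raddb/users  (FreeRADIUS 1.x; hostnames are made up for the example)
#
# Machines allowed on the network, keyed by the EAP identity Windows
# sends for machine authentication (host/<FQDN>). An entry with no
# check or reply items still matches, and without Fall-Through the
# users file stops processing there, so whitelisted machines never
# reach the DEFAULT below. Auth-Type is deliberately NOT set here:
# the eap module has already set Auth-Type = EAP in authorize.
"host/pc01.example.org"
"host/pc02.example.org"

# Everything else is refused, even with a certificate our CA signed.
DEFAULT	Auth-Type := Reject

# raddb/eap.conf, tls section (excerpt)
#
# Bind the presented certificate to the identity: the CN of the client
# cert must equal the User-Name, so one machine cannot claim another
# whitelisted hostname. Assumes the cert CN equals the EAP identity.
tls {
	check_cert_cn = %{User-Name}
}
```

Run the server with radiusd -X while a whitelisted and a non-whitelisted machine try to connect: in the debug output the eap module, not the users file, should be the one setting Auth-Type, and the unknown host should be rejected by the DEFAULT entry before any TLS handshake completes.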