I don't know if my chiming in will make a difference or not.

But Windows can authenticate with a machine certificate or a user certificate.

If you're doing the machine certificates, please say so, I'm a little confused as to what exactly you are doing now.

-Bob

Thibault Le Meur wrote:
Hello Alan,

Alan DeKok wrote:
  No.  It means that there is NO client cert.  The authentication
process continues, so it's obviously not a catastrophic problem.

Is it simply not sent, or somehow not available? Because I know for sure that there is a cert on the client. And I did nothing different from what I did on the other machines, where it has been working for two weeks.

Just to make it explicit: I create a user cert in TinyCA2 (Linux). I export the cert as a p12 and include the key and the CA in that p12 container. I also disable the passphrase. I put that file on the network where the client can find it.


I have a similar configuration working (EAP-TLS for XP and TinyCA-generated certs). I found out that the way certificates are created is important. Can you check the following procedure (something I have already posted to you on this list, sorry for reposting it ;-) ).

---------------------------------------------
* Create a certificate per host:
- cn must contain the NetBIOS name of the PC
- the extension SubjectAltName must contain the NetBIOS name of the PC (I think)
- The field Extended Key Usage must contain the option 'TLS Web Client Authentication' (OID 1.3.6.1.5.5.7.3.2)
- Note that the RADIUS server's certificate must contain the 1.3.6.1.5.5.7.3.1 extension
- The certificate can be exported into a PKCS12 file .p12 (this includes the private key). The certificate MUST be installed in the HOST CERTIFICATE STORE (simply double-clicking the file will NOT work): run 'mmc' and add the Snap-in 'Certificate>Local Computer', then in the private folder import the .p12 file and in the Trusted Root CA the CA certificate.
--------------------------------

Can you check the NetBIOS name and CN correspondence?

I've seen that you integrate the email address in the subject (an option in TinyCA): can you disable this?

On the client I open the MMC as local admin and include the Snap-In Certificates for Local Computer. Then I import the created cert into My Certificates and copy the CA cert into the "trusted certification centers" tree (it's in German). It worked for two other W2K PCs and for four XP Pro SP2 PCs.


This is OK, but are the certificates generated in _exactly_ the same way?

Can you post 2 certificates: one which is working and another which is not?

Could you also check the certs' validity dates and the system time of your hosts?

HTH,
Thibault
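The checklist in Thibault's message (CN = NetBIOS name, SubjectAltName carrying the same name, clientAuth EKU on the client cert, serverAuth EKU on the RADIUS cert, no emailAddress in the subject, passphrase-less .p12 with the CA included, validity dates) is easy to get subtly wrong in a GUI CA. Below is an added example, not code from the thread or from TinyCA, that does the same job with the plain openssl command line and then runs the pre-flight checks Thibault asks for against the resulting files. It assumes an openssl 1.1.1 or 3.x binary on the PATH; the names PC01, radius.example.test and "Lab EAP-TLS CA" are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): generate EAP-TLS certificates with
# openssl instead of TinyCA, mirroring the checklist above, then verify the
# fields the thread says matter. All names below are hypothetical; $WORK is
# a scratch directory.
set -e

WORK="${WORK:-$(mktemp -d)}"
CLIENT_HOST="PC01"                 # NetBIOS name of the Windows client (made up)
RADIUS_HOST="radius.example.test"  # name of the FreeRADIUS server (made up)
CLIENT_EKU="TLS Web Client Authentication"   # OID 1.3.6.1.5.5.7.3.2
SERVER_EKU="TLS Web Server Authentication"   # OID 1.3.6.1.5.5.7.3.1

# Self-signed CA; ca.pem is what goes into the Windows Trusted Root store.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Lab EAP-TLS CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_cert NAME EKU PREFIX: CN and SAN both carry NAME; EKU is clientAuth
# or serverAuth. The subject deliberately has no emailAddress component.
issue_cert() {
  name=$1 eku=$2 prefix=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.csr" 2>/dev/null
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    "extendedKeyUsage=$eku" \
    "subjectAltName=DNS:$name" > "$WORK/$prefix.ext"
  openssl x509 -req -days 365 -in "$WORK/$prefix.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$prefix.ext" -out "$WORK/$prefix.pem" 2>/dev/null
}

# export_p12 PREFIX: key + cert + CA in one passphrase-less .p12, i.e. the
# bundle the poster copies to the client and imports through mmc.
export_p12() {
  openssl pkcs12 -export -passout pass: \
    -inkey "$WORK/$1.key" -in "$WORK/$1.pem" -certfile "$WORK/ca.pem" \
    -out "$WORK/$1.p12"
}

# check_cert FILE EXPECTED_CN EKU_TEXT: the checks from the thread. Returns 0
# only if CN matches, SAN carries the name, the EKU is present, the subject
# has no emailAddress, and the certificate has not expired.
check_cert() {
  cert=$1 want=$2 eku=$3
  subject=$(openssl x509 -in "$cert" -noout -subject)
  text=$(openssl x509 -in "$cert" -noout -text)
  case "$subject" in
    *"CN = $want"*|*"CN=$want"*) ;;           # both old and new -subject layouts
    *) echo "CN does not match $want: $subject" >&2; return 1 ;;
  esac
  case "$subject" in
    *emailAddress*) echo "subject carries emailAddress" >&2; return 1 ;;
  esac
  printf '%s\n' "$text" | grep -q "DNS:$want" \
    || { echo "SAN lacks DNS:$want" >&2; return 1; }
  printf '%s\n' "$text" | grep -q "$eku" \
    || { echo "EKU lacks '$eku'" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 1; }
}

# Build the CA, one client cert and one server cert, export the client
# bundle, and run the checks on both certificates.
run_demo() {
  make_ca
  issue_cert "$CLIENT_HOST" clientAuth client
  issue_cert "$RADIUS_HOST" serverAuth server
  export_p12 client
  check_cert "$WORK/client.pem" "$CLIENT_HOST" "$CLIENT_EKU"
  check_cert "$WORK/server.pem" "$RADIUS_HOST" "$SERVER_EKU"
  echo "OK: certificates written to $WORK"
}

run_demo
```

Run the checks on the certificates from the two TinyCA profiles (working and non-working PC) by calling check_cert on each exported .pem with the PC's NetBIOS name; the first failing check is printed on stderr. One caveat for XP and W2K clients: OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which those systems cannot read, so export with `-legacy` (or `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`) for them. On current Windows the mmc steps above correspond to Import-PfxCertificate into Cert:\LocalMachine\My and Import-Certificate into Cert:\LocalMachine\Root.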

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html