Hi,
it works now. Thanks Thibault, you saved my day, again! :-)
You're welcome
- the extension SubjectAltName must contain the Netbios name of the
PC (I think)
This had no meaning in my tests. Anyway, a type must be chosen for
that field. Did you take DNS-Name, Email or Raw?
I use DNS-Name
I have now taken DNS-Name, but in another case there was an email in
that field and the system authenticates without problems. So I think you
can leave this field out.
Ok.
I've seen that you integrate the emailaddress in the subject (an
option in TinyCA): can you disable this ?
Yupp, this was the mistake. It is somehow on by default. I switched
it off and created new certs as you wrote and the XP Machine works
now too. Hell, I'm gonna print your mail and hang it in front of me.
The problem is that Microsoft doesn't describe exactly how certificates
must be generated in order to have host authentication nor how the EAP
request is made (using host/Netbios-name as the identity). This is
because (I presume), they want us to use IAS and their certificate
management software.
This is ok, but are the certificates _exactly_ generated in the same way ?
Obviously not. As I made the same mistake over and over again. I have
now only the problem of one W2K Machine, not even asking the
Radius-Server.
I'm not sure this will be an issue on the radius server.
I assume it's some kind of incompatibility of drivers or NIC.
I don't think so. I think it's Windows XP that doesn't recognize the
host certificate as a valid one because its "subject" doesn't match
exactly the netbios name of the host.
Thanks for your help:
Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif
Thanks, could you send me a fridge as well to keep them fresh... It's
hot in my office today ;-).
Thibault.