Message: 5
Date: Mon, 16 Oct 2006 22:36:14 +0200
From: "Josh Shamir" <[EMAIL PROTECTED]>
Subject: Re: WPA authentication works only with MacOS clients
To: "FreeRadius users mailing list"
        <freeradius-users@lists.freeradius.org>
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

"Hi Jason,
I want to use PEAP.
So I can use PEAP on a WinXP SP2 client without any other supplicant,
using its native supplicant. The problem is that with the native WinXP
supplicant the authentication process fails, and the freeradius server gives
me an error regarding certificates. The strange thing is that with the
same certificates, PEAP works fine with Mac OS X.

Could it be a problem with the certificates? I generate certificates with
CA.all. Any ideas about how to generate certificates that also work with
the MS WinXP client?"

This is a common problem. Windows XP requires that the server and client
certificates have specific attributes. This is useful because it prevents a
man-in-the-middle attack where an authentic client masquerades as a
server using its client cert.

You need to use Microsoft's Extended Attributes:

[ xpclient_ext ]
# id-kp-clientAuth: marks the certificate as usable for client authentication
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
# id-kp-serverAuth: marks the certificate as usable for server authentication
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

See http://www.linuxjournal.com/node/8095/print for detailed
instructions on how to create a server certificate that will work with PEAP
and MS clients. The HOWTO is for EAP-TLS, which requires client and
server certificates. Since you are using PEAP, you just need to create
the server certificate. Good luck.

In particular you'll want to do:

# Generate the server key and certificate signing request
openssl req -new -keyout server_key.pem -out server_req.pem -days 730 \
-config ./openssl.cnf

# Sign the request with the CA, adding the serverAuth extended key usage
openssl ca -config ./openssl.cnf \
-policy policy_anything -out server_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions \
-infiles ./server_req.pem

You'll now have server_cert.pem (Public Certificate) and server_key.pem
(Private Key, which has no password). The public certificate will have
the Server extended key usage extension set, and now your XP client
should authenticate.

Jason Wittlin-Cohen

P.S.: Sorry for the double post. My last message had flowed text, making
it very difficult to read, so I decided to resend it.