Hi.

[EMAIL PROTECTED] wrote:
> either use your current tool but include the XP extensions as required,

Just to be precise. The named extensions are PKIX extensions for serverAuth
(OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID
1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Also if a client certificate is used on Windows with EAP-TLS the
extendedKeyUsage "Microsoft SmartCard Logon" (OID 1.3.6.1.4.1.311.20.2.2)
*must not* be present because Windows won't be able to use/choose such a
client certificate to authenticate at the RADIUS server.

It is only Windows that is looking at these extendedKeyUsages in the
certificate and expecting the correct extensions here.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
