Hello again, @Alan DeKok > But I would first suggest trying to use the test certificates that come with > 2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that > there is something special about the certificates you're using. I tried to generate some test certificates using the README file provided in the source-code under "freeradius-server-2.0.1/raddb/certs/" Therefore the Makefile is used in the same directory. I'm not really sure, but in Line 93 where the "client.pem" is created it must be -passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER)
Most of the time you will not recognize, because in server.cnf and client.cnf all the passwords are set to "whatever" so they are identical, but when you set them, you will get an error (like me). It would also be helpful to integrate the following command into the ca section, when generating a self-signed CA certificate, because using Windows you need the CA in DER-format: openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der This evening I will try to test if this certificates are working. @Reimer Karlsen-Masur > We know of problems with EE certificates in PDAs containing the > "non-repudiation" flag. > Additionally Windows build-in supplicants don't like EE certificates with > the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2) > when doing EAP-TLS. > Apparently the latter issue can also be solved by just disabling the valid > certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted > usages properties on the system. I'm not sure if understand correctly what you want to say to me (I'm stupid :-)) First I've used TinyCA to generate my certificates, now I will try the Makefile provided in the source-code of freeradius. I think the extendedKeyUsage "Microsoft Smartcard Logon" should not be set in both variants. Or do you mean that the extendedKeyUsage "Microsoft Smartcard Logon" must be disabled on the PDA? Best regards and thanks in advance Stefan Puch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
