Meyers, Dan wrote:
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does not require a client certificate. My understanding however is that for passing of the server certificate to validate our server to the clients the options with the tls subsection of the eap.conf file are still used.

For that you need to export just the intermediate certificate used to sign the server certificate onto the clients. They should have the root one already.

Import intermediate certificate (.der or .crt version) onto a client. Copy server.crt onto the client desktop and see if Windows recognized the chain.

Yes, if I import just the intermediate certificate to the client,
install it, and then try and auth, the chain is picked up correctly (or
if I just copy across the server cert and check it). But of course the
reason for this is because the intermediate cert is then directly
trusted by the client, and the server cert is signed by it.
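The situation Dan describes (the client trusts only the root, and the server certificate is signed by an intermediate) can be reproduced outside Windows with a few openssl commands. The script below is an added example, not code from this thread or from FreeRADIUS: it builds a throwaway root -> intermediate -> server chain and then checks whether server.crt verifies against the root alone, and again with the intermediate supplied as chain material. The CA names, the hostname radius.example.test and the helper function names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): build a throwaway
# root -> intermediate -> server chain and show that the server certificate
# only verifies against the root when the intermediate is also available.
# All subject names and file names below are invented for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue SUBJECT BASENAME EXTENSIONS ISSUER_CERT ISSUER_KEY
# Generates a key and CSR for SUBJECT and signs it with ISSUER_CERT/ISSUER_KEY,
# or self-signs it when ISSUER_CERT is the literal word "self".
issue() {
  printf '%b' "$3" > "$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$1" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  if [ "$4" = self ]; then
    openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 30 -sha256 \
      -extfile "$2.ext" -out "$2.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$2.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
      -days 30 -sha256 -extfile "$2.ext" -out "$2.crt" >/dev/null 2>&1
  fi
}

# Build the three-level chain: root CA, intermediate CA, RADIUS server cert.
gen_chain() {
  issue "/CN=Example Root CA" root \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    self
  issue "/CN=Example Intermediate CA" int \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    root.crt root.key
  issue "/CN=radius.example.test" server \
    'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    int.crt int.key
}

# What a client that trusts only the root sees when the intermediate is not
# presented: returns 0 only if server.crt chains to root.crt on its own.
verify_root_only() {
  openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}

# Same client, but the intermediate is available as untrusted chain material
# (which is what the server should send during the TLS handshake).
verify_with_intermediate() {
  openssl verify -CAfile root.crt -untrusted int.crt server.crt >/dev/null 2>&1
}

# Print the issuer of the server certificate, to confirm who signed it.
server_issuer() {
  openssl x509 -in server.crt -noout -issuer
}

gen_chain
echo "server certificate issuer: $(server_issuer)"
if verify_root_only; then
  echo "root only: verifies"
else
  echo "root only: FAILS (client cannot find the intermediate)"
fi
if verify_with_intermediate; then
  echo "root + intermediate: verifies"
else
  echo "root + intermediate: FAILS"
fi
```

The first check fails and the second succeeds, which is the same thing Dan observed on the Windows client: installing the intermediate locally makes the chain resolve, but that only works because the client now has the missing link. The usual way to avoid distributing the intermediate to every client is to have the server present it: FreeRADIUS reads `certificate_file` in the tls subsection as a PEM bundle, so the intermediate can be appended after the server certificate there, and then a client that holds only the root can build the chain from what the server sends.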

Dan,

It's unclear to me exactly:

 a. what you're expecting to happen
 b. what is happening

We have exactly the same setup - verisign root->intermediate->our cert. What happens with an XP client on our WPA EAP-PEAP network is exactly the same as documented here:

http://www.albany.edu/its/windows_detailed_document.pdf

...that is, after clicking all the tedious boxes in XP, once connecting a dialog box pops up as per page 6 of the PDF above. Once clicked, the user is never prompted again.

As per my email on the DOT1X list the other day, this is (we believe) a behaviour change from a vanilla windows XP SP2 install i.e. one of the hotfixes changed something.

Certainly when we tested a vanilla XP SP2 install against our current cert chain, it worked straight through, but a fully-hotfixed install did not.

Is this what you're seeing?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
