> Dan,
>
> It's unclear to me exactly:
>
> a. what you're expecting to happen
> b. what is happening
>
> We have exactly the same setup - verisign root->intermediate->our cert.
> What happens with an XP client on our WPA EAP-PEAP network is exactly
> the same as documented here:
>
> http://www.albany.edu/its/windows_detailed_document.pdf
>
> ...that is, after clicking all the tedious boxes in XP, once connecting
> a dialog box pops up as per page 6 of the PDF above. Once clicked, the
> user is never prompted again.

Yes, this is the behaviour we are seeing too. The issue is that, with said popup and a directly root-signed cert, you can click on the 'View Server Certificate' button and see that it is trusted to a known root, and Windows says something along the lines of 'This is a trusted certificate'.

The reason we shifted to using a Verisign cert instead of a self-signed one with the right bits set was that we were getting a surprisingly large number of users refusing to accept a cert that Windows flashed up as 'Untrusted. Warning, this certificate cannot be traced to a known trusted root etc etc' (or whatever the actual text is, I can't recall offhand), and then complaining that they couldn't get on the wireless network. It was easier to get a 'proper' cert from Verisign than it was to try and get all our users to install our local CA on their personal machines.

Now that Verisign are using an Intermediate CA, the cert we have paid for is no better than a self-signed one in this case.

The chain does get picked up correctly in Vista, which backs up your point of it being an XP-specific issue and nothing to do with FreeRADIUS. I was unfortunately testing on XP only as that is the only Windows I had readily available. If it used to work then God knows why MS decided to break it in a security update, but bring the functionality back in Vista. Unfortunately the majority of our users are still on XP.

Thanks all for your help.

Dan

