On Thu, Jul 16, 2009 at 8:12 AM, Nicolas Boullis <[email protected]> wrote:
> Hi,
>
> DISCLAIMER: I'm no Windows specialist.
>
> john wrote:
>>
>> I am having a hard time figuring out how to make this work. Where/how
>> does the cert get imported. Do I need to make a registry change in
>> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>> to make this work? I hope this is the part someone on the list will
>> have done before and be able to guide me or point me at a howto.
>
> I had a hard time with this as well, and finally succeeded, using
> Windows XP.
> There are many points that matter:
>  * You have to edit your registry to add a "AuthMode" dword key in
>   KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>   with value 2.
>  * You have to load your certificate and private key in the computer's
>   personal store. I did that with mmc.exe. Note that loading the
>   certificate and private key in a user's personal store and then
>   moving them to the computer's store did not work for me.
>  * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
>   Authentication" or Windows won't use it.
>  * The username Windows will use is the name in the certificate with
>   "host/" prepended.
>
> Note that things are quite different with Windows Vista.
>
> Hope this helps,
>
> --
> Nicolas Boullis
> Ecole Centrale Paris

Thanks for your very thorough answer Nicolas!

The solution you outline works perfectly for wired clients running
Windows XP SP2. However, more digging showed me that my problem was
specific to Windows XP/SP3.

Windows XP/SP3 doesn't use
KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
to store the value for the AuthMode parameter. Rather it uses an XML
profile which you can export and edit and then re-import. For future
reference for other folks this can be found here
http://support.microsoft.com/kb/929847

I note that this was mentioned in an earlier post to the list
http://lists.cistron.nl/pipermail/freeradius-users/2009-January/msg00723.html
The author then had an identical problem, however he was trying to
troubleshoot the wireless interface.

Ivan or Alan, the information that Nicolas outlined, plus the caveat
for XP3 clients would be REALLY HELPFUL to have on the wiki. It
doesn't look like just anyone can edit it so would one of you be
willing to add something?

Thanks again to all for the help!

John
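The XP SP3 caveat above (AuthMode living in the exported wired profile rather than in the EAPOL registry key from Nicolas's list) in script form, as an added example that is not from the thread or any poster: a small Python edit of an exported profile that forces authMode to machine, and creates the element when the export lacks it. The namespace URI, element names and the legal mode values are assumed from the Windows OneX profile schema, not taken from the thread, and the sample profile is constructed.

```python
from typing import Optional
from xml.dom import minidom

# XP SP3 keeps AuthMode in the wired 802.1X profile (netsh lan export/add profile),
# not in the EAPOL registry key, so the fix is an XML edit. Namespace URI, element
# names and mode values are ASSUMED from the OneX schema; check your own export.
NS_ONEX = "http://www.microsoft.com/networking/OneX/v1"
VALID_MODES = ("machine", "user", "machineOrUser")

# Constructed sample of an exported wired profile (trimmed; EAPConfig omitted).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""

def get_auth_mode(profile_xml: str) -> Optional[str]:
    """Return the current authMode text, or None when the element is absent."""
    nodes = minidom.parseString(profile_xml).getElementsByTagNameNS(NS_ONEX, "authMode")
    if not nodes:
        return None
    return "".join(n.data for n in nodes[0].childNodes if n.nodeType == n.TEXT_NODE).strip()

def set_auth_mode(profile_xml: str, mode: str = "machine") -> str:
    """Return the profile with authMode forced to `mode` (default: machine-only)."""
    if mode not in VALID_MODES:
        raise ValueError(f"unsupported authMode {mode!r}; expected one of {VALID_MODES}")
    doc = minidom.parseString(profile_xml)
    onex = doc.getElementsByTagNameNS(NS_ONEX, "OneX")
    if not onex:
        raise ValueError("profile has no OneX element: 802.1X is not enabled on it")
    nodes = doc.getElementsByTagNameNS(NS_ONEX, "authMode")
    if nodes:
        node = nodes[0]
        for child in list(node.childNodes):
            node.removeChild(child)
    else:
        # authMode is optional; create it as the first OneX child (assumed schema
        # order). It inherits OneX's default namespace when serialised.
        node = doc.createElementNS(NS_ONEX, "authMode")
        onex[0].insertBefore(node, onex[0].firstChild)
    node.appendChild(doc.createTextNode(mode))
    return doc.toxml()  # minidom keeps the original xmlns declarations intact
```

Run it on a file produced by `netsh lan export profile`, write the result back and re-import it with `netsh lan add profile`; minidom preserves the original namespace declarations, so only the authMode text changes.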
