On 05/08/2011 17:00, John Dunning wrote:
Greetings all,
We've been running freeradius 1.x on Debian Lenny for some time with great
success authenticating against Novell eDirectory/LDAP.
Our Linux guru has moved on to exciting new opportunities and while the rest of
us are decent at Linux we're certainly missing his input here :)
We're trying to update the system to Squeeze and move from eDirectory to Active
Directory authentication to stay more easily within the debian package scope.
I think I largely have the system set up to do EAP-TLS/PEAP/MS-CHAPv2 with
Windows 7 supplicant but for some reason I can't seem to get the EAP-TLS tunnel
to fire up.
I've tried going through http://wiki.freeradius.org/Certificate_Compatibility
with the delivered certs (which are evidently supposed to be compatible) but I
seem to be missing something.
I've got NTLM_AUTH working correctly (once I actually get that far), so I'm
hoping that if I can get this cert issue figured out I'll be good to go.
Using a Cisco AIR1220 AP and have tried both Windows 7 and Android supplicants
and get the same problem (see -X log below).
Thanks in advance!!
JD
certificate_file = "/etc/freeradius/certs/server.pem"
(1) Do:

    openssl x509 -in /etc/freeradius/certs/server.pem -noout -text

Check that the output contains this:

    X509v3 Extended Key Usage:
        TLS Web Server Authentication

...If it doesn't, see the "OIDs" comments in the FR wiki page.
(2) Check that Windows 7 is correctly configured to trust your
certificates. Refer to 15-19 on:
http://www.wireless.bris.ac.uk/eduroam/instructions/go-vista/#wifi
[obviously you need to trust your root CA, not mine though]
For testing you can un-tick "Validate server certificate", but you should
never do this with real credentials, or with real users.
(3) Android probably isn't a good OS to use for AAA testing, because
depending on which version you have there are various bugs with its
enterprise wi-fi support.
Regards,
James
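
The check in step (1) of the reply above, wrapped as a script so it can be run over several certificate files. This is an added example, not part of the original message or of FreeRADIUS; the function name `check_server_eku` and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_server_eku is a hypothetical helper.
# Return codes: 0 = EKU includes TLS Web Server Authentication,
#               1 = EKU extension missing or without server authentication,
#               2 = file could not be parsed as an X.509 certificate.

check_server_eku() {
    cert="$1"

    # Same command as in the reply; stop early if openssl cannot read the file.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2

    # openssl prints the EKU values on the line after the extension header,
    # comma-separated. Take that line and strip its leading indentation.
    eku=$(printf '%s\n' "$text" | awk '
        /X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }')

    if [ -z "$eku" ]; then
        echo "$cert: no Extended Key Usage extension present"
        return 1
    fi

    case "$eku" in
        *"TLS Web Server Authentication"*)
            echo "$cert: OK ($eku)"
            return 0 ;;
        *)
            # e.g. a client-only certificate configured as the server cert
            echo "$cert: EKU lacks TLS Web Server Authentication ($eku)"
            return 1 ;;
    esac
}

# Check every file named on the command line, for example:
#   sh check_eku.sh /etc/freeradius/certs/server.pem
for f in "$@"; do
    check_server_eku "$f" || true
done
```
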