On 07/26/2011 08:02 PM, Jeff Kell wrote:

Hello Jeff,

> Has anyone been able to get a "valid, acceptable to Windows out-of-the-box" certificate
> for Radiator that allows seamless connections by Windows computers?
>
> I've found bits and pieces, and references to voodoo with the openssl request and/or
> openssl patches to support the "extra" bits that Windows expects, but still haven't run
> across a nice clear answer.

See http://support.microsoft.com/kb/814394 and "Server certificate requirements" chapter.

The extra bits in openssl configuration look like this:

[ req ]
...
req_extensions = req_extensions

[req_extensions]
...
extendedKeyUsage = serverAuth

This extension should satisfy the Windows builtin client. The OID is 1.3.6.1.5.5.7.3.1 and even if RFCs call this OID id-kp-serverAuth, some tools may call it e.g. "TLS Web Server Authentication". I have also noticed that the certificates from vendors such as Thawte have this extension enabled by default.

> Has anyone done this successfully to connect without a supplicant / Xpressconnect / su1x
> / other client preparation?

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
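The configuration from the reply above, carried through to a test certificate and checked for the extension; this is an added example, not part of the original post or of Radiator. The file names, the CN radius.example.org, the RSA 2048 key, the 30-day lifetime and the self-signing step are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Constructed values: file names, CN, key size, validity period.

# Write a config carrying the extension from the post, then create key + CSR.
make_csr() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = req_extensions

[ req_dn ]
CN = radius.example.org

[ req_extensions ]
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# Self-sign the CSR for testing. "openssl x509 -req" ignores the extensions
# requested in the CSR by default, so they are applied again from the config.
sign_csr() {
    dir=$1
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 30 -extfile "$dir/openssl.cnf" -extensions req_extensions \
        -out "$dir/server.crt" 2>/dev/null
}

# has_server_auth req|x509 FILE: succeeds if id-kp-serverAuth is present.
# openssl prints OID 1.3.6.1.5.5.7.3.1 as "TLS Web Server Authentication".
has_server_auth() {
    openssl "$1" -in "$2" -noout -text | grep -q 'TLS Web Server Authentication'
}

demo_dir=$(mktemp -d)
make_csr "$demo_dir" && sign_csr "$demo_dir"
has_server_auth req  "$demo_dir/server.csr" && echo "CSR requests serverAuth"
has_server_auth x509 "$demo_dir/server.crt" && echo "certificate carries serverAuth"
```

When a CA signs the request instead, run the same `has_server_auth x509` check on the issued certificate, since the CA decides which requested extensions end up in it.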
