Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
This incorrect password issue was solved once the proper server certificate was used by FreeRADIUS' eap.conf file. Thanks for all your help!

Marc

Solution to get a correct cert to work with the Windows XP SP2 supplicant:

1) From the Linux box:
   openssl genrsa -des3 -out server1.key 2048
   You will be prompted for a password; this server1.key and the password assigned are used in the eap.conf file.
   openssl req -new -key server1.key -out server1.csr

2) Get server1.csr to a Windows workstation that can reach the Microsoft 2003 CA. The easiest way might be to use FTP. The URL to our CA is: http://10.10.10.10/certsrv

3) On the Web access to the CA:
   - click Request a Certificate
   - click Advanced certificate request
   - click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
   - click "Browse for a file to insert.", browse to ohisles1.csr, then click the READ button
   - select Web Server for the certificate template and click Submit
   - keep DER encoded selected, then click Download certificate and save the file as server1.cer

4) Get this file server1.cer back to the Linux server with FTP.

5) Issue the OpenSSL command:
   openssl x509 -inform DER -in ohisles1.cer -out ohisles1.pem
   Update eap.conf to point to this server certificate.

6) Use the same OpenSSL command on the CER file of the root certificate from the Microsoft CA to convert it to PEM format. Use this root certificate (we named it root.pem) and point to it in eap.conf.

7) Start FreeRADIUS with: radiusd -X

8) The Windows XP supplicant should work fine.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
Hi, it looks like I used a certificate with the wrong OID. I used a cert minted with their SubCA template, which doesn't have OID 1.3.6.1.5.5.7.3.1. In playing with the Microsoft CA on Windows 2003 server, I've found that the certificate made using the Web Server template is the one required. Unfortunately, this particular template doesn't allow the certificate's keys to be exported. I tried creating a new certificate template by copying from the one called Web Server, and now I have a new Web Server template with the ability to export its keys. The problem is I can't seem to make use of this new template within their CA. I know this is a Microsoft issue, but I've looked high and low in their docs, and when you go to their CA and try to select Certificate Template to Issue, the new template I created is not available. I'm a little obsessed with making this work, so I'm hoping someone here has a quick answer to making Microsoft's CA allow me to mint a Web Server certificate with exportable keys.

Thanks for any future and previous help,
Marc

[EMAIL PROTECTED] 4/27/2007 4:11:58 AM:

Hi.

[EMAIL PROTECTED] wrote:
either use your current tool but include the XP extensions as required,

Just to be precise. The named extensions are the PKIX extensions for serverAuth (OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID 1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Also, if a client certificate is used on Windows with EAP-TLS, the extendedKeyUsage Microsoft SmartCard Logon (OID 1.3.6.1.4.1.311.20.2.2) *must not* be present, because Windows won't be able to use/choose such a client certificate to authenticate at the RADIUS server. It is only Windows that is looking at these extendedKeyUsages in the certificate and expecting the correct extensions here.

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
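The procedure in the first message above and the EKU rules in this reply, as one added example that is not code from the thread, from FreeRADIUS or from either poster: a throwaway OpenSSL root CA stands in for the Microsoft 2003 CA, small extension profiles stand in for its Web Server and SubCA templates (plus two EAP-TLS client profiles, one carrying Smart Card Logon), and a check then asks of each certificate what Windows asks: serverAuth on the RADIUS server certificate, clientAuth and no Smart Card Logon on a client certificate. The hostnames, file names, working directory and key password are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread or FreeRADIUS. A throwaway OpenSSL root CA
# stands in for the Microsoft 2003 CA and extension profiles for its templates.
# Names, paths and the key password are assumptions; needs the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-changeme}"   # becomes private_key_password in eap.conf

write_profiles() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
    'CN = Example Root CA' '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' \
    > "$WORK/ca.cnf"
  # Like the "Web Server" template: the certificate the XP supplicant accepts.
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' > "$WORK/webserver.ext"
  # Like the "SubCA" template tried first in the thread: CA cert, no serverAuth.
  printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/subca.ext"
  # EAP-TLS client profiles: a usable one, and one carrying Smart Card Logon.
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature' \
    'extendedKeyUsage = clientAuth' > "$WORK/client.ext"
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature' \
    'extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2' > "$WORK/client-scl.ext"
}

make_root_ca() {
  # Stand-in for the Microsoft CA; root.pem is what step 6 points CA_file at.
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/ca.cnf" \
    -extensions v3_ca -sha256 -days 3650 -out "$WORK/root.pem" 2>/dev/null
}

make_key_and_csr() {
  # Step 1: encrypted RSA key plus CSR ($1 = base name, $2 = CN). The thread
  # used -des3; -aes256 is the same idea with a current cipher, and
  # -passout/-passin replace the interactive password prompt.
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -passin "pass:$KEY_PASS" \
    -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

sign_as_der() {
  # Steps 3-4: the CA signs the CSR and hands back a DER-encoded .cer file.
  # $1 = CSR base name, $2 = profile file, $3 = output base name.
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$2" \
    -outform DER -out "$WORK/$3.cer" 2>/dev/null
}

der_to_pem() {
  # Step 5, exactly the command posted.
  openssl x509 -inform DER -in "$WORK/$1.cer" -out "$WORK/$1.pem"
}

eku_has() {
  # Does the X509v3 Extended Key Usage line of $1 name $2? No extension: no.
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n '/X509v3 Extended Key Usage/{n;p;}' | grep -qi "$2"
}

server_cert_ok() {
  # RADIUS server cert: chains to the root and carries serverAuth.
  openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1 &&
    eku_has "$1" 'TLS Web Server Authentication'
}

client_cert_ok() {
  # EAP-TLS client cert: clientAuth present, Microsoft Smart Card Logon absent.
  eku_has "$1" 'TLS Web Client Authentication' &&
    ! eku_has "$1" 'Microsoft Smartcard'
}

write_eap_tls_fragment() {
  # The tls {} block of a FreeRADIUS 1.x eap.conf, pointed at this run's files.
  printf '%s\n' 'tls {' "    private_key_password = $KEY_PASS" \
    "    private_key_file = $WORK/server1.key" \
    "    certificate_file = $WORK/server1.pem" \
    "    CA_file = $WORK/root.pem" '}' > "$WORK/eap-tls.conf"
}

build_all() {
  write_profiles; make_root_ca
  make_key_and_csr server1 radius.example.com
  make_key_and_csr client1 user1.example.com
  sign_as_der server1 "$WORK/webserver.ext" server1
  sign_as_der server1 "$WORK/subca.ext" server1-subca
  sign_as_der client1 "$WORK/client.ext" client1
  sign_as_der client1 "$WORK/client-scl.ext" client1-scl
  for f in server1 server1-subca client1 client1-scl; do der_to_pem "$f"; done
  write_eap_tls_fragment
}

build_all
for f in server1 server1-subca; do
  server_cert_ok "$WORK/$f.pem" && echo "$f.pem: OK for PEAP" || echo "$f.pem: rejected"
done
for f in client1 client1-scl; do
  client_cert_ok "$WORK/$f.pem" && echo "$f.pem: OK for EAP-TLS" || echo "$f.pem: rejected"
done
```

Run it with sh. The eap-tls.conf it writes has the shape of the tls {} block in a 1.x eap.conf with this run's paths substituted, and the numeric OID in client-scl.ext is the Smart Card Logon EKU, so the client certificate Windows refuses to pick is reproduced rather than described. Note also that in the CSR route the private key is generated on the Linux box and never leaves it, which is why the first message's procedure works despite the non-exportable keys of the Web Server template that this reply runs into.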
Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
Ok, that's what I thought (about the root certificate not being pleasing to XP).

FYI: I'm using a version of Linux by Novell called SLES (SUSE Linux Enterprise Server) version 9 Service Pack 3, and the FreeRADIUS is from Novell's Web site (freeradius-1.0.2-0.i586.rpm, freeradius-devel-1.0.2-0.i586.rpm). I've done my certificate work by using SLES' YaST, Security and Users, CA Management. I simply exported the root cert using this CA Management GUI. This worked great with Cisco's ADU configuration tool.

If someone could give me the quickest and easiest way to create a root certificate that works with Windows XP, that would be great. I have another CA running on a Windows 2003 server; can I make use of this CA somehow?

Thanks for any help.
Marc

[EMAIL PROTECTED] 4/25/2007 1:33:00 PM:

hi,

rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select

okay. so that's the main issue. were your certificates generated with the XP extensions? how have you configured the native supplicant? it doesn't need much configuring: just disable fast-connect, disable user guest account, use machine auth (if you're not doing machine) and click the MSCHAPv2 stuff and deselect the 'use windows username/password' if you cannot use those. then it's up to you to ensure the cert is in the store and you verify or don't verify your radius cert.

alan