
List:       freeradius-users
Subject:    Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
From:       "Marc Charbonneau" <mcharbonneau () ottawaheart ! ca>
Date:       2007-04-28 12:46:46
Message-ID: s63323dc.004 () mail ! ottawaheart ! ca

This incorrect password issue was solved once the proper server
certificate was used by FreeRADIUS' EAP.conf file.
 
Thanks for all your help!
Marc
 
Solution to get correct cert to work with Windows XP SP2 supplicant:

1) From Linux box:
>openssl genrsa -des3 -out server1.key 2048
You will be prompted for a password; this server1.key and the password
assigned are used in the "eap.conf" file.
>openssl req -new -key server1.key -out server1.csr
 
2) Get "server1.csr" to a Windows workstation that will reach the
Microsoft 2003 CA.  Easiest way might be to use FTP.
The URL to our CA is:  http://10.10.10.10/certsrv 

3) On Web access to CA:
- click "Request a Certificate"
- click "Advanced certificate request"
- click "Submit a certificate request by using a base-64-encoded CMC or
PKCS #10 file, or submit a renewal request by using a base-64-encoded
PKCS #7 file."
- click "Browse for a file to insert." and browse to "ohisles1.csr"
then click "READ" button.
- select "Web Server" for certificate template and click "Submit"
- keep "DER encoded" selected then click "Download certificate", save
file as server1.cer

4) Get this file "server1.cer" back to Linux server with FTP
 
5) Issue OpenSSL command
>openssl x509 -inform DER -in ohisles1.cer -out ohisles1.pem
- update "eap.conf" to point to this server certificate.

6) Use the same OpenSSL command on the CER file of the root certificate
from the Microsoft CA to convert it to PEM format.  Use this root
certificate (we named it "root.pem") and point to it in "eap.conf".

7) Run FreeRADIUS with:
>radiusd -X

8) Windows XP supplicant should work fine.
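
The script below is an added example, not part of the original post: it checks that the private key from step 1, the converted server certificate from step 5 and the root certificate from step 6 belong together before "eap.conf" is pointed at them. The function names are made up for this example, the file names are passed as arguments, and the last check assumes the certificate came from the "Web Server" template, which adds the Server Authentication extended key usage.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): checks on the key, server
# certificate and root certificate before eap.conf is pointed at them.

# The certificate must carry the public key of the private key from step 1.
# $3 is an optional openssl pass-phrase source, e.g. env:KEYPASS or file:/path.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$from_key" = "$from_cert" ]
}

# The server certificate must chain to the root certificate named in
# eap.conf and be acceptable as a TLS server certificate.
chains_to_root() {
    openssl verify -CAfile "$2" -purpose sslserver "$1" >/dev/null 2>&1
}

# The "Web Server" template adds the Server Authentication extended key
# usage; a certificate issued from another template may lack it.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# Usage: check_eap_files KEY SERVER_PEM ROOT_PEM [PASSIN]
check_eap_files() {
    local rc=0
    key_matches_cert "$1" "$2" "${4:-}" ||
        { echo "FAIL: key and certificate do not match, or key unreadable"; rc=1; }
    chains_to_root "$2" "$3" ||
        { echo "FAIL: certificate does not verify against $3"; rc=1; }
    has_server_auth_eku "$2" ||
        { echo "FAIL: no Server Authentication extended key usage"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 is consistent with $1 and $3"
    return "$rc"
}

# Run all checks when the script is given the three file names.
if [ "$#" -ge 3 ]; then check_eap_files "$@"; fi
```

For the pass-phrase-protected key from step 1, pass a fourth argument such as env:KEYPASS so the pass phrase does not appear on the command line.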


