(RADIATOR) Error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied" - FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN

Scott Xiao - ANTlabs scottxiao at antlabs.com
Wed Aug 11 04:30:18 CDT 2004


Thanks, Christian.
Yes, I found the EKU portion (OID 1.3.6.1.5.5.7.3.1) in your cert which is
not available in FreeSSL's cert. This is the problem. I refunded already and
FreeSSL didn't say anything (they seem to have admitted this problem :-) )... Now I am
purchasing the WLAN authentication server cert from Verisign. The strange thing
is, during the online application, it never asked for a CSR and never created any
private key. So when it sends me the public certificate, I will not be able to
get the private key to save in the Radius server. Any advice?
Thanks
Scott

-----Original Message-----
From: Christian Wiedmann [mailto:wiedmann at wiedmann.org]
Sent: Wednesday, August 11, 2004 7:45 AM
To: Scott Xiao - ANTlabs
Subject: RE: (RADIATOR) Error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1
alert access denied" - FreeSSL certificate for Radiator 802.1x
PEAP/aironet1100 WLAN


Hi Scott,

Are you sure you got a valid certificate from FreeSSL?  The OID mentioned
is the OID for server authentication.  I believe that IE requires this OID
from web sites, so it should be in there.

As I mentioned earlier, I've been working with a Verisign web server
certificate, which does have this OID.

Here are the relevant lines from "openssl x509 -text -in server.pem":
X509v3 extensions:
	X509v3 Basic Constraints:
		CA:FALSE
	X509v3 Certificate Policies:
		Policy: 2.16.840.1.113733.1.7.23.3
			CPS: https://www.verisign.com/rpa

	X509v3 Key Usage:
		Digital Signature, Key Encipherment
	X509v3 Extended Key Usage:
		Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication

"TLS Web Server Authentication" is 1.3.6.1.5.5.7.3.1.

-Christian

On Tue, 10 Aug 2004, Scott Xiao  - ANTlabs wrote:

> Date: Tue, 10 Aug 2004 15:28:22 +0800
> From: Scott Xiao  - ANTlabs <scottxiao at antlabs.com>
> To: Christian Wiedmann <cw_radiator at wiedmann.org>
> Subject: RE: (RADIATOR) Error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1
>     alert access denied" - FreeSSL certificate for Radiator 802.1x
>     PEAP/aironet1100 WLAN
>
> Hi, Christian,
> According to Radiator's FAQ, the server certificate must have the special
> Microsoft 'Extended Key Usage' for server authentication. The OID is
> 1.3.6.1.5.5.7.3.1. Did you see the extended key usage in your server
> certificate? Which vendor's certificate did you purchase? I am afraid I have to
> buy another cert since I can only see "key usage" in my server
> certificate instead of extended or enhanced key usage, after I save the cert
> in a crt file and open it in Windows.... Any advice? Thanks!
> Scott
>
> -----Original Message-----
> From: Christian Wiedmann [mailto:cw_radiator at wiedmann.org]
> Sent: Tuesday, August 10, 2004 2:33 AM
> To: Scott Xiao - ANTlabs
> Subject: RE: (RADIATOR) Error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1
> alert access denied" - FreeSSL certificate for Radiator 802.1x
> PEAP/aironet1100 WLAN
>
>
> No, don't use the root CA from FreeSSL.  Just point it at your server
> certificate.  You don't actually need to do CA verification, you're just
> giving Radiator a file so it doesn't get an error when it opens it.
> 	-Christian
>
> On Mon, 9 Aug 2004, Scott Xiao  - ANTlabs wrote:
>
> > Date: Mon, 9 Aug 2004 12:45:53 +0800
> > From: Scott Xiao  - ANTlabs <scottxiao at antlabs.com>
> > To: Christian Wiedmann <cw_radiator at wiedmann.org>
> > > Subject: RE: (RADIATOR) Error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1
> >     alert access denied" - FreeSSL certificate for Radiator 802.1x
> >     PEAP/aironet1100 WLAN
> >
> > Re: Error "EAP PEAP TLS read failed:  2144: 1 - error:14094419:SSL
> > routines:SSL3_READ_BYTES:tlsv1 alert access denied"
> > Hi, Christian,
> > Thanks! I did some update on my config file according to your advice. I
> > downloaded the root CA from FreeSSL and saved it in the certificate directory
> > in pem format, and tested again; then I encountered another error "EAP PEAP
> > TLS read failed:  2144: 1 - error:14094419:SSL
> > routines:SSL3_READ_BYTES:tlsv1 alert access denied". What could be the
> > cause here? Please advise, thanks a lot!!! Here below is my updated config
> > file (part) and the error log:
> >
> > Config file:
> > EAPType PEAP,MSCHAP-V2
> >
> >                 EAPTLS_CAFile %D/certificates/UTN.pem
> >
> >                 EAPTLS_CertificateFile %D/certificates/myhost.antlabs.com.pem
> >
> >                 EAPTLS_CertificateType PEM
> >
> >                 EAPTLS_PrivateKeyFile %D/certificates/myhost.antlabs.com.key
> >
> >
> >                 EAPTLS_PrivateKeyPassword [password(hidden)]
> >
> > Error Log:
> > Code:       Access-Request
> > Identifier: 52
> > Authentic:  <29>rW<223><165><165>,<151><164><138>B_@<194>=<232>
> > Attributes:
> >         User-Name = "hello"
> >         WISPr-Location-ID = "isocc=(null),cc=(null),ac=(null),network=GEM1X"
> >         WISPr-Location-Name = "operator,location"
> >         NAS-IP-Address = 10.0.0.1
> >         Service-Type = Framed-User
> >         NAS-Port = 3
> >         NAS-Port-Id = "3"
> >         Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
> >         Calling-Station-Id = "00-0C-F1-08-37-BF"
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
> >         Connect-Info = "CONNECT 11Mbps 802.11b"
> >         EAP-Message = <2><10><0>!<25><128><0><0><0><23><21><3><1><0><18>'<245><137><179><200>3<167>nL<133><196>y<243><146>*[m<140>
> >         Message-Authenticator = kW<200><133><164><209>,'<166><19><209><223><197>3h<243>
> >         Proxy-State = 165
> >
> > Mon Aug  9 12:19:41 2004: DEBUG: Handling request with Handler ''
> > Mon Aug  9 12:19:41 2004: DEBUG:  Deleting session for hello, 10.0.0.1, 3
> > Mon Aug  9 12:19:41 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Aug  9 12:19:41 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Aug  9 12:19:41 2004: DEBUG: Handling with EAP: code 2, 10, 33
> > Mon Aug  9 12:19:41 2004: DEBUG: Response type 25
> > Mon Aug  9 12:19:41 2004: ERR: EAP PEAP TLS read failed:  2144: 1 -
> > error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> >
> > Mon Aug  9 12:19:41 2004: DEBUG: EAP result: 1, EAP PEAP TLS read failed
> > Mon Aug  9 12:19:41 2004: INFO: Access rejected for hello: EAP PEAP TLS read failed
> > Mon Aug  9 12:19:41 2004: DEBUG: Packet dump:
> > *** Sending to 192.168.123.9 port 1814 ....
> >
> > Packet length = 41
> > 03 34 00 29 d8 e5 80 35 df 65 12 80 66 9f 3e 42
> > 41 03 fe 70 12 10 52 65 71 75 65 73 74 20 44 65
> > 6e 69 65 64 21 05 31 36 35
> > Code:       Access-Reject
> > Identifier: 52
> > Authentic:  <29>rW<223><165><165>,<151><164><138>B_@<194>=<232>
> > Attributes:
> >         Reply-Message = "Request Denied"
> >         Proxy-State = 165
> >
> >
> > -----Original Message-----
> > From: Christian Wiedmann [mailto:cw_radiator at wiedmann.org]
> > Sent: Sunday, August 08, 2004 4:25 AM
> > To: Scott Xiao - ANTlabs
> > Subject: RE: (RADIATOR) Error "TLS could not load_verify_locations" -
> > FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN
> >
> >
> > Hi Scott,
> >
> > I think the issue may be that Radiator is expecting a CAFile entry even
> > though it's not really required for PEAP.  Try adding an EAPTLS_CAFile entry
> > (point it at the same file).  That's the only real difference I can spot
> > between your configuration and mine.
> >
> > I hope this helps,
> > 	-Christian
> >
> > On Sat, 7 Aug 2004, Scott Xiao  - ANTlabs wrote:
> >
> > > Date: Sat, 7 Aug 2004 14:36:47 +0800
> > > From: Scott Xiao  - ANTlabs <scottxiao at antlabs.com>
> > > To: cw_radiator at wiedmann.org
> > > Subject: RE: (RADIATOR) Error "TLS could not load_verify_locations" -
> > >     FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN
> > >
> > > Hi, Christian,
> > > In your email last time, you mentioned you have successfully used a Verisign
> > > web server certificate for PEAP authentication against Windows XP SP1. Now I
> > > purchased the web server certificate from FreeSSL, but I encountered some
> > > problem as I mentioned below. Can you give me some advice? Thanks!
> > > Rgds
> > > Scott
> > >
> > > -----Original Message-----
> > > From: Scott Xiao - ANTlabs [mailto:scottxiao at antlabs.com]
> > > Sent: Friday, August 06, 2004 11:23 PM
> > > To: radiator at open.com.au
> > > Subject: (RADIATOR) Error "TLS could not load_verify_locations" - FreeSSL
> > > certificate for Radiator 802.1x PEAP/aironet1100 WLAN
> > >
> > >
> > > Hi,
> > > Thanks for all the help on my timer issue, PEAP, acct stop issue; all those
> > > are resolved.
> > > The current issue is, I got an error of "TLS could not load_verify_locations"
> > > with an actual certificate; see the config file and debug below.
> > > I purchased a server certificate from freessl.com, copied the text part of the
> > > cert into a text file and saved it in the certificate directory of Radiator as
> > > a .pem file, together with the private key file (.key file). Then I modified
> > > the config file to point the path to the certificate directory, instead of
> > > using the sample certificates. I found the sample pem file has 2 parts, public
> > > key and private key inside, while my pem file (server cert) has only one
> > > part, which is the server cert itself. But I don't think it's an issue
> > > since the comments in the file say it could be the same file for the
> > > keys. Then I tested, and got the error as mentioned. Can you advise what's
> > > the problem? FreeSSL's webserver cert should work in this scenario, right? How
> > > to make a pem file to have 2 parts like the sample one? Thanks!!
> > > Rgds
> > > Scott
> > >
> > >
> > > config file:
> > >
> > >   EAPType PEAP,MSCHAP-V2
> > >
> > >
> > >                 EAPTLS_CertificateFile %D/certificates/myhost.antlabs.com.pem
> > >
> > >                 EAPTLS_CertificateType PEM
> > >                 #EAPTLS_CertificateType CRT
> > >
> > >                 # EAPTLS_PrivateKeyFile is the name of the file containing
> > >                 # the servers private key. It is sometimes in the same file
> > >                 # as the server certificate (EAPTLS_CertificateFile)
> > >                 # If the private key is encrypted (usually the case)
> > >                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> > >                 #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> > >                 EAPTLS_PrivateKeyFile %D/certificates/myhost.antlabs.com.key
> > >                 #EAPTLS_PrivateKeyFile /etc/radiator/certificates/myhost.antlabs.com.key
> > > #               EAPTLS_PrivateKeyFile %D/certificates/myhost.pem
> > >                 #EAPTLS_PrivateKeyPassword whatever
> > >                 EAPTLS_PrivateKeyPassword hiddenpassword
> > >
> > > Debugging info:
> > >
> > > [root at AAA Radiator-3.9]# ./radiusd -foreground  -config_file ./tt1.cfg
> > > Fri Aug  6 23:04:27 2004: DEBUG: Finished reading configuration file
> > > './tt1.cfg'
> > > Fri Aug  6 23:04:27 2004: DEBUG: Reading dictionary file
> > > '/usr/src/802/radiator/Radiator-3.9/dictionary'
> > > Fri Aug  6 23:04:27 2004: DEBUG: Creating authentication port 0.0.0.0:1812
> > > Fri Aug  6 23:04:27 2004: DEBUG: Creating accounting port 0.0.0.0:1813
> > > Fri Aug  6 23:04:27 2004: NOTICE: Server started: Radiator 3.9 on AAA
> > >
> > >
> > >
> > > Fri Aug  6 23:04:50 2004: DEBUG: Packet dump:
> > > *** Received from 192.168.123.9 port 1814 ....
> > >
> > > Packet length = 266
> > > Code:       Access-Request
> > > Identifier: 42
> > > Authentic:  k#Wk_<184><234>F<189>g5<172>s<231>Q*
> > > Attributes:
> > >         User-Name = "hello"
> > >         WISPr-Location-ID = "isocc=(null),cc=(null),ac=(null),network=GEM1X"
> > >         WISPr-Location-Name = "operator,location"
> > >         NAS-IP-Address = 10.0.0.1
> > >         Service-Type = Framed-User
> > >         NAS-Port = 3
> > >         NAS-Port-Id = "3"
> > >         Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
> > >         Calling-Station-Id = "00-0C-F1-08-37-BF"
> > >         Framed-MTU = 1400
> > >         NAS-Port-Type = Wireless-IEEE-802-11
> > >         NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
> > >         Connect-Info = "CONNECT 11Mbps 802.11b"
> > >         EAP-Message = <2><1><0><10><1>hello
> > >         Message-Authenticator = <163>l&j)<195><207><9><241>:<175><226><167><217>z'
> > >         Proxy-State = 155
> > >
> > > Fri Aug  6 23:04:50 2004: DEBUG: Handling request with Handler ''
> > > Fri Aug  6 23:04:50 2004: DEBUG:  Deleting session for hello, 10.0.0.1, 3
> > > Fri Aug  6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL
> > > Fri Aug  6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL:
> > > Fri Aug  6 23:04:50 2004: DEBUG: Handling with EAP: code 2, 1, 10
> > > Fri Aug  6 23:04:50 2004: DEBUG: Response type 1
> > > Fri Aug  6 23:04:50 2004: ERR: TLS could not load_verify_locations , :
> > > Fri Aug  6 23:04:50 2004: DEBUG: EAP result: 1, EAP TLS Could not initialise context
> > > Fri Aug  6 23:04:50 2004: INFO: Access rejected for hello: EAP TLS Could not initialise context
> > > Fri Aug  6 23:04:50 2004: DEBUG: Packet dump:
> > > *** Sending to 192.168.123.9 port 1814 ....
> > >
> > > Packet length = 41
> > > 03 2a 00 29 de 49 a8 63 73 f4 3d 7e 46 3b f0 77
> > > f0 4e 7e 85 12 10 52 65 71 75 65 73 74 20 44 65
> > > 6e 69 65 64 21 05 31 35 35
> > > Code:       Access-Reject
> > > Identifier: 42
> > > Authentic:  k#Wk_<184><234>F<189>g5<172>s<231>Q*
> > > Attributes:
> > >         Reply-Message = "Request Denied"
> > >         Proxy-State = 155
> > >
> > > Fri Aug  6 23:05:05 2004: DEBUG: Packet dump:
> > > *** Received from 192.168.123.9 port 1814 ....
> > >
> > > Packet length = 266
> > > Code:       Access-Request
> > > Identifier: 43
> > > Authentic:  d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
> > > Attributes:
> > >         User-Name = "scott"
> > >         WISPr-Location-ID = "isocc=(null),cc=(null),ac=(null),network=GEM1X"
> > >         WISPr-Location-Name = "operator,location"
> > >         NAS-IP-Address = 10.0.0.1
> > >         Service-Type = Framed-User
> > >         NAS-Port = 3
> > >         NAS-Port-Id = "3"
> > >         Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
> > >         Calling-Station-Id = "00-0C-F1-08-37-BF"
> > >         Framed-MTU = 1400
> > >         NAS-Port-Type = Wireless-IEEE-802-11
> > >         NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
> > >         Connect-Info = "CONNECT 11Mbps 802.11b"
> > >         EAP-Message = <2><2><0><10><1>scott
> > >         Message-Authenticator = <128>K<137>K<143><173>z<199><163><213><166>^<176><214>#<25>
> > >         Proxy-State = 156
> > >
> > > Fri Aug  6 23:05:05 2004: DEBUG: Handling request with Handler ''
> > > Fri Aug  6 23:05:05 2004: DEBUG:  Deleting session for scott, 10.0.0.1, 3
> > > Fri Aug  6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL
> > > Fri Aug  6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL:
> > > Fri Aug  6 23:05:05 2004: DEBUG: Handling with EAP: code 2, 2, 10
> > > Fri Aug  6 23:05:05 2004: DEBUG: Response type 1
> > > Fri Aug  6 23:05:05 2004: ERR: TLS could not load_verify_locations , :
> > > Fri Aug  6 23:05:05 2004: DEBUG: EAP result: 1, EAP TLS Could not initialise context
> > > Fri Aug  6 23:05:05 2004: INFO: Access rejected for scott: EAP TLS Could not initialise context
> > > Fri Aug  6 23:05:05 2004: DEBUG: Packet dump:
> > > *** Sending to 192.168.123.9 port 1814 ....
> > >
> > > Packet length = 41
> > > 03 2b 00 29 43 89 dc ac 25 80 f5 79 2e df dc b9
> > > 46 58 5b 41 12 10 52 65 71 75 65 73 74 20 44 65
> > > 6e 69 65 64 21 05 31 35 36
> > > Code:       Access-Reject
> > > Identifier: 43
> > > Authentic:  d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
> > > Attributes:
> > >         Reply-Message = "Request Denied"
> > >         Proxy-State = 156
> > >
> > >
> > > [root at AAA Radiator-3.9]#
> > >
> > > [root at AAA certificates]# ls
> > > cert-clt.p12  demoCA                   myhost.antlabs.com.pem  root.pem
> > > cert-clt.pem  myhost.antlabs.com.crt  README
> > > cert-srv.pem  myhost.antlabs.com.key  root.der
> > > [root at AAA certificates]#
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> > > Behalf Of Bon sy
> > > Sent: Tuesday, August 03, 2004 7:10 PM
> > > To: Terry Simons
> > > Cc: scottxiao at antlabs.com; radiator at open.com.au
> > > Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN
> > >
> > >
> > > Hi Scott and Terry,
> > >
> > > 	If your main concern is the cost as Terry mentioned, you may want
> > > to consider building your own CA using openssl. If a moderate cost
> > > investment may fit your budget, you may want to look into CATool as
> > > Mike/Hugh has suggested previously.
> > >
> > > 	We have tried and used both. Building your own CA using openssl is
> > > more involved --- and obviously you have to provide your own technical
> > > support --- compared to using CATool. If you do want to build your own
> > > CA using openssl and to avoid the frustration causing your late night
> > > sleepless symptom, we find it important to build up the comfort level on
> > > openssl, perl, and Linux, and definitely read up a lot from the mailing
> > > list, before doing it.
> > >
> > > Bon
> > >
> > >
> > > On Mon, 2 Aug 2004, Terry Simons wrote:
> > >
> > > > Hi Scott,
> > > >
> > > > You *can* reuse a server certificate in another location later.
> > > >
> > > > The domain name has no real significance, except that you need to
> > > > verify it on the client to ensure that your clients are secure.  The
> > > > domain can be whatever you like, and can exist on multiple servers...
> > > > there is no inherent tie to any given server.
> > > >
> > > > That said, it is probably *not* a good idea to reuse certificates in a
> > > > production environment, but it does work.
> > > >
> > > > Is the main reason why you are purchasing certificates to ensure that
> > > > the client has a pre-installed CA certificate that will verify your
> > > > certificate, or for some other reason?
> > > >
> > > > If your main concern is the cost, you should probably consider rolling
> > > > your own certificates.
> > > >
> > > > - Terry
> > > >
> > > > On Aug 2, 2004, at 8:59 PM, Scott Xiao - ANTlabs wrote:
> > > >
> > > > >
> > > > > Hi,
> > > > > Can any of you recommend one workable Radius (Radiator) server certificate
> > > > > besides Verisign? I want to buy a cheaper one, to use it in an 802.1x PEAP
> > > > > WLAN hotspot. If I use it for domain "hostname.mydomain.com", can I use the
> > > > > same certificate in future if I deploy the same WLAN in another place which
> > > > > will still use the same domain name? Thanks!
> > > > > Rgds
> > > > > Scott Xiao
> > > > > -----Original Message-----
> > > > > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> > > > > Behalf Of Terry Simons
> > > > > Sent: Thursday, July 29, 2004 1:15 PM
> > > > > To: Christian Wiedmann
> > > > > Cc: radiator at open.com.au
> > > > > Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN
> > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > On Jul 28, 2004, at 1:32 PM, Christian Wiedmann wrote:
> > > > >
> > > > >> As far as I know, the XP server extension OID is the one that is also
> > > > >> used for web servers.  Therefore, a web server certificate should
> > > > >> work.
> > > > >
> > > > > This is true.  There is one thing that people should probably be aware
> > > > > of, however.
> > > > >
> > > > > At the last Networld + Interop HotStage, we did some extensive testing
> > > > > with this and it was determined that what should probably happen is to
> > > > > officially apply for some OIDs for 802.1X authentication servers.  One
> > > > > of the HotStage members that is involved in the IETF and the IEEE is
> > > > > pushing that a bit, so it could be the case that a "proper" OID set
> > > > > will come out in the future.  It could be a ways out, but I personally
> > > > > hope that it happens so we can have an "official" way of creating
> > > > > "802.1X authentication" certificates.
> > > > >
> > > > > - Terry
> > > > >
> > > > >>
> > > > >> For what it's worth, I've successfully used a Verisign web server
> > > > >> certificate for PEAP authentication against Windows XP SP1.  I think there's a
> > > > >> good chance a freessl certificate would work too.
> > > > >>
> > > > >> 	-Christian
> > > > >>
> > > > >> ref.:
> > > > >> http://support.microsoft.com/?kbid=814394
> > > > >> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.1.html
> > > > >> http://www.ietf.org/rfc/rfc2459.txt
> > > > >>
> > > > >> On Wed, 28 Jul 2004, Mike McCauley wrote:
> > > > >>
> > > > >>> Date: Wed, 28 Jul 2004 19:35:44 +1000
> > > > >>> From: Mike McCauley <mikem at open.com.au>
> > > > >>> To: scottxiao at antlabs.com
> > > > >>> Cc: Radiator <radiator at open.com.au>
> > > > >>> Subject: Re: (RADIATOR) SSL certificate for  802.1x PEAP/aironet1100 WLAN
> > > > >>>
> > > > >>> Hi Scott,
> > > > >>>
> > > > >>>
> > > > >>> On Wednesday 28 July 2004 18:41, Scott Xiao  - ANTlabs wrote:
> > > > >>>> Hi, Mike,
> > > > >>>> Thanks, so do you have any suggestion that I can purchase regarding the
> > > > >>>> cert for radius server? Verisign? Which type? If you have any
> > > > >>>> recommendation that it works well on Radiator.... Thanks
> > > > >>>
> > > > >>> Verisign offer certificates for radius servers, but I don't know the
> > > > >>> details of how to apply for one. They do work with Radiator. You should try
> > > > >>> to get it in PEM format.
> > > > >>>
> > > > >>> Cheers.
> > > > >>>
> > > > >>
> > > > >> --
> > > > >> Archive at http://www.open.com.au/archives/radiator/
> > > > >> Announcements on radiator-announce at open.com.au
> > > > >> To unsubscribe, email 'majordomo at open.com.au' with
> > > > >> 'unsubscribe radiator' in the body of the message.
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
>


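Christian's check above (reading the "X509v3 Extended Key Usage" lines from `openssl x509 -text`) and Scott's question about pairing the issued certificate with a private key can both be scripted before the files are handed to Radiator. The following is an added example, not code from the thread or from Radiator; it assumes the OpenSSL command-line tool is on the PATH, that the certificate and key are PEM files, and that the file names passed in are placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Radiator PEAP server certificate.
# Assumes the OpenSSL CLI is on PATH; file names passed in are placeholders.

# Succeeds (exit 0) only if the certificate carries the serverAuth EKU,
# OID 1.3.6.1.5.5.7.3.1, which "openssl x509 -text" prints as
# "TLS Web Server Authentication" under "X509v3 Extended Key Usage".
# A cert with no EKU extension at all, like the FreeSSL one in the thread,
# fails this check; an XP supplicant rejects it with a TLS access_denied alert.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ {
                 getline
                 if ($0 ~ /TLS Web Server Authentication/) found = 1
             }
             END { if (found) exit 0; exit 1 }'
}

# Succeeds only if private key $2 belongs to certificate $1, by comparing the
# SubjectPublicKeyInfo each side exports. $3 is an optional OpenSSL passphrase
# source (e.g. "pass:secret") for an encrypted key, the EAPTLS_PrivateKeyPassword case.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    if [ -n "$3" ]; then
        key_pub=$(openssl pkey -in "$2" -passin "$3" -pubout 2>/dev/null)
    else
        key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    fi
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Writes cert then key into one file, the two-part layout of Radiator's sample
# cert-srv.pem, so EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile can share it.
bundle_cert_and_key() {
    cat "$1" "$2" > "$3"
}

# Runs both checks and reports; returns non-zero if either fails.
check_peap_server_cert() {
    rc=0
    if has_server_auth_eku "$1"; then
        echo "OK: serverAuth EKU (1.3.6.1.5.5.7.3.1) present in $1"
    else
        echo "FAIL: $1 lacks the TLS Web Server Authentication EKU"
        rc=1
    fi
    if key_matches_cert "$1" "$2" "$3"; then
        echo "OK: $2 matches the public key in $1"
    else
        echo "FAIL: $2 does not match $1 (wrong key, or wrong passphrase)"
        rc=1
    fi
    return $rc
}

# Example invocation with the file names from the thread (placeholders):
# check_peap_server_cert myhost.antlabs.com.pem myhost.antlabs.com.key
```

Run `check_peap_server_cert` on the pair before pointing EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile at the files; for a key encrypted with EAPTLS_PrivateKeyPassword, pass the passphrase source as the third argument.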

