[RADIATOR] WPA2 PEAP certificate (esp 3rd party)...

Heikki Vatiainen hvn at open.com.au
Wed Jul 27 16:44:31 CDT 2011


On 07/26/2011 08:02 PM, Jeff Kell wrote:

Hello Jeff,

> Has anyone been able to get a "valid, acceptable to Windows out-of-the-box" certificate
> for Radiator that allows seamless connections by Windows computers?
> 
> I've found bits and pieces, and references to voodoo with the openssl request and/or
> openssl patches to support the "extra" bits that Windows expects, but still haven't run
> across a nice clear answer.

See http://support.microsoft.com/kb/814394 and the "Server certificate
requirements" chapter.

The extra bits in openssl configuration look like this:

[ req ]
...
req_extensions          = req_extensions

[req_extensions]
...
extendedKeyUsage       = serverAuth

This extension should satisfy the Windows built-in client. The OID is
1.3.6.1.5.5.7.3.1 and even if RFCs call this OID id-kp-serverAuth, some
tools may call it e.g. "TLS Web Server Authentication".

I have also noticed that the certificates from vendors such as Thawte
have this extension enabled by default.

> Has anyone done this successfully to connect without a supplicant / Xpressconnect / su1x
> / other client preparation?

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
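
Added example, not part of the original message and not Radiator or vendor code: it builds a CSR with the extendedKeyUsage setting quoted above, then checks both the request and the signed certificate for the serverAuth purpose, since a request extension only helps if the signer copies it into the certificate. The hostname, file names, the [ dn ] section and the self-signing step are constructed for illustration.

```shell
# Added example. Hostname, file names and the [ dn ] section are constructed.

# Write a config with the extension from the post and create key + CSR in $1.
make_csr() {
    cat > "$1/radius.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = req_extensions

[ dn ]
CN = radius.example.org

[ req_extensions ]
extendedKeyUsage   = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/radius.cnf" \
        -keyout "$1/radius.key" -out "$1/radius.csr" 2>/dev/null
}

# Self-sign the CSR in $1 into $2; remaining arguments go to openssl x509.
# By default openssl x509 -req does not copy extensions out of the CSR.
self_sign() {
    dir=$1; out=$2; shift 2
    openssl x509 -req -days 30 -in "$dir/radius.csr" \
        -signkey "$dir/radius.key" -out "$out" "$@" 2>/dev/null
}

# Exit 0 only if the object ($1 = req or x509, $2 = PEM file) lists
# id-kp-serverAuth under Extended Key Usage.
has_server_auth() {
    openssl "$1" -in "$2" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# Demo: the CSR carries the EKU, plain signing drops it, -extfile restores it.
demo() {
    d=$(mktemp -d) && make_csr "$d" || return 1
    self_sign "$d" "$d/plain.crt"
    self_sign "$d" "$d/eku.crt" -extfile "$d/radius.cnf" -extensions req_extensions
    for f in "req $d/radius.csr" "x509 $d/plain.crt" "x509 $d/eku.crt"; do
        set -- $f
        if has_server_auth "$1" "$2"; then echo "${2##*/}: serverAuth present"
        else echo "${2##*/}: serverAuth MISSING"; fi
    done
    rm -rf "$d"
}
demo
```

Running has_server_auth x509 on the certificate a third-party CA returns shows whether the CA kept the requested extension.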

