CLEANACCESS Archives

February 2010

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Mike Diggins <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 5 Feb 2010 15:15:13 -0500
Content-Type: multipart/mixed
Parts/Attachments: text/plain (4 kB) , mike_diggins.vcf (4 kB)
I made a little progress today. As I mentioned, I was testing with a 
certificate that belonged to a different server, and Windows WPA clients 
were not authenticating correctly. It turns out I didn't have the root and 
intermediate certificates installed correctly on my FreeRadius server. 
After fixing that, Windows is now working.

-Mike


On 05/02/2010 12:46 PM, Mark Duling wrote:
> I don't think a cert for another host would work because the cert has the
> host's dns name embedded in it so it can check to see if the host is being
> spoofed.  So if you are using a cert from another host it should fail to
> validate.  I am not clear on how the setup should be for redundant radius
> servers.  I presume that each has its own cert and your NAS (your wireless
> controller or whatever) just lists both of them (and Windows has both in the
> "connect to these servers" box) and if the NAS sees one is unreachable then
> it tries the other one.  But I've not actually done this so I could be
> wrong.
>
> Mark
>
>
> On 2/4/10 10:25 AM, "Mike Diggins"<[log in to unmask]>  wrote:
>
>> Thanks. One other thing I didn't understand is if the certificate had to
>> be for the radius server host itself (i.e. certificate name matches the
>> radius server name), or can I use the same certificate on both my radius
>> servers? Right now I'm experimenting with a certificate that is from a
>> different server. In my Windows settings I select the validate
>> certificate option, type in the common name from the certificate into
>> the "Connect to these servers" field, then select the Trusted Root
>> Certification Authority that matches the cert. That isn't working though.
>>
>> -Mike
>>
>>
>> On 04/02/2010 1:06 PM, Mark Duling wrote:
>>> Mike,
>>>
>>> The problem is a general problem and not unique to FreeRadius.  We had the
>>> same problem for Windows (and not with Mac) with another radius vendor
>>> (radiator) but we were able to work around it easily because we use an
>>> installation wizard called XpressConnect from Cloudpath that automates
>>> making wireless settings.  What you need to do is check the "validate server
>>> certificate" box in the win wireless setup and then in the "Connect to these
>>> servers" check box immediately below enter in the radius hostname.
>>>
>>> I had done some research at the time and satisfied myself that there wasn't
>>> anything else I could do, but I can't remember all the details now and I
>>> don't recall hearing about "XP Extensions" for certs at the time FWIW.
>>>
>>> Mark
>>>
>>>
>>>
>>> On 2/4/10 9:26 AM, "Mike Diggins"<[log in to unmask]>   wrote:
>>>
>>>> I saw that but wasn't sure if it was a general problem or a FreeRadius
>>>> specific problem. Has anyone else had to obtain a "special" certificate
>>>> to make Windows WPA work? I have a feeling I'm going to get a blank
>>>> stare if I ask for that ;)
>>>>
>>>> -Mike
>>>>
>>>> On 04/02/2010 12:12 PM, Bruce Hudson wrote:
>>>>>> Slightly off topic, but I'm trying to configure FreeRadius V2 to work
>>>>>> with the Cisco Wireless Lan Controllers using WPA2. I'm running into
>>>>>> trouble with Windows clients. If I configure them NOT to verify the
>>>>>> certificate from the Radius Server, it connects. As soon as I configure
>>>>>> the "Verify Certificate" option, it fails. The Diagnostic seems to
>>>>>> indicate that it doesn't trust the certificate from the Radius Server,
>>>>>> which is a CA signed Verisign cert. A Mac client presents the
>>>>>> certificate on login, and I can either accept it or not. Windows isn't
>>>>>> doing that, it just fails.
>>>>>
>>>>> The README file in the FreeRadius certs directory includes the following
>>>>> statement:
>>>>>
>>>>>     The Microsoft "XP Extensions" will be automatically
>>>>>     included in the server certificate.  Without those
>>>>>     extensions Windows clients will refuse to authenticate
>>>>>     to FreeRADIUS.
>>>>>
>>>>> I would guess that the certificate you got from Verisign does not include
>>>>> the extensions. If you figure out how to get them, please let me know.
>>>>> Dealing through our local certificate maintainer, I never could get an
>>>>> answer (or clear indication they knew what I was asking for).
>>>>> --
>>>>> Bruce A. Hudson    | [log in to unmask]
>>>>> ITS, Networks and Systems  |
>>>>> Dalhousie University   |
>>>>> Halifax, Nova Scotia, Canada  | (902) 494-3405
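
The thread turns on three separate checks that the Windows supplicant applies to the EAP server certificate, and it is worth being able to run each one locally before asking a CA for anything. The "XP Extensions" that FreeRADIUS's certs/README refers to are the extendedKeyUsage values in the raddb/certs/xpextensions file; the server-side one (xpserver_ext) is TLS Web Server Authentication, OID 1.3.6.1.5.5.7.3.1, the same EKU an ordinary HTTPS server certificate already carries. So the thing to ask a certificate maintainer for is "a server certificate with the serverAuth EKU", and the first thing to do with a CA-issued cert is confirm whether it is actually missing. The second check is that the name entered in "Connect to these servers" appears in the certificate. The third is the one that bit Mike: the client can only validate the chain if the server sends the intermediate(s) and the client trusts the root, so the intermediate has to be in the file FreeRADIUS presents.

The script below is an added example, not code from the thread or from the FreeRADIUS project. It builds a throwaway root -> intermediate -> server PKI with openssl (the names "Demo Root CA", "Demo Intermediate CA" and the host radius1.example.edu are constructed for the demo), issues one server cert with the serverAuth EKU and one without, and then runs the three checks, including the "intermediate missing" case, and writes the combined file that FreeRADIUS should present. It uses only generic openssl commands, so it applies to a CA-issued certificate just as well as to the demo one.

```shell
#!/bin/sh
# Added example (not from the list thread or the FreeRADIUS project): build a
# throwaway root -> intermediate -> RADIUS server PKI with openssl, then run the
# checks a Windows supplicant effectively performs on the EAP server certificate
# and assemble the chain file FreeRADIUS should present. All names are constructed.
set -eu

RADIUS_HOST="radius1.example.edu"   # constructed: the name typed into "Connect to these servers"
WORK=$(mktemp -d)
cd "$WORK"

# openssl config with the extension sets we need. [radius_server] carries the
# "XP extensions" from FreeRADIUS's certs/README: the TLS Web Server
# Authentication EKU (OID 1.3.6.1.5.5.7.3.1). [radius_server_noeku] omits it.
cat > pki.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ radius_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
subjectAltName = DNS:$RADIUS_HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ radius_server_noeku ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:$RADIUS_HOST
EOF

q() { "$@" >/dev/null 2>&1; }   # quiet wrapper; set -e still aborts on failure

# --- constructed three-tier PKI (demo only) ----------------------------------
q openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config pki.cnf -extensions v3_ca -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.pem
q openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
  -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile pki.cnf -extensions v3_ca -out inter.pem
q openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
  -subj "/CN=$RADIUS_HOST" -keyout server.key -out server.csr
q openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 825 -sha256 -extfile pki.cnf -extensions radius_server -out server.pem
q openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 825 -sha256 -extfile pki.cnf -extensions radius_server_noeku -out server-noeku.pem

# --- the checks --------------------------------------------------------------
# 1. Does the server cert assert the TLS Web Server Authentication EKU?
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# 2. Does the name the client is told to expect appear in the cert
#    (subject CN or a DNS subjectAltName)?
name_in_cert() {   # $1 cert, $2 expected host name
  openssl x509 -in "$1" -noout -text | grep -qE "CN ?= ?$2|DNS:$2"
}

# 3. Can a path be built from the server cert to a trusted root using only
#    what the server sends ($2, may be empty) plus the roots the client trusts ($3)?
chain_verifies() {   # $1 server cert, $2 intermediates file or "", $3 trusted roots
  if [ -n "$2" ]; then q openssl verify -CAfile "$3" -untrusted "$2" "$1"
  else q openssl verify -CAfile "$3" "$1"; fi
}

# 4. The file FreeRADIUS should present: server cert first, then intermediate(s).
build_chain_file() { cat "$1" "$2" > "$3"; printf '%s\n' "$3"; }
count_certs() { grep -c "BEGIN CERTIFICATE" "$1"; }

# --- run them, mirroring what the thread reports ----------------------------
verdict() { if "$@"; then echo "ok  : $*"; else echo "FAIL: $*"; fi; }
verdict has_server_auth_eku server.pem
verdict has_server_auth_eku server-noeku.pem           # FAIL: Windows refuses this one
verdict name_in_cert server.pem "$RADIUS_HOST"
verdict chain_verifies server.pem "" root.pem          # FAIL: intermediate not sent
verdict chain_verifies server.pem inter.pem root.pem   # ok: what fixed Mike's setup
CHAIN=$(build_chain_file server.pem inter.pem radius-chain.pem)
echo "certificate_file candidate: $CHAIN ($(count_certs "$CHAIN") certs)"
```

On the FreeRADIUS side (assuming the usual eap.conf layout of a FreeRADIUS 2 install), the combined file is what the tls section's certificate_file should point at, with private_key_file at the matching key and CA_file at the root bundle; the supplicant then receives the server cert and the intermediate in the TLS handshake and only needs the root in its own trust store. Note that the chain check passes for the no-EKU certificate too: a certificate can chain perfectly and still be rejected by Windows, which is why the EKU check is run separately.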

