Re: PEAP based 802.1x LAN authentication

From: Rui Francisco (francisco_rui_at_clix.pt)
Date: 04/07/05

  • Next message: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
    Date: Wed, 06 Apr 2005 23:20:54 +0100
    To: Rodrigo Blanco <rodrigo.blanco.r@gmail.com>
    
    

    Hi,

    You have to generate the certificate with eku extension,

    openssl ca -extensions eku -out certificate.pem -infiles cert-request.pem

    --rf

    Rodrigo Blanco wrote:
    > Hello list,
    >
    > I am currently trying to configure an Active Directory (w2K server)
    > both for windows auth and also as RADIUS server (IAS) for LAN 802.1x
    > authentication. I have successfully tried 802.1x with auth methods
    > such as PAP, CHAP... and now am trying to move to PEAP so I can have
    > joint AD/802.1x auth. with a single logon.
    >
    > According to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx
    > I should install MS CA and generate a certificate for the win2K server
    > acting as AD/IAS.
    >
    > I do not want to use this CA, but openssl instead (XCA, in fact). With
    > this, I have created a certificate with key usage = Server auth and
    > installed both the CA certificate and this certificate through the
    > browser.
    >
    > When I try to configure PEAP in the IAS Dial-in profile, I get an
    > error message stating: "A certificate could not be found that can be
    > used with this Extensible Authentication Protocol". I think some key
    > usage or extended key usage attributes must be missing, or that I have
    > created / installed the certificate wrong, but did not find the
    > problem.
    >
    > Any help or ideas would be more than welcome.
    >
    > Thanks in advance,
    > Rodrigo.
    ---------------------------------------------------------------------------
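Added example, not part of either message: `-extensions eku` in the command above names a section of the CA's OpenSSL configuration, so a section called `eku` has to exist there. The script below builds a throwaway CA whose config has such a section, signs the same request with and without it, and checks each certificate for the Server Authentication extended key usage. The section contents, the CA layout, the host name and every file name other than `certificate.pem` and `cert-request.pem` are assumptions.

```shell
#!/bin/sh
# Added example: throwaway CA in a scratch directory, every name is constructed.

setup_demo_ca() {   # $1 = scratch dir: CA key/cert, CA config, server CSR
  d=$1
  mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d/newcerts
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
# Section selected by "-extensions eku"; its contents are an assumption.
[ eku ]
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ias.example.test" \
    -keyout "$d/server.key" -out "$d/cert-request.pem" 2>/dev/null
}

issue() {           # issue DIR OUTFILE [extra "openssl ca" options]
  d=$1; out=$2; shift 2
  openssl ca -batch -notext -config "$d/ca.cnf" "$@" \
    -out "$out" -infiles "$d/cert-request.pem" 2>/dev/null
}

has_server_auth() { # true if the certificate carries the serverAuth EKU
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

work=$(mktemp -d)
setup_demo_ca "$work"
issue "$work" "$work/plain.pem"                        # no extensions section
issue "$work" "$work/certificate.pem" -extensions eku  # as in the reply
for c in plain.pem certificate.pem; do
  if has_server_auth "$work/$c"; then echo "$c: serverAuth EKU present"
  else echo "$c: serverAuth EKU missing"; fi
done
```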

