Hello Jim,
We have a similar setup with our freeradius server (bundled server +
intermediate certificates with a separate root certificate). Like
yourself, I thought testing this would be easier with a Windows laptop
and I used the same options within the PEAP dialogue.
However, with these options enabled, the laptop constantly fails
authentication and keeps requesting login credentials from the user. The
freeradius log shows the following lines:
Error: TLS Alert read:fatal:access denied
Info: rlm_eap_peap: No data inside of the tunnel.
I took this to mean that Windows is refusing to accept the certificate
based on a validation check (since connecting works fine without the
"validate server certificate" option). I assumed this was due to Windows
requiring an additional object identifier in the form of an extended key
within the certificate. Microsoft explains this here:
http://support.microsoft.com/kb/814394.
My question is, did you hit this problem and if so, how did you overcome it?
Many thanks,
Tom Griffin
[log in to unmask] wrote:
> Hi Alex,
>
> Not sure about Radiator, but we have Windows Mobile 2005 and 2006
> connecting OK using WPA/TKIP/PEAP/MSCHAPv2 with a freeradius server and
> offer the following notes in case they help.
>
> First, we do get the error message relating to client certificates, but
> as we are using PEAP/MSCHAPv2 we shouldn't need a client certificate -
> just click OK and it goes away...
>
> The main problem we did have was that Windows Mobile 2005 forces server
> certificate validation (unless you're willing to do something drastic
> like hack the registry). The UKERNA TLS server certificate is fine for
> this, but you also need the intermediate CA certificate (format
> sureserverEDU.pem for freeradius) and the root CA certificate
> (ct_root.pem) to configure the radius server - the email with your
> server certificate has links for these in different formats to suit your
> platform.
>
> The freeradius configuration files only allow us to specify the root
> certificate and the server certificate. We therefore needed a single
> file that bundles both the server certificate and the intermediate
> certificate together for use in the freeradius configuration, e.g. on a
> linux setup use the command:
>
> cat server_cert.pem sureserverEDU.pem > server_bundle.pem
>
> The Windows Mobile client should trust the root CA certificate by
> default, and with freeradius configured to offer it the intermediate
> certificate in this way the PDA should now trust the server and make a
> connection.
>
> Checking/debugging this setup can be easier using a laptop - keep the
> 'Validate Server Certificate' box checked on the "Protected EAP
> properties" dialog and check the GTE Cyber Trust Global Root box in the
> list of root CAs.
>
> Hope this is of some use.
>
> Jim Stanton
> Canterbury Christ Church University
>
> -----Original Message-----
> From: Wireless Issues in the JANET community
> [mailto:[log in to unmask]] On Behalf Of Alex Sharaz
> Sent: 29 November 2007 13:07
> To: [log in to unmask]
> Subject: Windows mobile connectivity problems
>
> Chaps,
>
> We are currently rolling out our new Trapeze networks wireless service
> round the campus. Radius authentication is provided by a Radiator 3.17.1
> hardware load balanced solution. Server certificate is a UKERNA
> sureserverEDU beast.
>
> Everything works just fine for windoze laptops, OS X systems and older
> windows mobile 2003 PDAs running the Odyssey client. However, any
> attempt to connect using Windows mobile 2005 or 2006 fails with an error
> message saying that a client certificate is required.
>
> So ...
>
> Is anyone out there providing wireless access for WM 2006?
>
> Was there anything specific you had to do to get it to work?
>
> Alex
>
--
Tom Griffin
Data Network Administrator
The University of Sheffield
Corporate Information & Computing Services
285 Glossop Road, Sheffield, S10 2HB
e: [log in to unmask]
t: (0114) 222 3013
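Added example (not written by anyone in this thread): a stdlib-only Python check for the two points raised above, that server_bundle.pem holds the server certificate followed by the intermediate, and that the first certificate carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) that KB814394 describes. The sample DER is a constructed Extensions node rather than a real certificate; the walker descends any DER, so it also works on real certificates read with pem_certs().

```python
import base64, re

EKU_EXT_OID = "2.5.29.37"              # id-ce-extKeyUsage
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, the EKU KB814394 asks for

def _children(buf, start, end):        # yield (tag, value_start, value_end) per DER TLV in [start, end)
    pos = start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: next n bytes carry the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        pos += length
def _oid(raw):                             # OBJECT IDENTIFIER content bytes -> dotted form
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def eku_oids(der, start=0, end=None):      # OIDs in the extKeyUsage extension; [] when there is none
    for tag, vs, ve in _children(der, start, len(der) if end is None else end):
        if not tag & 0x20:                 # primitive node: nothing to descend into
            continue
        kids = list(_children(der, vs, ve))
        if tag == 0x30 and kids and kids[0][0] == 0x06 and _oid(der[kids[0][1]:kids[0][2]]) == EKU_EXT_OID:
            # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            _, s, e = next(_children(der, kids[-1][1], kids[-1][2]))   # extnValue holds SEQUENCE OF OID
            return [_oid(der[a:b]) for t, a, b in _children(der, s, e) if t == 0x06]
        hit = eku_oids(der, vs, ve)        # recurse into the constructed node
        if hit:
            return hit
    return []
def pem_certs(bundle_text):                # DER blobs from a PEM bundle such as server_bundle.pem, in file order
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", bundle_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]
def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
def check_bundle(bundle_text):             # problems a validating Windows PEAP client would trip over
    certs, problems = pem_certs(bundle_text), []
    if len(certs) < 2:
        problems.append("bundle should hold the server certificate followed by the intermediate")
    if certs and SERVER_AUTH_OID not in eku_oids(certs[0]):
        problems.append("first (server) certificate lacks the Server Authentication EKU")
    return problems

# Constructed test data, NOT real certificates: just the [3] Extensions node of a TBSCertificate.
SAMPLE_SERVER_EKU = bytes.fromhex("a3 21 30 1f 30 1d 06 03 55 1d 25 04 16 30 14"   # extKeyUsage {
    "06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 05 07 03 02")                     # serverAuth, clientAuth }
SAMPLE_CLIENT_ONLY_EKU = bytes.fromhex("a3 17 30 15 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 02")
```

To check a live bundle, read server_bundle.pem into a string and pass it to check_bundle(); an empty list means both checks passed.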