<meta charset="utf-8">Frames and TPG had a play on a Windows XP laptop earlier (version unknown) and it seems to suggest that it cannot find a certificate.<div><br></div><div>Think we'll need to get a new CSR generated for <a href="http://mussel.ucc.gu.uwa.edu.au">mussel.ucc.gu.uwa.edu.au</a> with the XP Extensions (outlined here -> <a href="http://www.linuxjournal.com/article/8095?page=0,1">http://www.linuxjournal.com/article/8095?page=0,1</a>)</div>
<div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 13px; "><br></span></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 13px; ">[ xpclient_ext ]</span></div><div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 13px; ">extendedKeyUsage = 1.3.6.1.5.5.7.3.2</span></div>
<div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 13px; "><p>[ xpserver_ext ]<br>extendedKeyUsage = 1.3.6.1.5.5.7.3.1</p></span></div></blockquote><div>Going to drop a line to Gareth at ITS and see if they know much about this given the work that's been going on with Eduroam (though I think AARNet may have handled more of the setup there).</div>
<div><br></div><div>Matt</div><div><br></div><div>--<br clear="all">Matt Didcoe [MRD]</div><div>President / Wheel member</div><div>University Computer Club</div><div><a href="mailto:mattdidcoe@ucc.gu.uwa.edu.au">mattdidcoe@ucc.gu.uwa.edu.au</a><br>
<br><br><div class="gmail_quote">On Mon, Apr 12, 2010 at 11:43 PM, Patrick Coleman <span dir="ltr"><<a href="mailto:blinken@gmail.com">blinken@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Mon, Apr 12, 2010 at 6:44 PM, David Adam <<a href="mailto:zanchey@ucc.gu.uwa.edu.au">zanchey@ucc.gu.uwa.edu.au</a>> wrote:<br>
><br>
> [MRD] suggested that the certificate confirmation prompt might be from the<br>
> hostname of the RADIUS server (currently mussel) not matching the name on<br>
> the cert (secure.ucc). I'm not sure about this; my understanding of the<br>
> WPA2 protocol doesn't extend to how the client knows what authentication<br>
> server is being used. Next time I'm in the clubroom, hopefully with a more<br>
> useful device than the iPhone, I might try changing that around.<br>
<br>
</div>From my (limited) knowledge, the TLS tunnel is established back to the<br>
RADIUS server, so it's likely. FreeRADIUS is pretty verbose in debug<br>
mode, perhaps it'll tell you? (PEAP/MS-CHAPv2 is MS-CHAPv2 inside EAP<br>
inside TLS inside EAP inside RADIUS, proving that when one standard<br>
isn't secure enough you should add another four layers).<br>
<div class="im"><br>
> In any case, apparently[1] a stock SSL certificate will not work on<br>
> Windows XP without a specific extension. If someone with a Windows<br>
> wireless client could test it out and let me know I would appreciate it,<br>
> although I'll try and bring my laptop in.<br>
<br>
</div>Whoever does this, make sure you're running SP3 or I promise you will<br>
actually go insane.<br>
<br>
-Patrick<br>
<font color="#888888"><br>
--<br>
<a href="http://www.labyrinthdata.net.au" target="_blank">http://www.labyrinthdata.net.au</a> - WA Backup, Web and VPS Hosting<br>
</font></blockquote></div><br></div>
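<div>Added example, not part of the original thread or the linked article: it issues throwaway self-signed certificates with and without the xpserver_ext section quoted above and checks each one for the serverAuth extended key usage. It assumes the openssl CLI is on PATH; the file names, and the use of a self-signed certificate instead of a CSR signed by a CA, are assumptions made so it runs offline.</div>

```shell
#!/bin/sh
# Added example. Assumes the openssl CLI is on PATH; file names are hypothetical.

# write_config DIR: minimal req config plus the two sections quoted in the message.
write_config() {
    cat > "$1/xpextensions.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = mussel.ucc.gu.uwa.edu.au
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# make_cert DIR NAME [SECTION]: throwaway self-signed cert for testing only.
# SECTION, when given, is the config section whose extensions are added.
make_cert() {
    dir=$1; name=$2; section=${3:-}
    set -- -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/xpextensions.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem"
    if [ -n "$section" ]; then set -- "$@" -extensions "$section"; fi
    openssl req "$@" 2>/dev/null
}

# has_eku CERT PURPOSE: succeeds if the cert's text dump lists PURPOSE.
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

workdir=$(mktemp -d)
write_config "$workdir"
make_cert "$workdir" stock                  # no EKU, like a plain certificate
make_cert "$workdir" server xpserver_ext    # EKU = serverAuth
for c in stock server; do
    if has_eku "$workdir/$c.pem" 'TLS Web Server Authentication'; then
        echo "$c.pem: serverAuth EKU present"
    else
        echo "$c.pem: serverAuth EKU missing"
    fi
done
```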