From: Alan T. DeKok Date: Tue, 12 May 2009 08:59:26 +0000 (+0200) Subject: Added notes on certificate compatibility X-Git-Tag: release_2_1_7~154 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63ba4892177371446cd5077f45802a8b1113490a;p=thirdparty%2Ffreeradius-server.git Added notes on certificate compatibility --- diff --git a/doc/ChangeLog b/doc/ChangeLog index fc83094d5bf..5b2fc3db775 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -25,6 +25,8 @@ FreeRADIUS 2.1.6 Sun Jan 1 1:1:00 CEST 2009; , urgency=medium the "authorize", "authenticate", etc. processing sections are reloaded. Clients and "listen" sections are NOT reloaded. * Updated "radwatch" script to be more robust. See scripts/radwatch + * Added certificate compatibility notes in raddb/certs/README, + for compatibility with different operating systems. (i.e. Windows) Bug fixes * Minor changes to allow building without VQP. diff --git a/raddb/certs/README b/raddb/certs/README index 457bb12941f..13e302b82ac 100644 --- a/raddb/certs/README +++ b/raddb/certs/README 
@@ -157,3 +157,46 @@ $ openssl speed rsa2048 A 1GHz system will likely do 30 calculations/s. A 2Ghz system may do 50 calculations/s, or more. That number is also the number of authentications/s that can be done for EAP-TLS (or TTLS, or PEAP). + + + COMPATIBILITY + +The certificates created using this method are known to be compatible +with ALL operating systems. Some common issues are: + + - Windows requires certain OID's in the certificates. If it doesn't + see them, it will stop doing EAP. The most visibile effect is + that the client starts EAP, gets a few Access-Challenge packets, + and then a little while later re-starts EAP. If this happens, see + the FAQ, and the comments in raddb/eap.conf for how to fix it. + + - Windows requires the root certificates to be on the client PC. + If it doesn't have them, you will see the same issue as above. + + - Windows XP post SP2 has a bug where it has problems with + certificate chains. i.e. if the server certificate is an + intermediate one, and not a root one, then authentication will + silently fail, as above. + + - Some versions of Windows CE cannot handle 4K RSA certificates. + They will (again) silently fail, as above. + + - In none of these cases will Windows give the end user any + reasonable error message describing what went wrong. This leads + people to blame the RADIUS server. That blame is misplaced. + + - Certificate chains of more than 64K bytes are known to not work. + This is a problem in FreeRADIUS. However, most clients cannot + handle 64K certificate chains. Most Access Points will shut down + the EAP session after about 50 round trips, while 64K certificate + chains will take about 60 round trips. So don't use large + certificate chains. They will only work after everyone upgrade + everything in the network. + + - All other operating systems are known to work with EAP and + FreeRADIUS. 
This includes Linux, *BSD, Mac OS X, Solaris, + Symbian, along with all known embedded systems, phones, WiFi + devices, etc. + + - Someone needs to ask Microsoft to please stop making life hard for + their customers.
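Review bot: the new doc/ChangeLog entry, "Added certificate compatibility notes in raddb/certs/README, for compatibility with different operating systems. (i.e. Windows)", says "compatibility" twice, puts the parenthetical after the full stop, and uses "i.e." where "e.g." is meant, since Windows is one example of the operating systems covered rather than the whole set. Suggest a single line such as "* Added notes on certificate compatibility with other operating systems (e.g. Windows) to raddb/certs/README."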
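Review bot: the opening sentence of the new COMPATIBILITY section, "The certificates created using this method are known to be compatible with ALL operating systems", is contradicted by the six Windows caveats that follow it, and the closing claim that all other systems work, "along with all known embedded systems, phones, WiFi devices, etc.", cannot be verified; soften both to what has actually been tested, e.g. "compatible with every operating system we know of, subject to the caveats below" and "every other client we have tested". Smaller points in the same hunk: "visibile" should be "visible"; "will only work after everyone upgrade everything" needs "upgrades"; "if the server certificate is an intermediate one, and not a root one" is imprecise, since a server certificate is never a root, and presumably means "if the server certificate is signed by an intermediate CA rather than directly by the root CA"; "4K RSA certificates" should say "4096-bit RSA keys"; and the 64K paragraph first calls the limit "a problem in FreeRADIUS" and then says most clients cannot handle such chains either, so it should state plainly that both the server and most clients impose the limit. The first bullet would be more useful if it named the extendedKeyUsage OIDs it refers to instead of deferring entirely to the FAQ and eap.conf, or at least showed how to confirm they are present, e.g. "openssl x509 -in <server cert> -noout -text" and checking the "X509v3 Extended Key Usage" line. Finally, the last bullet about asking Microsoft to stop making life hard is commentary rather than documentation and is better left out of a shipped README.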