<HTML><BODY>Dear Jouni,<BR><BR>Thanks for your comments. Please see my reply below.<BR><BR>Regards,<BR><BR>JP<BR>
<BLOCKQUOTE dir=ltr style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">--------- Original Message --------<BR>From: Jouni Malinen <JKMALINE@CC.HUT.FI><BR>To: <BR>Cc: hostap@shmoo.com, eyen@pegasuswirelesscorp.com<BR>Subject: Re: wpa_supplicant interoperability with IAS<BR>Date: 05/19/2006 22:52<BR><BR><FONT style="FONT-SIZE: 10.8pt; FONT-FAMILY: Arial, Helvetica, sans-serif">On Wed, May 17, 2006 at 01:48:28PM -0700, JP Dong wrote:<BR><BR>> Hi all,<BR>> <BR>> We are trying to test the interoperability of wpa_supplicant with the IAS RADIUS server using EAP-TLS. We used IAS to&nbsp;create the certificates for the CA and a user, but we are not able to obtain the key file for the user, since it is required by the wpa_supplicant configuration file (or not?); however, the key and certificate for the CA can be obtained. In wpa_supplicant, the following fields are needed:<BR>> ca_cer_file<BR>> private_cer_file<BR>> private_key_file<BR>> We just wondered whether all three of these files are required; if so, how can they be obtained using IAS (or, if conversion is needed, how can the conversion&nbsp;be done)? Any hints or suggestions would be highly appreciated.<BR>> <BR>> Thanks and best,<BR>> JP<BR><BR>IAS does not create certificates as far as I know. I would assume you<BR>are using IAS as the RADIUS authentication server and Microsoft CA<BR>service as the tool for enrolling certificates.<BR><BR>[JP] You are right, and I should have said Microsoft CA services instead.<BR><BR>What made you think the user key cannot be obtained? I have enrolled<BR>client certificates (including private key generation) successfully with<BR>Firefox from Microsoft CA. These work fine with wpa_supplicant. Another<BR>option is to enroll certificates (e.g., with WinXP) and export them as a<BR>PKCS#12 (PFX) file.<BR><BR>[JP] We tried the "export" feature on Windows 2000 Server, and only a p7b (PKCS#7) file for the CA, but not for the user certificate, can be saved. We don't know why.<BR>What Microsoft CA are you using, on Windows 2000 Server or 2003 Server?
When we tried to export the user certificate (still on the server machine), the "private key" option is always disabled. => Any suggestions?<BR><BR>EAP-TLS requires user private key and certificate and a trusted CA<BR>certificate. These do not need to be separate files, but these<BR>keys/certificates are needed.<BR><BR>[JP] This is understood, since the comments in the sample wpa_supplicant configuration file explain this clearly.<BR><BR>-- <BR>Jouni Malinen PGP id EFC895FA</FONT> </DIV></BLOCKQUOTE></BODY></HTML>
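Jouni's route above (enroll the identity, export it as PKCS#12, then hand wpa_supplicant a CA certificate, client certificate and private key) worked through as an added example that is not part of this thread: the script builds a throwaway .pfx with openssl so it runs offline, splits it into the three PEM files, checks that the key matches the certificate, and prints the EAP-TLS network block. It assumes openssl is installed; the paths, ssid, identity and export password are all placeholders.

```shell
# Added example, not from the thread: split a PKCS#12 (.pfx) export of a
# client certificate plus private key into the PEM files wpa_supplicant's
# EAP-TLS block wants, then print that block. Needs openssl.
set -eu
WORK=${WORK:-./eaptls-demo}
PFX="$WORK/user.pfx"
PFX_PASS="export-password"   # constructed password protecting the demo .pfx

# Throwaway CA + client identity so this runs offline; it stands in for
# the certificate you would enroll and export on Windows.
make_demo_pfx() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=jp" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/user.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/user.crt" -inkey "$WORK/user.key" \
        -certfile "$WORK/ca.pem" -passout "pass:$PFX_PASS" -out "$PFX"
}
# Open the .pfx with its export password and extract one part per call.
p12() { openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" "$@"; }

# The three pieces EAP-TLS needs: CA chain, client cert, private key.
pfx_to_pem() {
    p12 -cacerts -nokeys -out "$WORK/ca_cert.pem"
    p12 -clcerts -nokeys -out "$WORK/client_cert.pem"
    p12 -nocerts -nodes  -out "$WORK/private_key.pem"   # unencrypted key
    chmod 600 "$WORK/private_key.pem"
    # Sanity check: the key must belong to the certificate it shipped with.
    [ "$(openssl x509 -noout -modulus -in "$WORK/client_cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$WORK/private_key.pem")" ]
}
# The matching wpa_supplicant network block.
network_block() {
    cat <<EOF
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jp"
    ca_cert="$WORK/ca_cert.pem"
    client_cert="$WORK/client_cert.pem"
    private_key="$WORK/private_key.pem"
}
EOF
}

make_demo_pfx && pfx_to_pem && network_block
```

A wpa_supplicant built against OpenSSL can also load the .pfx directly: point private_key at it, set private_key_passwd to the export password, and leave client_cert unset. Splitting the file out as above is still the quickest way to see what the Windows export actually contained.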