id-kp-eapOverLAN extended key usage

alexsatyork · May 8, 2014, 2:11pm

Hi,

At the university of York, we obtain our Comodo SSL certs through UKERNA, the governing body of the UK academic network. I recently obtained one for an ARUBA CLEARPASS server for use in RADIUS authentication. Having installed the certificate with the appropriate intermediate and root CAs I get the following error message:-

There are errors with the server certificate configuration that will prevent devices from provisioning or authenticating:
clearpass.york.ac.uk: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.

The support staff at UKERNA haven’t been able to help with this and suggested I contact Comodo. Do I have to do something in the openssl config file before generating my CSR in order to get the above extended key? Should it be there by default?

Rgds
Alex

salvatoreg · May 8, 2014, 2:30pm

We presently do not support the EKU that you’re looking for.

Furthermore, according to Microsoft [ Connections to Organization Networks with Multiple RADIUS Servers | Microsoft Learn ], you should use a private CA:

You must deploy a private CA rather than obtain server certificates from a third party public CA. In addition, the certificate template that you use to issue the certificates must contain the RADIUS EKU extension. This extension is id-kp-eapOverLAN and the object identifier (OID) for this EKU is 1.3.6.1.5.5.7.3.14. This EKU extension can only be configured on a private CA and is used by Windows 8 to determine whether a private CA issued the certificate.

xheepx · March 26, 2015, 2:02pm

Hi,
do you still dont support: id-kp-eapOverLAN EKU?