Client certs with MSCHAPV2 in PEAP
Dave Huff
dbhuff at yahoo.com
Thu Feb 23 19:40:03 CET 2006
> -----Original Message-----
> From: aland at nitros9.org [mailto:aland at nitros9.org] On Behalf
> Of Alan DeKok
>
> "Dave Huff" <dbhuff at yahoo.com> wrote:
> > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown
> > TLS Alert read:fatal:certificate unknown
>
> SSL is telling FreeRADIUS that the certificate sent by the
> client is bad.
That's what I thought too, but I configured the CA, server, and client certs
all on OpenSSL pretty much like
http://www.cisco.com/en/US/products/ps6379/products_configuration_guide_chapter09186a00805ac269.html
Windows is using the cert I installed from the Linux box, at least I have a
choice in ProSET. If Windows overrides for some reason, I wouldn't
know... can I set a debug mode that would tell me?
>
> You're probably doing EAP-TLS where the server has one
> cert, and the client has cert signed by someone else
> entirely. For EAP-TLS to work, the client certs have to be
> signed by the server cert.
Signed by the server cert or by the CA cert? I have a CA that signed the
server and client certs, and the eap.conf file knows where server and CA
certs are.
Dan
>
> Alan DeKok.
>
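
An added example, not part of the original thread: one way to check the point discussed above, that the server and client certificates both chain to the same CA, using `openssl verify`. The throwaway CA, the file names and the subject names are all constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: a throwaway CA plus server, client and "stray" certs.
# Every file name and subject name here is made up for the example.

make_demo_pki() {   # $1 = existing directory to write keys and certs into
    # Self-signed CA (stands in for the CA cert that eap.conf points at).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # Server and client certs, both issued by the demo CA.
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$name.csr" -CA "$1/ca.pem" \
            -CAkey "$1/ca.key" -CAcreateserial -days 1 \
            -out "$1/$name.pem" 2>/dev/null || return 1
    done
    # A client cert signed by "someone else entirely" (here: self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-stray" \
        -keyout "$1/stray.key" -out "$1/stray.pem" 2>/dev/null || return 1
}

chains_to_ca() {    # $1 = CA file, $2 = cert; exit status 0 if it verifies
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {          # $1 = CA file, $2 = cert; prints issuer and verdict
    issuer=$(openssl x509 -noout -issuer -in "$2")
    if chains_to_ca "$1" "$2"; then verdict=OK; else verdict=FAIL; fi
    printf '%-12s %-5s %s\n' "$(basename "$2")" "$verdict" "$issuer"
}

# Demo run: server and client verify against the CA, the stray cert does not.
dir=$(mktemp -d) && make_demo_pki "$dir" || exit 1
for cert in server client stray; do
    report "$dir/ca.pem" "$dir/$cert.pem"
done
rm -rf "$dir"
```

To run the same check on real files, call `chains_to_ca` with the CA file and, in turn, the server and client certificates.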