If there are no certs on the client machine, Linksys fills the cert in with "Trust Any", so I assume it may be attempting with a blank? cert or another cert on the machine, such as VeriSign or the like. So this client is attempting to authenticate, I believe, with other certs on its machine because the radius log looks like below:
Tue Oct 10 11:16:16 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA
Tue Oct 10 11:16:16 2006 : Error: TLS_accept:failed in SSLv3 read client certificate A
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
I am not a FreeRadius expert so I may be misinterpreting the logs. Thanks.
Travis

----- Original Message -----
From: "Alan DeKok" <aland@deployingradius.com>
To: "devel" <devel@oberonwireless.com>; "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Tuesday, October 10, 2006 10:27 AM
Subject: Re: disable FreeRadius checking of client certs
"devel" <devel@oberonwireless.com> wrote:
> Is it possible to disable FreeRadius's checking of client certificates using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance overhead. Thanks.

Huh? Client certs are used for PEAP only when you deploy client certs to the end-user machines. Once they're deployed, they should really be checked. Perhaps you can explain why you've deployed client certs, but now don't want to use them.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
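
An added example, not part of the original thread or of FreeRADIUS: a small Python triage script for the log lines quoted above. It unpacks the legacy (pre-3.0) OpenSSL packed error codes and reports which side sent the TLS alert; the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: three of the log lines from the message above.
SAMPLE_LOG = """\
Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
"""

# TLS alert descriptions (RFC 5246, section 7.2): certificate-related subset.
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 20            # OpenSSL library number for libssl
ALERT_REASON_OFFSET = 1000  # OpenSSL's SSL_AD_REASON_OFFSET

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)$")

def decode_err(code_hex):
    """Unpack a legacy OpenSSL error code: 8 bits lib, 12 bits func, 12 bits reason."""
    e = int(code_hex, 16)
    lib, func, reason = (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF
    # libssl reasons at or above the offset encode an alert received from the peer.
    is_alert = lib == ERR_LIB_SSL and reason >= ALERT_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": reason - ALERT_REASON_OFFSET if is_alert else None}

def triage(log_text):
    """Return one finding per informative log line, in order of appearance."""
    findings = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            # "read" means the server received the alert, so the client sent it.
            sender = "client" if m.group(1) == "read" else "server"
            findings.append(("alert", sender, m.group(2), m.group(3).strip()))
        m = ERR_RE.search(line)
        if m:
            d = decode_err(m.group(1))
            if d["peer_alert"] is not None:
                name = ALERTS.get(d["peer_alert"], "other")
                findings.append(("peer_alert", d["peer_alert"], name))
            elif d["reason"]:  # skip the all-zero placeholder code
                findings.append(("local_error", d["lib"], d["reason"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `peer_alert` of 48 (`unknown_ca`) arriving on a "read" line is the client reporting that it does not trust the CA behind the certificate the server presented.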