Multiple SSL CA Files

Michael Courtney michael.courtney at civicwifi.com
Wed Feb 14 22:09:58 CET 2007


Freeradius List,

I have Freeradius 1.1.3 running on a Fedora Core 6 box, and it works 
great in the current setup.

My question has to do with a configuration change that I'm having 
trouble implementing. Right now, I have an in-house CA Cert that was 
generated for our servers that sit behind a firewall. The Radius server 
connects to our LDAP box via a hole in the firewall over an SSL 
connection that was generated with our internal CA Cert.

I would like to have two SSL certs on the Radius box: one, for the 
internal connections to our servers, and two, an SSL cert that one can 
verify as a trusted Root Authority for the TTLS connections.

This is causing an issue right now on the server.

I have the following LDAP fields in radiusd.conf:

tls_cacertfile  = /etc/lfncerts/cacert.pem
tls_certfile    = /etc/lfncerts/ldap2_public_cert.pem
tls_keyfile     = /etc/lfncerts/ldap2_private_key.pem

I have the following fields in the eap.conf:

private_key_file = /etc/lfnnewcerts/radius.lawrencefreenet.org.key
certificate_file = /etc/lfnnewcerts/radius.lawrencefreenet.org.crt
CA_file = /etc/lfnnewcerts/rapidssl_01.cer

Here's the output in the logs:

Feb 14 12:47:26 radius kernel: audit(1171478846.538:8): avc:  denied  { read } for  pid=10837 comm="radiusd" name="radius.lawrencefreenet.org.crt" dev=dm-0 ino=1310741 scontext=root:system_r:radiusd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

As you can see, the CA_files are different, since they are signed by 
different certificate authorities. I have tried this configuration and 
777'ed each of the files to no avail.

Is the configuration I'm trying to implement possible? Any help that you 
can offer would be greatly appreciated!

Thanks for your time!

-Mike
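Added example, not part of Mike's post or of FreeRADIUS itself: a small POSIX shell checker that parses AVC denial lines like the one quoted above and tells a home-directory label (user_home_t) on the target file apart from an ordinary permission problem, since the former is fixed by relabelling (restorecon), not by chmod. The sample line is the post's denial re-joined onto one line; the helper names avc_field and avc_classify are my own.

```shell
#!/bin/sh
# Classify SELinux AVC denials of the kind shown in the post. When radiusd_t
# is denied reading a file whose type is user_home_t, the file was copied out
# of a home directory without relabelling; chmod 777 cannot fix that, only
# restoring the directory's default label can (e.g. restorecon -Rv <dir>).
# This is an added example, not code from the original post.

# Constructed sample: the denial from the post, re-joined onto one line.
SAMPLE_AVC='Feb 14 12:47:26 radius kernel: audit(1171478846.538:8): avc:  denied  { read } for  pid=10837 comm="radiusd" name="radius.lawrencefreenet.org.crt" dev=dm-0 ino=1310741 scontext=root:system_r:radiusd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes
# stripped), or nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_classify LINE: one verdict per line.
#   "RELABEL <name> <tcontext>"  target carries a home-directory label
#   "DENIED  <name> <tcontext>"  any other AVC denial
#   "IGNORE"                     not an AVC denial at all
avc_classify() {
    line=$1
    case $line in
        *"avc:  denied"*|*"avc: denied"*) ;;
        *) echo IGNORE; return 0 ;;
    esac
    name=$(avc_field "$line" name)
    tctx=$(avc_field "$line" tcontext)
    ttype=${tctx#*:*:}      # drop SELinux user and role: user_home_t:s0
    ttype=${ttype%%:*}      # keep only the type: user_home_t
    case $ttype in
        *home_t|*home_dir_t) echo "RELABEL $name $tctx" ;;
        *) echo "DENIED $name $tctx" ;;
    esac
}

# Run the checker over the sample when executed directly.
avc_classify "$SAMPLE_AVC"
```

Feed real lines with `grep avc /var/log/messages | while IFS= read -r l; do avc_classify "$l"; done`; a RELABEL verdict means `ls -Z` on the file will show the home-directory type and restorecon is the fix.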





More information about the Freeradius-Users mailing list