multiple server certificates in EAP-TLS

Aller Ventosa, Manuel manuel.aller at gedas.es
Wed Jun 6 16:29:23 CEST 2007


Hi 

Has anybody got a freeradius server working with multiple server
certificates?

I've tried the configuration explained below but freeradius returns error
messages. 

Module: Instantiated eap (eap1) 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "/home/certificados/store/CAX-CA2"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/cacert.pem"
 tls: private_key_password = "test"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap2: Module instantiation failed. 
radiusd.conf[1597] Unknown module "eap2".
radiusd.conf[1597] Failed to parse "eap2" entry.

Any help is good

Thanks

Manel
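An added example, not code from the original post or from FreeRADIUS: the script below does offline what rlm_eap_tls asks OpenSSL to do with certificate_file and private_key_file. It walks a file for PEM blocks the way PEM_read_bio does, so a file that contains no "-----BEGIN ...-----" line for the wanted type reproduces the "no start line" condition seen in the debug output above; it checks that each decoded block is an outer DER SEQUENCE, which every X.509 certificate and PKCS#1/PKCS#8 key is; and it flags a password-protected key, which only loads when private_key_password matches. The PEM data is constructed (a five-byte DER SEQUENCE stands in for certificate and key bodies, and the DEK-Info salt is made up), and all function names are this example's own.

```python
"""Offline check of an rlm_eap_tls certificate_file / private_key_file pair.

Added example; the sample PEM data is constructed, not a real key or
certificate, and all function names are this example's own.
"""
import base64
import re
from typing import NamedTuple, Optional

# Minimal DER SEQUENCE { INTEGER 5 }, standing in for certificate/key bodies.
_DER_SEQ = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def pem_armour(label: str, der: bytes, headers: str = "") -> str:
    """Wrap DER in PEM armour, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


SAMPLE_CERT_PEM = pem_armour("CERTIFICATE", _DER_SEQ).encode()
SAMPLE_KEY_PEM = pem_armour("RSA PRIVATE KEY", _DER_SEQ).encode()
# A password-protected PKCS#1 key carries Proc-Type/DEK-Info headers (salt made up).
SAMPLE_ENC_KEY_PEM = pem_armour(
    "RSA PRIVATE KEY", _DER_SEQ,
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n").encode()
SAMPLE_BUNDLE_PEM = SAMPLE_KEY_PEM + SAMPLE_CERT_PEM  # key and cert in one file
SAMPLE_DER_ONLY = _DER_SEQ                            # raw DER: no BEGIN line at all

_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[^-\n]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)
_KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
               "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


class PemBlock(NamedTuple):
    label: str
    der: bytes
    encrypted: bool


def pem_blocks(data: bytes) -> list:
    """All PEM blocks in data, read the way PEM_read_bio reads them: a BEGIN
    line, optional 'Name: value' headers, base64 up to the matching END line.
    A file with no BEGIN line (empty, binary DER, wrong file) yields [] here
    and 'PEM routines:PEM_read_bio:no start line' from OpenSSL."""
    text = data.decode("ascii", errors="replace")
    blocks = []
    for m in _BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        headers = {}
        while lines and ":" in lines[0]:      # base64 never contains ':'
            name, _, value = lines.pop(0).partition(":")
            headers[name.strip()] = value.strip()
        # validate=True rejects stray characters, i.e. a corrupted block
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        encrypted = (headers.get("Proc-Type", "").endswith("ENCRYPTED")
                     or m.group("label") == "ENCRYPTED PRIVATE KEY")
        blocks.append(PemBlock(m.group("label"), der, encrypted))
    return blocks


def der_sequence_length(der: bytes) -> Optional[int]:
    """Content length of the outer DER SEQUENCE, or None when the bytes do not
    start with tag 0x30 or the declared length disagrees with the decoded size."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                                  # short form length
        length, header = first, 2
    else:                                             # long form: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return None
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return length if header + length == len(der) else None


def check_eap_tls_files(certificate_file: bytes, private_key_file: bytes) -> list:
    """Findings for one eap/tls instance. certificate_file is loaded as a
    chain, so it needs a CERTIFICATE block; private_key_file needs a private
    key block, which may live in the same file. [] means nothing here would
    stop the module from initializing."""
    findings = []
    certs, keys = pem_blocks(certificate_file), pem_blocks(private_key_file)
    if not any(b.label == "CERTIFICATE" for b in certs):
        findings.append("certificate_file: no CERTIFICATE block (PEM_read_bio: no start line)")
    if not any(b.label in _KEY_LABELS for b in keys):
        findings.append("private_key_file: no private key block (PEM_read_bio: no start line)")
    for where, blocks in (("certificate_file", certs), ("private_key_file", keys)):
        for b in blocks:
            if not b.encrypted and der_sequence_length(b.der) is None:
                findings.append(f"{where}: {b.label} block is not a DER SEQUENCE")
    if any(b.encrypted for b in keys if b.label in _KEY_LABELS):
        findings.append("private_key_file: key is encrypted, private_key_password must match")
    return findings


if __name__ == "__main__":
    for name, cert, key in (("key+cert bundle", SAMPLE_BUNDLE_PEM, SAMPLE_BUNDLE_PEM),
                            ("DER-only cert", SAMPLE_DER_ONLY, SAMPLE_KEY_PEM),
                            ("encrypted key", SAMPLE_CERT_PEM, SAMPLE_ENC_KEY_PEM)):
        print(f"{name}: {check_eap_tls_files(cert, key) or ['ok']}")
```

Run it against the real files by reading them in binary and passing the bytes to check_eap_tls_files; a key and certificate kept in one file, as in the default eap.conf, pass the check as long as both block types are present.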

-------------------------------------------


Date: Wed, 30 May 2007 05:22:30 +0000 (GMT)
From: Eshun Benjamin <bkeshun at yahoo.fr>
Subject: Re : Multiple server certificates in EAP-TLS or EAP-TTLS
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <796452.32991.qm at web26001.mail.ukl.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

There was a post on this by Mike;

You'll have to set up two instances of the EAP module.  The first  
instance will have the TLS submodule set up with the information for  
Cert1.pem (and the appropriate key and CA cert).  The second instance  
will have its TLS submodule set with the info for Cert2.pem.  It will  
look something like this:

modules {
   ...
   eap eap1 {
     ...
     tls {
       certificate_file = Cert1.pem
       ...
     }
   }
   eap eap2 {
     ...
     tls {
       certificate_file = Cert2.pem
       ...
     }
   }
}

authorize {
   ...
   eap1
}

authenticate {
   ...
   eap1
   eap2
}



Then, this is one of the few instances where you'll need to manually  
specify the Auth-Type in the users file, like this:

DEFAULT    Called-Station-ID == "00112233445566:SSID1", Auth-Type := eap1
DEFAULT    Called-Station-ID == "00112233445566:SSID2", Auth-Type := eap2

Or, better yet, use regexes (this should work):
DEFAULT Called-Station-ID =~ ":SSID1$", Auth-Type := eap1


 
================================================== 
Benjamin K. Eshun


DISCLAIMER: This e-mail contains propietary information some 
or all of which may be legally protected. It is for the intended 
recipient only. If an addressing or transmission error has 
misdirected this e-mail, please notify the author by replying to
this e-mail. If you are not the intended recipient you must not use,
disclose, distribute, copy, print or relay this e-mail.

***************************************************************************
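Added example, not from the original post and not FreeRADIUS code: a small Python simulation of the users-file selection quoted above, so the matching rules can be tried offline before the server is touched. The entries are constructed in the shape shown in the reply, with the dictionary spelling Called-Station-Id and "==" for the exact comparison; the first matching DEFAULT entry wins, as in the users file when no Fall-Through is set, and Auth-Type := eap1 or eap2 names the eap module instance. Python's re module stands in for the server's POSIX regex engine, an assumption that holds for patterns this simple. The sample requests are constructed as well; they include a second SSID name that shares a prefix, to show why the "$" anchor in the quoted regex matters.

```python
"""Simulate the users-file lines that route a request to eap1 or eap2.

Added example, not from the original post; entries and requests below are
constructed, and Python's re stands in for the server's regex engine.
"""
import re
from typing import Optional

# Same shape as the reply above: exact AP-MAC:SSID matches first, then
# regexes anchored on the SSID suffix so they hold for every AP. The first
# matching DEFAULT entry wins, as in the users file without Fall-Through.
USERS_FILE = """\
DEFAULT Called-Station-Id == "00112233445566:SSID1", Auth-Type := eap1
DEFAULT Called-Station-Id == "00112233445566:SSID2", Auth-Type := eap2
DEFAULT Called-Station-Id =~ ":SSID1$", Auth-Type := eap1
DEFAULT Called-Station-Id =~ ":SSID2$", Auth-Type := eap2
"""

# Without the '$' anchor this line also claims SSID10, SSID1-guest, ...
UNANCHORED_ENTRY = 'DEFAULT Called-Station-Id =~ "SSID1", Auth-Type := eap1\n'

# Constructed requests: the Called-Station-Id a wireless NAS sends and the
# eap instance each should reach (None = no entry matched, so Auth-Type
# stays whatever the authorize section set).
SAMPLE_REQUESTS = {
    "00112233445566:SSID1": "eap1",
    "00-11-22-33-44-55:SSID2": "eap2",   # other MAC format, caught by the regex
    "00-11-22-33-44-55:SSID10": None,    # ':SSID1$' is anchored, no match
    "00-11-22-33-44-55:Guest": None,
}

_ENTRY = re.compile(
    r'^DEFAULT\s+Called-Station-Id\s+(?P<op>==|=~)\s+"(?P<value>[^"]*)"\s*,'
    r'\s*Auth-Type\s*:=\s*(?P<auth>\S+)\s*$', re.IGNORECASE)


def parse_users(text: str) -> list:
    """(operator, value, auth_type) for each DEFAULT line in the subset of
    users-file syntax used here; anything else is rejected loudly."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unsupported users line: {line}")
        entries.append((m.group("op"), m.group("value"), m.group("auth")))
    return entries


def select_auth_type(called_station_id: str, entries: list) -> Optional[str]:
    """Auth-Type assigned by the first matching entry, or None."""
    for op, value, auth in entries:
        if op == "==" and called_station_id == value:
            return auth
        if op == "=~" and re.search(value, called_station_id):
            return auth
    return None


def dispatch_all(users_text: str = USERS_FILE) -> dict:
    """Map every sample Called-Station-Id to the eap instance it reaches."""
    entries = parse_users(users_text)
    return {csid: select_auth_type(csid, entries) for csid in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for csid, auth in dispatch_all().items():
        print(f"{csid:30} -> {auth}")
    bad = select_auth_type("00-11-22-33-44-55:SSID10", parse_users(UNANCHORED_ENTRY))
    print(f"unanchored pattern sends SSID10 to {bad}")
```

The unanchored entry is the one to watch for: a pattern without "$" routes every SSID that merely starts with SSID1 to the eap1 instance, and with it the wrong server certificate.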




More information about the Freeradius-Users mailing list