EAP-TLS certificate

Alan DeKok aland at deployingradius.com
Sat Apr 5 08:49:35 CEST 2008


xia sihua wrote:
...
> CA_file = ${cadir}/ca.pem
> ....
> 
>   The supplicant I use TeraDot1x Tester from Spirent communication.
> ...
> Configuration:
...
> Root Certificate Filename: server.pem

  I think that should be "ca.pem".

>   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA

  Yes, the client is telling you that it doesn't know anything about ca.pem.

> If I change Root Certificate Filename from server.pem to ca.pem, will
> come out following error.
> ....
>   eaptls_verify returned 11
>   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
> TLS Alert read:fatal:bad certificate

  Ask the supplicant vendor why they don't like the certificate we provide.

> If I use those certificates provided by spirent, can pass. I do not know why?
> Any ideas?

  Print out the spirent certificates, and post the result here.  Maybe
there's some extra magic needed.

$ openssl x509 -text -in spirent.crt

  Alan DeKok.
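
The trust-anchor question in this thread can be reproduced offline. The script below is an added example, not part of the original post or of FreeRADIUS. It builds a throwaway CA and server certificate (the names are constructed lab values; `make_lab_pki`, `chain_ok` and `issuer_matches` are hypothetical helpers) and verifies server.pem first with ca.pem and then with server.pem configured as the root.

```shell
#!/bin/sh
# Added example. The CA and server names below are constructed lab values.

# Build a throwaway CA (ca.pem) and a server certificate it signs (server.pem).
make_lab_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# chain_ok ANCHOR CERT: true only if CERT verifies with ANCHOR as the sole root.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches ANCHOR CERT: true if CERT's issuer name is ANCHOR's subject,
# a quick way to tell which file belongs in a "root certificate" setting.
issuer_matches() {
    want=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    got=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
    [ "$want" = "$got" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_lab_pki "$d" || return 1
    for anchor in ca.pem server.pem; do
        if chain_ok "$d/$anchor" "$d/server.pem"; then
            echo "root=$anchor: server.pem verifies"
        else
            echo "root=$anchor: server.pem rejected (no trusted issuer found)"
        fi
    done
    # The fields to compare against a vendor-supplied certificate.
    openssl x509 -noout -subject -issuer -dates -in "$d/server.pem"
    rm -rf "$d"
}
demo
```
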


