wpa_supplicant(eapol_test) with freeradius: error coming in TLS

Gaurav Kansal gkansal at velankani.com
Thu Jul 10 07:09:42 CEST 2008


Hi 

I made the following change and it worked for me.

In the Makefile (/usr/local/etc/raddb/certs/), I passed the CA's input files
rather than the server's when creating the client certificate.

Regards,
Gaurav Kansal
 


-----Original Message-----
From: freeradius-users-bounces+gkansal=velankani.com at lists.freeradius.org
[mailto:freeradius-users-bounces+gkansal=velankani.com at lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Wednesday, July 09, 2008 8:58 PM
To: FreeRadius users mailing list
Subject: Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS

Sergio Yébenes Moreno wrote:
> I think that the PKI that comes with freeradius by default is shit

  Feel free to submit fixes.

  Most people don't have problems with the defaults.  Perhaps because
they realize that the defaults are for testing, and not for production use.

> (./bootstrap). I had the same problem. If you see the certification
> route in firefox, for example, you will see that the client certificate is
> signed by the SERVER CERTIFICATE and this by the ca certificate.

  Which shouldn't be a problem.

> Probably you
> put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf

  There is no configuration entry called 'ca_cert'.

> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
> --> verify error:num=20:unable to get local issuer certificate
> 
>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
> 
> , and should be server.pem, or make your own ca, that signs clients and
> servers certificates.

  The default configuration works.  Perhaps you could try explaining why
you think it doesn't, or why it's wrong.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
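
Added example (not part of either message, and not FreeRADIUS's own Makefile): the two signing layouts discussed in this thread, rebuilt as a constructed throwaway PKI, to show what `openssl verify` reports for each client certificate when only `ca.pem` is trusted. The file names, subjects and the `o.cnf` config are assumptions made for the illustration.

```shell
# Added example: constructed throwaway PKI; names, subjects and paths are hypothetical.
# build_pki DIR: one CA, a server cert signed by it, and two client certs from
# the same CSR: one signed with the server key, one signed with the CA key.
build_pki() {
    d=$1
    mkdir -p "$d" || return 1
    # Minimal config so the run does not depend on a system openssl.cnf.
    cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = replaced-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    (
        cd "$d" || exit 1
        exec >/dev/null 2>&1
        openssl req -new -x509 -newkey rsa:2048 -nodes -config o.cnf -extensions v3_ca \
            -subj "/CN=Constructed Test CA" -days 2 -keyout ca.key -out ca.pem || exit 1
        for n in server client; do
            openssl req -new -newkey rsa:2048 -nodes -config o.cnf \
                -subj "/CN=constructed-$n" -keyout "$n.key" -out "$n.csr" || exit 1
        done
        # server.pem is issued by the CA.
        openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
            -set_serial 1 -days 2 -out server.pem || exit 1
        # Layout described in the quoted message: client issued by the server cert.
        openssl x509 -req -in client.csr -CA server.pem -CAkey server.key \
            -set_serial 2 -days 2 -out client-by-server.pem || exit 1
        # Layout after the Makefile change: client issued directly by the CA.
        openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
            -set_serial 3 -days 2 -out client-by-ca.pem || exit 1
    )
}

# verify_with_ca DIR CERT: validate CERT with ca.pem as the only trust anchor
# and no intermediate supplied; prints openssl's verdict.
verify_with_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2" 2>&1
}

# Run directly as: sh example.sh /tmp/constructed-pki
if [ -n "${1:-}" ]; then
    build_pki "$1" || exit 1
    for c in client-by-server.pem client-by-ca.pem; do
        verify_with_ca "$1" "$c"
    done
fi
```

In this constructed setup the server-issued client certificate is rejected with verify error number 20, the same number that appears in the quoted log, while the CA-issued one reports OK.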





