freeradius eap-ttls user/pass + cert

[grub3r]

Hi All,

Firstly I wanted to thank freeradius-devs for the tremendous job they are
doing.


And to the question itself:

I had been planning to configure freeradius to be able to authenticate users
by username/password from users-file.

1. I followed the readme-file under certs and made ca, server and client
certificates
MARK: README states that one has to delete index.txt and serial files, but
these are needed when creating new certificates, and have to be recreated
prior to generating new certificates!?

2. configured ttls/server cert password in eap.conf and everything worked
fine. Then I read somewhere that username/password authentication alone is
not secure as some information is passed in clear text?!

So I decided to add extra protection by using certificates in addition to
username/password. That's where problems started.
I added "EAP-TLS-Require-Client-Cert = Yes" in "authorize-section" the
default-site in sites-enabled.
(I also tried to add it to users-file, which didn't work, what does work is
DEFAULT EAP-TLS-Require-Client-Cert := Yes)

using Fedora 16 as client, I now had to use certificate, I added earlier
created client.pem, but server fails to authenticate with message "unknown
ca cert", I also tried to use ca.pem, but with negative result.

What could the problem be? Please don't reject the question by saying that
everything is documented or at least point to the right document.

I'll gladly post any config-files/logs on request.

regards, Dan. 

--
View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-eap-ttls-user-pass-cert-tp5507571p5507571.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.