Failure with "TLS authentication" and "Freeradius on Fefora-17"

John Dennis jdennis at redhat.com
Mon Jan 7 19:44:50 CET 2013


On 01/07/2013 12:18 PM, Ajay Garg wrote:
> Thanks Alan, and A.L.M.
>
> I too thought the same looking at the "decrypt failure messages".
>
> As I told in my startup-mail on this thread, the procedure ::
>
>                            su -
>                            cd /etc/raddb/certs
>                            make clean
>                            make client.pem
>
> makes TLS-authentication works perfectly fine for Fedora-14-freeradius,
> but not for Fedora-17-freeradius (and I am talking of the vanilla
> "gnome-way" of connecting, as is evident from the snapshot).

First of all there is no such version as Fedora-XX-freeradius, there is 
however the version of freeradius which happens to be installed. At 
different points in time Fedora releases will have had different 
versions of freeradius available. You can find out which version you 
have installed via either

rpm -q freeradius

or

yum info freeradius

It's a little hard to tell from your series of steps but I suspect 
you're not using a client cert signed by the CA you've configured.

Or the issuing signer (the CA) cert has expired. We deliberately set the 
validity period to a very short value (60 days) on the *temporary* certs 
which get created during the freeradius server install to force you to 
pay attention to the fact these are temporary certs created during 
install to play around with and are not appropriate for deployment (at 
least not without editing the configuration files to set the values to 
your organization).

Thus I would check the following:

1) Is the CA cert still valid?

2) Is the CA cert used to sign the client cert the same one in the CA 
cert bundle the server is using.

You could go back to square one if the above does not help you.

1) Clean all the certs in /etc/raddb/certs by cd'ing to that directory 
and running "make destroycerts"

2) Then run "make client", that should recreate *both* the CA cert 
and the server cert first, then it will create the client cert signed by 
the new CA.

3) restart the server and redeploy the client cert.

> Do certs need to be generated differently in Fedora-17 freeradius?



-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/