<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title></title>
<style type="text/css">
<!--
body{margin-left:10px;margin-right:10px;margin-top:10px;margin-bottom:10px;}
-->
</style>
</head>
<body marginleft="10" marginright="10" margintop="10" marginbottom="10">
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Good afternoon John,</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Thank you for all of your assistance with this issue. As it turns out, strace was the way to figure out what was happening.</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">When I ran strace with radiusd -X, I found the following line when it got to the point where it actually went searching for the CA cert.</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "# Executing group from file /usr"..., 71) = 71</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "+- entering group authenticate {"..., 37) = 37</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[eap] Request found, released fr"..., 44) = 44</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[eap] EAP/tls\n", 14)         = 14</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[eap] processing type tls\n", 26) = 26</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[tls] Authenticate\n", 19)    = 19</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[tls] processing EAP-TLS\n", 25) = 25</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[tls] eaptls_verify returned 7 \n", 32) = 32</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[tls] Done initial handshake\n", 29) = 29</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[tls] <<< TLS 1.0 Handshake [len"..., 57) = 57</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">stat("/usr/local/etc/raddb/certs/roots/certs.pem/c092a530.0", 0x7fffdac3eb20) = -1 ENOENT (No such file or directory)</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "--> verify error:num=20:unable t"..., 64) = 64</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[tls] >>> TLS 1.0 Alert [length "..., 58) = 58</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "TLS Alert write:fatal:unknown CA"..., 33) = 33</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "    TLS_accept: error in SSLv3 r"..., 57) = 57</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "rlm_eap: SSL error error:140890B"..., 99) = 99</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "SSL: SSL_read failed in a system"..., 63) = 63</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "TLS receive handshake failed dur"..., 46) = 46</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[tls] eaptls_process returned 4 "..., 33) = 33</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[eap] Handler failed in EAP/tls\n", 32) = 32</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">write(1, "[eap] Failed in EAP select\n", 27) = 27</font></div>
<br />
<br />
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">When I went back and looked at the CA_path line in my eap.conf, I found that I had misconfigured it in the first place to include the bundle name, which obviously is very wrong, but that was me trying different things to make it work. What I also recognized right away was the hash value of the .0 file from when I found how to have OpenSSL accept the cert when doing -verify on it. As soon as I saw the hash value that it was looking for, I created the symbolic link to the certificate in my roots folder and tried again with great success. My FR server now authenticates user certificates from both my production server, aka new root, as well as its own user certs.</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Again, thank you for all your assistance in getting this to work.  Hopefully when the real migration time comes down the line, implementation will go quickly and smoothly.</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Regards,</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Mitch</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Mitch Yackobeck, MCSE, MCSA, MCP, CCNA, CompTia Network+</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Network Systems Administrator</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Renfrew County District School Board</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">1270 Pembroke Street West</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Pembroke, ON K8A 4G4</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Phone: (613) 735-0151 Ext. 2278</font></div>
<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">e-mail: <a href="mailto:yackobeckm@renfrew.edu.on.ca">yackobeckm@renfrew.edu.on.ca</a></font></div>
<br/>
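<div align="left" style="text-align:left;"><font face="Arial" size="+1" color="#000000" style="font-family:Arial;font-size:14pt;color:#000000;">Added example, not part of the original message and not FreeRADIUS or OpenSSL code: a small parser that pulls the hashed CA-directory lookups out of strace output like the trace above and classifies each one. The function names, the certificate-suffix heuristic and the last sample line (a successful lookup after the fix) are assumptions made for illustration.</font></div>

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the failing stat() line is copied from the message
# above; the last line is an invented "after the fix" lookup for comparison.
SAMPLE = r'''
write(1, "[tls] processing EAP-TLS\n", 25) = 25
stat("/usr/local/etc/raddb/certs/roots/certs.pem/c092a530.0", 0x7fffdac3eb20) = -1 ENOENT (No such file or directory)
write(1, "--> verify error:num=20:unable t"..., 64) = 64
stat("/usr/local/etc/raddb/certs/roots/c092a530.0", {st_mode=S_IFREG|0644, st_size=1310, ...}) = 0
'''

# A hashed CA directory holds files named [8 hex digits].[n]; match the
# syscalls that probe for one, with an optional strace "[pid N]" prefix.
LOOKUP = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?:l?stat(?:64)?|newfstatat|open(?:at)?)\('
    r'(?:AT_FDCWD,\s*)?"([^"]*/)([0-9a-f]{8}\.\d+)"[^\n]*?\)\s*=\s*(-?\d+)'
    r'(?:\s+(E[A-Z]+))?', re.MULTILINE)

# Assumption: a CA directory whose name ends like a certificate file is
# really a bundle file name that was put into CA_path by mistake.
CERT_SUFFIXES = {".pem", ".crt", ".cer"}

def hashed_lookups(strace_text):
    """Return one dict per hashed-directory lookup found in strace output."""
    found = []
    for m in LOOKUP.finditer(strace_text):
        directory, name, ret, err = m.groups()
        found.append({"dir": directory.rstrip("/"), "name": name,
                      "ok": not ret.startswith("-"), "errno": err})
    return found

def diagnose(lookup):
    """Classify a lookup as found, ca-path-names-file or missing-hash-link."""
    if lookup["ok"]:
        return "found"
    suffix = PurePosixPath(lookup["dir"]).suffix.lower()
    if lookup["errno"] == "ENOTDIR" or suffix in CERT_SUFFIXES:
        return "ca-path-names-file"   # point CA_path at the directory instead
    return "missing-hash-link"        # link the CA cert as dir/name

def report(strace_text):
    """One summary line per lookup, in the order strace recorded them."""
    return ["%s: %s/%s" % (diagnose(lk), lk["dir"], lk["name"])
            for lk in hashed_lookups(strace_text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```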
</body>
</html>