Jeffrey Sewell wrote:
Thank you for your reply.
We are (with the exception of some prototype tests) going to be completely EAP-TLS.
Your answer brings me back to my original issue--the CA_path does not exist in the eap.conf file. If I add it, it doesn't seem to work (on 1.1.4).
Hm, here it does work. Have you run c_rehash in that directory? Are the files and the directory readable by the radiusd process? Did you choose to run radiusd under some other user than root?
Just adding additional certs to the CA_file seems to work, but I'd prefer to have proper signed (c_reshash) sym-links.
??? This is not a signature, its some very short fingerprint of the SubjectDN of the CA cert. Have you set verify_depth = 0 for a start? You should set it probably to the lowest positive integer (except 0) that your CA hierachie setup and your client certs are working with. Have you set check_crl = no to test if the CA certificate setup is working. Later on you should set it to yes for obvious reasons and get uptodate CRLs. -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 14. DFN-CERT Workshop und Tutorien, CCH Hamburg, 7.-8. Februar 2007 Infos/Anmeldung unter: https://www.dfn-cert.de/events/ws/2007/