A.L.M.Buxey@lboro.ac.uk writes:
Hi,
I have configured and working wifi with eap-tls authentication. I want to use another root ca, so I did the following steps.
yep - but if you are making new CAs and addign them to clients, you ALSO have to re-configure your FreeRADIUS server to use that new CA. you can see in your logs:
Sat Aug 22 12:05:05 2015 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [selen.kjonca] (from client ni port 2 cli 00-08-22-4F-62-54) Sat Aug 22 12:05:05 2015 : Info: Using Post-Auth-Type REJECT
(and plenty of other 'Unknown CA' messages)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have copied new ca file to CA_path, and done c_rehash. What else should I do? BTW. excerpt from my eap.conf eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = [.....] private_key_file = [....] certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem dh_file = /etc/ssl/dh.pem random_file = /dev/urandom CA_path = ${cadir} check_cert_cn = %{User-Name} cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" [....] -- http://wolnelektury.pl/wesprzyj/teraz/ This fortune intentionally not included.