Hi List, I've successfully setup the following scenario: - Windows CA (Root-CA and Sub-CA) - Cisco WLAN Controller + APs - Windows 7 Domain Clients (+ Computer Certificates) - EAP-TLS Auth with certificates I created a small script to fetch the CRL from the CA and have it converted to PEM format: -- snip -- #!/bin/bash ID=$$ wget http://ca.host.name/CA.crl -O /tmp/CA.$ID.crl -q if [ $? -eq 0 ] then openssl crl -in /tmp/CA.$ID.crl -inform DER -out /etc/raddb/certs/crl.pem -outform PEM rm /tmp/CA.$ID.crl c_rehash /etc/raddb/certs/ > /dev/null fi -- snip -- c_reheash seems to work since I have the Symlinks in /etc/raddb/certs/. The relevant parameters in eap.conf are set: check_crl = yes CA_path = ${certdir}/ However, as long as check_crl is set to 'yes', the following happens when a client tries to connect: Tue Mar 8 13:09:48 2011 : Info: Found Auth-Type = EAP Tue Mar 8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default Tue Mar 8 13:09:48 2011 : Info: +- entering group authenticate {...} Tue Mar 8 13:09:48 2011 : Info: [eap] Request found, released from the list Tue Mar 8 13:09:48 2011 : Info: [eap] EAP/tls Tue Mar 8 13:09:48 2011 : Info: [eap] processing type tls Tue Mar 8 13:09:48 2011 : Info: [tls] Authenticate Tue Mar 8 13:09:48 2011 : Info: [tls] processing EAP-TLS Tue Mar 8 13:09:48 2011 : Info: [tls] eaptls_verify returned 7 Tue Mar 8 13:09:48 2011 : Info: [tls] Done initial handshake Tue Mar 8 13:09:48 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0a35], Certificate Tue Mar 8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension Tue Mar 8 13:09:48 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown Tue Mar 8 13:09:48 2011 : Error: TLS Alert write:fatal:certificate unknown Tue Mar 8 13:09:48 2011 : Error: TLS_accept: error in SSLv3 read client certificate B Tue Mar 8 13:09:48 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Tue Mar 8 13:09:48 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails. Tue Mar 8 13:09:48 2011 : Debug: TLS receive handshake failed during operation Tue Mar 8 13:09:48 2011 : Info: [tls] eaptls_process returned 4 Tue Mar 8 13:09:48 2011 : Info: [eap] Handler failed in EAP/tls Tue Mar 8 13:09:48 2011 : Info: [eap] Failed in EAP select Tue Mar 8 13:09:48 2011 : Info: ++[eap] returns invalid Tue Mar 8 13:09:48 2011 : Info: Failed to authenticate the user. Tue Mar 8 13:09:48 2011 : Auth: Login incorrect (unhandled critical CRL extension): [host/CLIENT123.domain/<via Auth-Type = EAP>] (from client WLAN-TEST port 1 cli 00-24-d7-8a-53-cc) Tue Mar 8 13:09:48 2011 : Info: Using Post-Auth-Type Reject Tue Mar 8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default Tue Mar 8 13:09:48 2011 : Info: +- entering group REJECT {...} Tue Mar 8 13:09:48 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> host/CLIENT123.domain Tue Mar 8 13:09:48 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Mar 8 13:09:48 2011 : Info: ++[attr_filter.access_reject] returns updated Tue Mar 8 13:09:48 2011 : Info: Delaying reject of request 15 for 1 seconds Tue Mar 8 13:09:48 2011 : Debug: Going to the next request Tue Mar 8 13:09:48 2011 : Debug: Waking up in 0.9 seconds. Tue Mar 8 13:09:49 2011 : Info: Sending delayed reject for request 15 Sending Access-Reject of id 228 to 10.70.11.15 port 32768 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 When I disable CRL checks, everything works fine again. Does anybody have any experience with implementing Windows based CRLs in Freeradius? Radius Version is: radiusd: FreeRADIUS Version 2.1.10, for host i686-suse-linux-gnu, built on Mar 5 2011 at 17:06:42 running on SLES 11 (compiled from source as RPM package) Any kind of advice would be appreciated! -- Mit freundlichen Grüßen/With Kind Regards Rudolph Bott