On 4 Dec 2015, at 17:24, Dennis Xu <dxu@uoguelph.ca> wrote:
I have listed all root and intermediate CAs in the eap file:
You're using confusing terminology. 'client side' certificate validation refers to the client validating the server certificate, not validating the client's certificate. I honestly have no idea what you mean, please clarify your requirements using the correct terminology.
certificate_file = ${certdir}/ThawteCert.cer
# Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # ca_file = ${cadir}/SSL_PrimaryCA.pem ca_file = ${cadir}/SSL_SecondaryCA.pem ca_file = ${cadir}/thawte_Premium_Server_CA.pem
The server certificate and its configuration should be ok, otherwise the user authentication would fail as well.
Well that's wrong, the certificates must be concatenated into a single file. Nice syntax you've invented there, it's certainly not supported or one that works. -- Alan D any issues with throwing a validation error unless a CONF_PAIR is marked up with PW_TYPE_MULTI?
If the server is trying to valid client certificate, it will fail for sure as there is no certificate on clients and I don't think that is required for PEAP.
It's not, and the server doesn't explicitly request a client certificate for PEAP. That only happens for EAP-TLS. If the supplicant is presenting a certificate it's probably some snake oil cert that Microsoft auto generates, or something provided via AD. I'm fairly certain the OpenSSL API doesn't include an option to ignore client certificates if they're presented. It assumes no TLS peer would be so broken as to present a certificate it didn't want to use as part of authenticating itself. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2