I'm using FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008 at 15:20:55 I got back to testing allowing only PEAP-GTC on one virtual server. I used the included self-signed certs this time, but as I suspected, the results were the same whenever I comment out CA_file: Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.key" certificate_file = "/etc/raddb/certs/server-ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) rlm_eap_tls: Error reading Trusted root CA list (null) rlm_eap: Failed to initialize type tls I think we might be trying the wrong thing. Although the comments together say: # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/wifiserver.pem # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. #CA_file = ${cadir}/wifiserver.pem The first comment might be giving you just another place to provide your CA cert, whereas the second comment clearly talks about not permiting EAP-TLS. I say this, because I don't see why the CA would be required at all if EAP-TLS will be denied. All you need is a server cert and private key. In PEAP, the client is the one who needs the CA cert, if he wants to verify the server cert, but even that is optional. Anyway, can we say now that not providing a CA_file doesn't work? If there's something else I should test, just mention it. Thanks. On Thu, 13 Mar 2008 11:58:48 +0100, "Alan DeKok" <aland@deployingradius.com> said:
usawebbox@fastmail.fm wrote:
Except that my server cert does contain a CA cert. I'm not 100% sure it's sufficient, because it was issued from an intermediate CA (it needs to be the signer(s) not the issuer, right?), so I went to another CA got a webserver cert in pem format directly from the root. Downloaded the root CA cert in pem format and appended them.... same error:
You generally want to use self-signed certs for 802.1x. See raddb/certs/README
Do we know this mode is working (No CA_File, but certificate file with server cert + ca cert)? In any case, I'd be willing to experiment more.
It should work in 2.0.2.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --
usawebbox@fastmail.fm -- http://www.fastmail.fm - I mean, what is it about a decent email service?