Hello, On 18.04.18 17:03, Nick Howitt wrote:
[root@7 certs]# rpm -q openssl openssl-1.0.2k-8.el7.x86_64
I don't have wpa_supplicant installed on the system so no wpa_supplicant.conf. In order to get eapol_test I pulled down the latest 2.6 sources and ran make following the instructions at http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/. I was under the impression that eapol_test was not compiled in the distro, but I've just been checking and I think I have been incorrectly informed. I'll install wpa_supplicant and test again.
FWIW it is not eapol_test which is giving the certificate error but "radiusd -X".
BTW you only got the key because it is in the pem file so I was not sure if you wanted the whole file or just the certificate part
Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "radiusd -X" still errors with the Centos wpa_supplicant-2.6-5.el7_4.1.x86_64 installed with a default wpa_supplicant.conf: ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel
Now that's something to investigate. AFAIK, FreeRADIUS sends the certificate it has in config to the client. It doesn't check anything special (beyond well-formedness of the PEM file). The error you are seeing in freeradius -X is most likely because FreeRADIUS /receives/ this error message from the /client/. If it were a genuine error inside FreeRADIUS, things wouldn't work for Windows clients. So you should probably take a very close look at eapol_test's debug output. If it is the one rejecting the incoming TLS server cert, then it will print out something. If you're unlucky, it will just print the same error message it is afterwards also sending to the server, but with a bit of luck there is a bit more detail on its side. You aren't by any chance doing this work for an eduroam participant? If so, our compliance check tools could be unleashed on the IdP FreeRADIUS; I'd only need to know the realm then. Also, eapol_test is part of the wpa_supplicant suite (but indeed not compiled by all distros). So your self-compiled version was just as good as the distro-supplied you now have. And the wpa_supplicant.conf is also being considered when using eapol_test. I'm surprised you get an EAP conversation going with a config file that has only two lines? You are relying on plentiful of defaults there. You would usually need to configure at least a username to use for the login attempt? Where do you supply that? Greetings, Stefan Winter Greetings, Stefan Winter