John, I changed the sequence in step b) of "SERVER-SIDE" as :: su - rm /etc/raddb/modules/dhcp_sqlippool cd /etc/raddb/certs make destroycerts make make client cp client.p12 /home/ajay cp ca.pem /home/ajay chmod 0644 /home/ajay/client.p12 chmod 0644 /home/ajay/ca.pem chown ajay.ajay /home/ajay/client.p12 chown ajay.ajay /home/ajay/ca.pem However, I get the exact same earlier dreaded logs :( On Wed, Jan 9, 2013 at 8:29 AM, John Dennis <jdennis@redhat.com> wrote:
On 01/08/2013 03:53 PM, Ajay Garg wrote:
On Tue, Jan 8, 2013 at 6:45 PM, John Dennis <jdennis@redhat.com <mailto:jdennis@redhat.com>> wrote:
On 01/08/2013 05:10 AM, Ajay Garg wrote:
Could you please specify the order of scripts to be run, so that proper certificates may be generated - both for the server, and the client? :P
You were given the answer. It's not just a matter of running the scripts it also requires knowing what the scripts output and how to configure *both* the client and the server with the script output.
You've never explained what you're doing in any detail, especially with regard to where you're generating the client cert. In a previous email I explained what the server needs and what the client needs. Now you're going to have to put that information to use. You really do have to invest the energy into learning how the pieces fit together.
Ok.. so here goes what I have been wanting to accomplish :P
ROUTER-SIDE :: ===========
a) Configure the router to do WPA/WPA2-Enterprise authentication.
b) The authentication is to be done via a freeradius-server.
c) I connect a wired-cable between the router and the freeradius-server-machine, to have a physical medium via which the router and the server may talk.
SERVER-SIDE :: ===========
a) Freeradius-server is running on Fedora-17 (freeradius-2.2.0-0.fc17.i686)
b) After installing freeradius, the certificates are generated via (on Fedora-17 machine) ::
su - rm /etc/raddb/modules/dhcp_** sqlippool cd /etc/raddb/certs make destroycerts make make client chmod 0644 client.p12 chmod 0644 ca.pem
c) Now, the freeradius is started on the Fedora-17 machine as ::
sudo /usr/sbin/radiusd -X &
Server runs fine.
CLIENT-SIDE :: ===========
a) THE SAME FEDORA-17 MACHINE ACTS AS THE CLIENT TOO :)
b) Now, from the gnome-panel applet, I try connecting to the WPA/WPA-2 Enterprise network, by setting the following settings ::
Wireless Security : WPA/WPA2-Enterprise Authentication : TLS Identity : Anonymous User Certificate : /etc/raddb/certs/client.p12 CA Certificate : /etc/raddb/certs/ca.pem Private Key : /etc/raddb/certs/client.p12 Private Key Password : whatever
c) I click the "Connect" button.....
and then the dreaded logs happen :(
Thank you, that is a much clearer explanation.
The first thing I notice is you're pointing the client to files in a directory owned by the server. Everything from /etc/raddb and below is readable only by root:radiusd for security reasons (you don't want to expose the configuration of an authentication server to the world).
I suspect the code which reads the client cert files is running under your uid and is not a process with root privileges thus it can't read the cert files. I would try copying the client cert files to an alternate location, reset their permissions and try again.
-- John Dennis <jdennis@redhat.com>
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
-- Regards, Ajay