My freeradius version is 2.1.1. When I config eap-tls with crl and one level root certificate,it's work normally. But when the ca is two level, the root ca is for signing the second level CA certificate , and the second level CA is for signing user certificates and crls.It's mean the root ca certificate is self-signed,but the second level ca certificate is not .How can I config ? I got the error message below: [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0477], Certificate --> verify error:num=3:unable to get certificate CRL [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
This means that you haven't imported the bundle onto the client.
# Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. CA_file = ${cadir}/ca.pem
ca.pem should also contain a certificate bundle. Ivan Kalik Kalik Informatika ISP