Alan DeKok escribió:
Sergio wrote:
But the debug I posted shows that radius doesn't recognize the issuer of client cert using default certs. If default certs works and I don't need to install server.pem and ca.pem into ssl/certs dir, what I'm forgetting alan?
You need to follow the documentation in eap.conf.
# If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/server.pem
Have you done that?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've tried several times. First, i need to use CA_file because i'm configuring eap-tls and radiusd won't parse eap.conf. Then I've tried: -cat ca.pem >>server.pem doesn't works (i think it's right if i want to use peap or similar, based on this paragraph of eap documentation) -CA_file = ${cadir}/ca.pem CA_file = ${cadir}/server.pem because you permit a list of trusted ca (although server.pem isn't a ca cert) -cp server.pem root.pem cat ca.pem >>root.pem CA_file = ${cadir}/root.pem works, but i think then I can't manage the crl. Then: a) i'm a little stupid (I don't know any other term) b) i have no idea about english language (many probabilities) c) a) and b) and bad manners (but trying to be a nice boy)