virtual server configuration
Pardon the non-threaded replies. I'll have to find a client that works with the list.
I'm still having trouble with the eap_gtc section, because when I remove TLS or empty it or try to return reject, the server won't start. Is removing the section the right way to not support an eap type on one virtual server?
Yes. Could you post the error?
I should have done that. When TLS is empty (i.e. TLS {}): rlm_eap: SSL error error:0200100E:system library:fopen:Bad address rlm_eap_tls: Error reading certificate file (null) rlm_eap: Failed to initialize type tls When TLS is removed: rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required first. Or, if TTLS is also removed: rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first. This makes sense, as I'll need my server cert for PEAP. If those certs have to be defined in the TLS block, what is the right way to disable TLS in this case, but still have PEAP working? I tried deleting the CA_file, so I wouldn't be able to verify user certs, but it's required. Anyway, I don't want to offer TLS and fail it, I want to NAK it on server2. -- usawebbox@fastmail.fm -- http://www.fastmail.fm - Does exactly what it says on the tin
usawebbox@fastmail.fm wrote:
When TLS is empty (i.e. TLS {}):
Huh? Why would you leave it empty? If you're not going to use TLS, delete the whole section. It's just like any other module.
When TLS is removed:
rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required first.
If you're not going to use TTLS, delete that section, too.
Or, if TTLS is also removed:
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
This makes sense, as I'll need my server cert for PEAP. If those certs have to be defined in the TLS block, what is the right way to disable TLS in this case, but still have PEAP working?
Don't issue client certificates. EAP-TLS won't work.
I tried deleting the CA_file, so I wouldn't be able to verify user certs, but it's required. Anyway, I don't want to offer TLS and fail it, I want to NAK it on server2.
This is explained in the comments in eap.conf, above the "ttls" and "peap" sections. Alan DeKok.
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
This makes sense, as I'll need my server cert for PEAP. If those certs have to be defined in the TLS block, what is the right way to disable TLS in this case, but still have PEAP working?
Don't issue client certificates. EAP-TLS won't work.
Alrighty then.
I tried deleting the CA_file, so I wouldn't be able to verify user certs, but it's required. Anyway, I don't want to offer TLS and fail it, I want to NAK it on server2.
This is explained in the comments in eap.conf, above the "ttls" and "peap" sections.
Alan DeKok.
I did read that, but I was trying to reject TLS. It also says, "If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration item", referring to CA_file. I just want to point out that it appears you can't actually delete that, although it would have been an intuitive way to deny EAP-TLS. Hopefully, that was the original intent. -- usawebbox@fastmail.fm -- http://www.fastmail.fm - And now for something completely different
usawebbox@fastmail.fm wrote:
I did read that, but I was trying to reject TLS. It also says, "If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration item", referring to CA_file. I just want to point out that it appears you can't actually delete that, although it would have been an intuitive way to deny EAP-TLS. Hopefully, that was the original intent.
It also says: # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. Please read ALL of the comments in a module you are configuring. Selectively reading them means that you miss vital information. Alan DeKok.
It also says: # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate.
Please read ALL of the comments in a module you are configuring. Selectively reading them means that you miss vital information.
Alan DeKok.
Except that my server cert does contain a CA cert. I'm not 100% sure it's sufficient, because it was issued from an intermediate CA (it needs to be the signer(s) not the issuer, right?), so I went to another CA got a webserver cert in pem format directly from the root. Downloaded the root CA cert in pem format and appended them.... same error: Error reading Trusted root CA list (null) Do we know this mode is working (No CA_File, but certificate file with server cert + ca cert)? In any case, I'd be willing to experiment more. -- usawebbox@fastmail.fm -- http://www.fastmail.fm - Email service worth paying for. Try it for free
participants (2)
-
Alan DeKok -
usawebbox@fastmail.fm