Multiple SSL CA Files
Freeradius List, I have Freeradius 1.1.3 running on a Fedora Core 6 box, and it works great in the current setup. My question has to do with a configuration change that I'm having trouble implementing. Right now, I have an in-house CA Cert that was generated for our servers that sit behind a firewall. The Radius server connects to our LDAP box via a hole in the firewall over an SSL connection that was generated with our internal CA Cert. I would like to have two SSL certs on the Radius box: one, for the internal connections to our servers, and two, an SSL cert that one can verify as a trusted Root Authority for the TTLS connections. This is causing an issue right now on the server. I have the following LDAP fields in radiusd.conf: tls_cacertfile = /etc/lfncerts/cacert.pem tls_certfile = /etc/lfncerts/ldap2_public_cert.pem tls_keyfile = /etc/lfncerts/ldap2_private_key.pem I have the following fields in the eap.conf: private_key_file = /etc/lfnnewcerts/radius.lawrencefreenet.org.key certificate_file = /etc/lfnnewcerts/radius.lawrencefreenet.org.crt CA_file = /etc/lfnnewcerts/rapidssl_01.cer Here's the output in the logs: Feb 14 12:47:26 radius kernel: audit(1171478846.538:8): avc: denied { read } for pid=10837 comm="radiusd" name="radius.lawrencefreenet.org.crt" dev=dm-0 ino=1310741 scontext=root:system_r:radiusd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file As you can see, the CA_files are different, since they are signed by different certificate authorities. I have tried this configuration and 777'ed each of the files to no avail. Is the configuration I'm trying to implement possible? Any help that you can offer would be greatly appreciated! Thanks for your time! -Mike
Michael Courtney wrote:
I would like to have two SSL certs on the Radius box: one, for the internal connections to our servers, and two, an SSL cert that one can verify as a trusted Root Authority for the TTLS connections.
This is causing an issue right now on the server.
No, many people are doing what you want to do. It isn't a problem.
Here's the output in the logs:
Feb 14 12:47:26 radius kernel: audit(1171478846.538:8): avc: denied { read } for pid=10837 comm="radiusd" name="radius.lawrencefreenet.org.crt" dev=dm-0 ino=1310741 scontext=root:system_r:radiusd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
You're running SELinux, and you've configured it so that radiusd doesn't have permission to read the certificate file. Fix that.
As you can see, the CA_files are different, since they are signed by different certificate authorities. I have tried this configuration and 777'ed each of the files to no avail.
The "avc: denied { read }" says it's not a permissions issue. Look that text up on Google, and you'll see more.
Is the configuration I'm trying to implement possible? Any help that you can offer would be greatly appreciated!
There's nothing in FreeRADIUS or SSL that is preventing the configuration from working. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Michael Courtney