inner EAP certificate
Hi, I was wondering why the bootstrap script and the Makefile do not include the generation of the inner-server.pem certificate. It's optional of course, but I believe it is recommended to generate one. It's quite easy to do it manually. I just edited the Makefile, created an inner-server.cnf file, and ran "make inner-server.pem". I'd just like to know if it wouldn't be too much of a hassle to include it in the next release (for convenience). Thanks, Vieri
For the purpose of? The inner-server is handling the 2nd stage after the outer server (default) has dealt with the EAP tunnel creation (via the eap module). This deals with almost all vanilla requirements. alan On 8 Dec 2017 1:14 pm, "Vieri via Freeradius-Users" < freeradius-users@lists.freeradius.org> wrote:
Hi,
I was wondering why the bootstrap script and the Makefile do not include the generation of the inner-server.pem certificate. It's optional of course, but I believe it is recommended to generate one. It's quite easy to do it manually. I just edited the Makefile, created an inner-server.cnf file, and ran "make inner-server.pem".
I'd just like to know if it wouldn't be too much of a hassle to include it in the next release (for convenience).
Thanks,
Vieri - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Dec 8, 2017, at 7:14 AM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I was wondering why the bootstrap script and the Makefile do not include the generation of the inner-server.pem certificate. It's optional of course, but I believe it is recommended to generate one.
Sure.
It's quite easy to do it manually. I just edited the Makefile, created an inner-server.cnf file, and ran "make inner-server.pem".
I'd just like to know if it wouldn't be too much of a hassle to include it in the next release (for convenience).
I'll take a look. Alan DeKok.
I'd like to suggest a small change. I find it convenient to use the Makefile in the certs subdir despite having a PKI infrastructure. I would prefer to copy over my CA files from my PKI, and then only run the following commands: # make index.txt # make serial # make server.pem # make inner-server.pem # make client.pem I've attached my Makefile's diff. Thanks, Vieri
On Fri, 2017-12-08 at 12:14 +0000, Vieri via Freeradius-Users wrote:
I was wondering why the bootstrap script and the Makefile do not include the generation of the inner-server.pem certificate. It's optional of course, but I believe it is recommended to generate one.
Certificate/key generation can be slow, and it's not needed in most circumstances. So personally I'd leave it as-is and just check that the docs make it clear what the admin needs to run, should they need it. -- Matthew
________________________________ From: Matthew Newton <mcn@freeradius.org>
Certificate/key generation can be slow, and it's not needed in most circumstances. So personally I'd leave it as-is and just check that the docs make it clear what the admin needs to run, should they need it.
OK, so it could be left out of the bootstrap script, but included in the Makefile, as well as documented in README.
hi people, i doing my server number 50 with freeradius, always fails. in this case, i have configurate ntlm but when configure mschap i have error: Exec output: Reading winbind reply failed! (0xc0000001) Exec plaintext: Reading winbind reply failed! (0xc0000001) searching a solution, search the group but dont exist, i have the group freerad. i make chown to the folder winbindd_privileged and add the group freerad but nothing happend. what can i do? Regards
You can add the user your server runs as to the wbpriv group. Otherwise change the winbind_privileged folder to be readable by the user/group that freeradius runs as (which will get reset each time you patch samba). Anyway, run latest 3.0.x release and use winbind natively instead! 2017 is the year when ntlm_auth for freeradius becomes history! :) alan On 11 Dec 2017 5:35 pm, "Carlos Bordon" <cgermanb@live.com.ar> wrote:
hi people, i doing my server number 50 with freeradius, always fails.
in this case, i have configurate ntlm but when configure mschap i have error:
Exec output: Reading winbind reply failed! (0xc0000001) Exec plaintext: Reading winbind reply failed! (0xc0000001)
searching a solution, search the group but dont exist, i have the group freerad.
i make chown to the folder winbindd_privileged and add the group freerad but nothing happend.
what can i do?
Regards - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
________________________________ From: Alan DeKok <aland@deployingradius.com>
OK, so it could be left out of the bootstrap script, but included in the Makefile, as well as documented in README.
I've pushed some patches.
Great. Maybe the README and/or Makefile could inform/allow the user how to use his/her own CA certs (ca.{pem,der,key}). eg. one could copy the CA certs (probably self-generated elsewhere) into /etc/raddb/certs and then run the Makefile commands to produce only the server, inner-server, client and ocsp certs. Vieri
On Dec 12, 2017, at 1:37 PM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Great. Maybe the README and/or Makefile could inform/allow the user how to use his/her own CA certs (ca.{pem,der,key}). eg. one could copy the CA certs (probably self-generated elsewhere) into /etc/raddb/certs and then run the Makefile commands to produce only the server, inner-server, client and ocsp certs.
That's been done. I've pushed a fix. Alan DeKok.
participants (5)
-
Alan Buxey -
Alan DeKok -
Carlos Bordon -
Matthew Newton -
Vieri