Windows 7 clients
Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that? FR v2.1.10 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
Is this the "INTERMEDIATE CA" that GeoTrust sent along with the server cert? On 3/15/12 8:25 AM, "Scott McLane Gardner" <sgardne@uark.edu> wrote:
Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
FR v2.1.10
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
Okay, it is the INTERMEDIATE CA. Sorry for the noise. On 3/15/12 8:26 AM, "Scott McLane Gardner" <sgardne@uark.edu> wrote:
Is this the "INTERMEDIATE CA" that GeoTrust sent along with the server cert?
On 3/15/12 8:25 AM, "Scott McLane Gardner" <sgardne@uark.edu> wrote:
Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
FR v2.1.10
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
Hi,
Is this the "INTERMEDIATE CA" that GeoTrust sent along with the server cert?
the server needs to be configured so that the certificate file entry points to a file that contains your server cert, any intermediaries and the root all in one file, in the right order concatenated after each other. the client is then fed that cert chain... if it has the root CA installed it should be happy - though some clients still complain. alan
On Thu, Mar 15, 2012 at 01:51:19PM +0000, Alan Buxey wrote:
Is this the "INTERMEDIATE CA" that GeoTrust sent along with the server cert?
is then fed that cert chain... if it has the root CA installed it should be happy - though some clients still complain.
When I (briefly) tested Windows 7 the other week, it needed the root and intermediate certificates installed. Windows didn't seem to want to accept the intermediate that was sent from the server, no matter what order the certs were. After installing the intermediate on the client, all was well. However, it was only a quick test, and I was actually doing something else, so it might not be correct. It just niggled me enough at the time to dig a bit deeper, and I put it down to the standard case of Windows being stupid, and moved on. I'd like to be proven incorrect. Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hello Everybody: I just figure out how to solve the problem of NAS has a dynamic IP address(single client entry 0.0.0.0). But how about the radius Server is also behind a NAT which will get a Dynamic IP address?(Server and NAS communicate with each other through Internet)! How could I set the NAS's radius server IP adress option? The NAS i use is Compex WP543 and Netgear WG103, i dont think i could use a hostname or domain name to instead the IP address. Please advice me, thank you very much. Joey
ZhenJoey wrote:
But how about the radius Server is also behind a NAT which will get a Dynamic IP address?(Server and NAS communicate with each other through Internet)!
That is a horrible way to run a RADIUS server.
How could I set the NAS's radius server IP adress option?
You don't. It's a bad idea.
The NAS i use is Compex WP543 and Netgear WG103, i dont think i could use a hostname or domain name to instead the IP address. Please advice me, thank you very much.
The only possible advice is "don't do it" Alan DeKok.
Hello Alan: I dont understand. So the radius server could only work in a LAN? except use proxy radius? Joey
Date: Thu, 15 Mar 2012 15:53:00 -0400 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: freeRadius Server with Dynamic IP address.
ZhenJoey wrote:
But how about the radius Server is also behind a NAT which will get a Dynamic IP address?(Server and NAS communicate with each other through Internet)!
That is a horrible way to run a RADIUS server.
How could I set the NAS's radius server IP adress option?
You don't. It's a bad idea.
The NAS i use is Compex WP543 and Netgear WG103, i dont think i could use a hostname or domain name to instead the IP address. Please advice me, thank you very much.
The only possible advice is "don't do it"
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2012/3/16 ZhenJoey <snan4love@hotmail.com>:
Hello Alan: I dont understand. So the radius server could only work in a LAN? except use proxy radius?
No. On most setups, radius server needs a static IP address, accessible by the client (NAS). There are ways around that (e.g. using VPN), but the short answer to your original question is "no, what you want to do is a bad idea". -- Fajar
Scott McLane Gardner wrote:
Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
You need to put the root CA into the "certs" directory, so that FreeRADIUS knows it's allowed to issue client certs. Alan DeKok.
Hi,
GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
FR v2.1.10
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A
this error is usually when the client is misconfigured in their trust settings why wouldnt your ca.pen file be trusted? does it not contain the whole cert chain (in the right order?) alan
participants (6)
-
Alan Buxey -
Alan DeKok -
Fajar A. Nugraha -
Matthew Newton -
Scott McLane Gardner -
ZhenJoey