Hello, I have a problem with the certificate I use for my eap-peap. It seems that the certificate is not recognized. What I know: 1) the chain is complete : radius:/etc/freeradius/certs# c_rehash certificatAP/ ... radius:/etc/freeradius/certs# openssl verify -CApath certificatAP/ certificatAP/certificat20sept2014.pem certificatAP/certificat20sept2014.pem: OK 2) it is a problem of certificate: windows accept to connect if I ask him to not vaidate the certificate server. With other os than windows, I have more details. OSX is claiming that my certificate is not verified. It is not OS related. 3) The root certificate is accepted in both OS. What the point ? Should I have all the intermediate certificate in the store of my clients ? Is it a way to present the whole chain to the client, the same way it can be done by http servers ? Regards, -- Thierry CHICH
Concatenate your root and intermediates and use those. Beware of using a cert dir and the CA path as if done incorrectly then someone could authenticate just by having a cert signed with the same root CA as your RADIUS server alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Le mercredi 6 novembre 2013 21:59:26 Alan Buxey a écrit :
Concatenate your root and intermediates and use those. Beware of using a cert dir and the CA path as if done incorrectly then someone could authenticate just by having a cert signed with the same root CA as your RADIUS server
alan
Thank you for your answer, but it doesn't work. I don't see where you can declarate this certificate. There is field CAfile, but it is related to the authentication of the client (EAP-TLS). Furthermore, if I use this field with all the certificates concatenated, freeradius complains it is not readable. My question is: is it a way to deal with a chain other than load the full chain in the client ? -- Thierry CHICH Responsable réseaux académiques Equipe Réseaux/Pôle National de Compétence en Réseaux Rectorat de Clermont-Ferrand - Centre Informatique Académique Tel: 04.73.99.30.54
Hi,
My question is: is it a way to deal with a chain other than load the full chain in the client ?
Yes. Append the intermediates after the *server* cert in the server cert's file. That way, the intermediates get sent along during the EAP conversation. The root CA must of course be pre-provisioned onto the client. There is no point in sending it. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
Thank you for your answer, but it doesn't work. I don't see where you can declarate this certificate. There is field CAfile, but it is related to the authentication of the client (EAP-TLS). Furthermore, if I use this field with all the certificates concatenated, freeradius complains it is not readable.
well, ensure that FreeRADIUS can READ that file (chmod/file permissions) and ensure it contains only valid data. ensure that certificate_file contains the server cert, the intermediates and the root CA (in a format that can be read - eg PEM/CRT) and DONT use CA_file if the client doesnt know/trust the root CA then it SHOULD complain. use a deployment tool to get the root CA onto the client..ensure your client has correct security settings (trust the CA, check the commonname of the RADIUS certificate) alan
Hello, Thank you for the answers. I have concatenate the ssl certificate with the intermediate certificates, dos2unix the result, and add some CR. At this point, windows accepts my certificate, but complains that it is not an "anchor" and that My server doesn't support "NPS bla blah blah". I don't see what is the meaning of this. With OSX, I must accept manually my certficate. It doesn't make sense for me, because all the chain is now valid (since the root CA is in the store. Thank you anyway. It is a lot better. -- Thierry CHICH Responsable réseaux académiques Equipe Réseaux/Pôle National de Compétence en Réseaux Rectorat de Clermont-Ferrand - Centre Informatique Académique Tel: 04.73.99.30.54
Hi,
Thank you for the answers. I have concatenate the ssl certificate with the intermediate certificates, dos2unix the result, and add some CR. At this point, windows accepts my certificate, but complains that it is not an "anchor" and that My server doesn't support "NPS bla blah blah". I don't see what is the meaning of this.
With OSX, I must accept manually my certficate. It doesn't make sense for me, because all the chain is now valid (since the root CA is in the store.
Thank you anyway. It is a lot better.
It's not good until it works :-) Some OSes are more picky than others when it comes to accepting certificates. There are many more parameters than "the chain is okay". I don*t know if you are working in an eduroam context or not, but our EAP server cert recommendation pages might help in any case. See here: https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-sit... And the "is not an NPS server" nonsense is unrelated to the certs, IIRC. Don't recall which option to set/unset in the client from the top of my head though, sorry. Greetings, Stefan Winter
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Stefan Winter -
Thierry Chich