Hi all, I would like to use FreeRadius to do 802.1x EAP-PEAP for wireless users. I have everything configured and working when I disabled "validate server Certificate" on windows. I have a wildcard certificate purchased from godaddy.com. I had a problem when using it with apache as I had to add the intermediate chain in the config but can't find a place to do that in FreeRaius. So currently I have 3 files. Private Key Certificate Intermediate Chain When Auth fails because of validation then I get this in Freeradius debug [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 Is there something that I can do to get this to work? Regards, Ryan
On 14/09/12 14:46, Tyller D wrote:
Hi all,
I would like to use FreeRadius to do 802.1x EAP-PEAP for wireless users.
I have everything configured and working when I disabled "validate server Certificate" on windows. I have a wildcard certificate purchased from godaddy.com <http://godaddy.com>.
I had a problem when using it with apache as I had to add the intermediate chain in the config but can't find a place to do that in FreeRaius.
Put the cert and the intermediate in the same file and use that as your "certificate_file". FreeRADIUS will pass it to OpenSSL, which will figure it out.
Tyller D wrote:
I have everything configured and working when I disabled "validate server Certificate" on windows. I have a wildcard certificate purchased from godaddy.com.
I'm not sure that will work.
I had a problem when using it with apache as I had to add the intermediate chain in the config but can't find a place to do that in FreeRaius.
You should have the CA cert, and all of the certs leading to the server certificate.
When Auth fails because of validation then I get this in Freeradius debug
So... did you read eap.conf, and configure the certificates as documented there?
Is there something that I can do to get this to work?
Read the documentation? Alan DeKok.
On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok <aland@deployingradius.com>wrote:
Tyller D wrote:
I have everything configured and working when I disabled "validate server Certificate" on windows. I have a wildcard certificate purchased from godaddy.com.
I'm not sure that will work.
Is there a reason for that? Godaddy is in the list of servers to validate against?
I had a problem when using it with apache as I had to add the intermediate chain in the config but can't find a place to do that in FreeRaius.
You should have the CA cert, and all of the certs leading to the server certificate.
Correct, I do. But which one do add as "certificate_file" in eap.conf?
When Auth fails because of validation then I get this in Freeradius debug
So... did you read eap.conf, and configure the certificates as documented there?
Are you referring to this? - Windows requires the root certificates to be on the client PC. If it doesn't have them, you will see the same issue as above. I'm just guessing but it seems like that would be the cause.
Is there something that I can do to get this to work?
Read the documentation?
My question is, all the certificates leading to the server certifcate - where do I add them?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 14/09/12 15:38, Tyller D wrote:
On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.com>> wrote:
Tyller D wrote: > I have everything configured and working when I disabled "validate > server Certificate" on windows. > I have a wildcard certificate purchased from godaddy.com <http://godaddy.com>.
I'm not sure that will work.
Is there a reason for that? Godaddy is in the list of servers to validate against?
The wildcard might cause difficulty. On the other hand, Windows might pay the wildcard no attention.
My question is, all the certificates leading to the server certifcate - where do I add them?
In the same file. This is documented in the default eap.conf: # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/server.pem That is, you put the sever, intermediate and (optionally) root cert into ${certdir}/server.pem
You have three possible issues. 1). You need to chain all of the certs into one file. 2). MS requires that the cert have a "special purpose". This is documented and needs to be included in the CSR. BS, but that's MS for you. 3). MS might not like wild cards. Not sure about this but it may be an issue. Easy enough to test. If 1 and 2 don't work, try with a non-wildcard cert +1 and 2. Post your results so we can all learn from it. Carl Peterson On Sep 14, 2012, at 10:44 AM, Tyller D <tyllerd@gmail.com> wrote: On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok <aland@deployingradius.com>wrote:
Tyller D wrote:
I have everything configured and working when I disabled "validate server Certificate" on windows. I have a wildcard certificate purchased from godaddy.com.
I'm not sure that will work.
Is there a reason for that? Godaddy is in the list of servers to validate against?
I had a problem when using it with apache as I had to add the intermediate chain in the config but can't find a place to do that in FreeRaius.
You should have the CA cert, and all of the certs leading to the server certificate.
Correct, I do. But which one do add as "certificate_file" in eap.conf?
When Auth fails because of validation then I get this in Freeradius debug
So... did you read eap.conf, and configure the certificates as documented there?
Are you referring to this? - Windows requires the root certificates to be on the client PC. If it doesn't have them, you will see the same issue as above. I'm just guessing but it seems like that would be the cause.
Is there something that I can do to get this to work?
Read the documentation?
My question is, all the certificates leading to the server certifcate - where do I add them?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Carl Peterson -
Phil Mayers -
Tyller D