a question about settings for EAP-TLS authentication

Yan Cai ycai at tennis.ecs.umass.edu
Mon Aug 7 17:49:22 CEST 2006

Hi, All,


I am a graduate student in University of Massachusetts Amherst. Now I am
trying to set up a wireless environment with FreeRadius to realize secured
access with EAP-TLS.

I've generated the necessary CA files by openssl and done all necessary
settings in FreeRadius. For more detailed operations and settings, please
refer to the list below.


Operations and Settings on openssl and freeradius,

1, installed openssl-0.9.7-stable-SNAP-20060731, which is downloaded from

2, completed the necessary settings in openssl, which is locaed in

3, installed freeradius-1.1.0, which is download from www.freeradius.org.

4, modified some settings in CA.all, which is located in
/usr/src/802/radius/freeradius-1.1.0/scripts, and run it to generated the CA
certificates for server, client as well as root.

5, added a NAS entry in clients.conf.

6, added a user entry in users.

7, started the radius server with the command "./radiusd -X" normally.

8, with default settings in radius.conf, star freeradius successfully, and
it can accept the authentication-request from Windows XP client and return
the authentication-accept message. This authentication request should belong
to EAP-MD5, and the radius server could respond it correctly by

---- the operations below are for realization of EAP-TLS ----

9, copied the newly generated certificates files to the place so that the
freeradius could find them. In my case, I moved them to
/usr/local/radius/etc/raddb/certs as well as its subfolder /demoCA.

10, added a new user entry in users, which includes only the username
attribute because it is said that EAP-TLS would automatically identify its
password and other attributes from somewhere.

11, modified the default auth type to 'tls' in eap.conf.

12, uncommented all scripts related to EAP-TLS authentication in eap.conf,
including modification of path to the certificate files in
/usr/local/radius/etc/raddb/certs as well as ./demoCA.

13, tried to start the radius server with the command "./radiusd -X", but
the error message below was returned always.

**** log from terminal of linux where freeradius is running ****

rlm_eap: Loaded and initialized type gtc

 tls: rsa_key_exchange = no

 tls: dh_key_exchange = yes

 tls: rsa_key_length = 512

 tls: dh_key_length = 512

 tls: verify_depth = 0

 tls: CA_path = "(null)"

 tls: pem_file_type = yes

 tls: private_key_file = "/usr/local/radius/etc/raddb/certs/cert-srv.pem"

 tls: certificate_file = "/usr/local/radius/etc/raddb/certs/cert-srv.pem"

 tls: CA_file = "/usr/local/radius/etc/raddb/certs/demoCA/cacert.pem"

 tls: private_key_password = "whatever"

 tls: dh_file = "/usr/local/radius/etc/raddb/certs/dh"

 tls: random_file = "/usr/local/radius/etc/raddb/certs/random"

 tls: fragment_size = 1024

 tls: include_length = yes

 tls: check_crl = no

 tls: check_cert_cn = "%{User-Name}"

rlm_eap_tls: Loading the certificate file as a chain

Segmentation fault

**** the end of log ****


Now I worried that there is something wrong in the cert-srv.pem. I will
appreciate all of you so much if anyone can help me take a look at these
certificate files.

I attached all of configuration files in the freeradius folder. Please refer
to them if needed. Looking forward to your reply. Thanks a lot,


Best wishes,



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060807/46eaec15/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.zip
Type: application/octet-stream
Size: 53896 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060807/46eaec15/attachment.obj>

More information about the Freeradius-Users mailing list