The EAP Saga begins.

Evan Vittitow evan at terralab.com
Mon Jan 29 02:23:38 CET 2007


>
> To repeat my previous email - xsupplicant does not have a CA cert that
> allows it to trust the server.
>
> The line:
>
> Loaded root certificate /etc/raddb/certs/cert-clt.pem
>
> ...looks wrong. It looks as if you've told xsupp that the CA cert is
> the client cert, which it isn't. They're different things.
>
> In FreeRadius, the "eap.conf" file will have:
>
> eap {
>   tls {
>     certificate_file = /path/to/file.pem
>   }
> }
>
> ...and if you run (against that file):
>
> openssl x509 -noout -text -in /path/to/file.pem  |
>  egrep '(Subject|Issuer):'
>
> ...you'll get something like:
>
> Issuer: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
> Subject: C=US, O=MyOrg, OU=MyCA, CN=wireless.myorg.com
>
> The certificate you supply to the CLIENT as the *CA* must be the
> ISSUER cert - that is, the one with:
>
> Subject: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
>
> I would glance at the xsupp documentation to give more advice but the
> crapforge^Wsourceforge docs links appear to lead in a loop. This is
> one reason amongst many others you should seriously consider using
> wpa_supplicant on the clients.
I have a feeling that I've ruined my CA, and I need to re-create my
FreeRadius CA. Now, I've re-examined how to make a CA repeatedly, and
everything says something different. My CA.pl is located in
/etc/pki/tls/misc

Given this is the case, from scratch, what is the best way to create a
"Fresh" CA for FreeRadius? I've tried multiple documents from Ubuntu to
RedHat (Mandriva doesn't offer any documentation themselves). So, in
the absence of qualified docs, recommendations?
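
The issuer check described in the quoted reply, as an added example that is not part of the original thread: it builds a throwaway CA plus a server and a client certificate, then confirms which file is valid as the supplicant's CA certificate. The file names, the 30-day lifetime and the `server`/`client` host names are assumptions made for the demo; the subject fields follow the sample output quoted above.

```shell
#!/bin/sh
# Constructed demo PKI in a temp dir; nothing here touches /etc/raddb.

make_demo_pki() {
    dir=$1
    # Self-signed root (Subject == Issuer). This is the file clients must trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=MyOrg/OU=MyCA/CN=My Certificate Authority" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server and client certificates, both signed by that root.
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes \
            -subj "/C=US/O=MyOrg/OU=MyCA/CN=$name.myorg.com" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -days 30 \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$name.pem" 2>/dev/null || return 1
    done
}

# is_issuer_of CANDIDATE_CA LEAF
# Succeeds only if CANDIDATE_CA's Subject equals LEAF's Issuer and the
# signature chain verifies with CANDIDATE_CA as the sole trust anchor.
is_issuer_of() {
    ca_subject=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    leaf_issuer=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
    [ "$ca_subject" = "$leaf_issuer" ] || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
is_issuer_of "$demo_dir/ca.pem" "$demo_dir/server.pem" \
    && echo "ca.pem issued server.pem: correct file for the client's CA setting"
is_issuer_of "$demo_dir/client.pem" "$demo_dir/server.pem" \
    || echo "client.pem did not issue server.pem: wrong file for the CA setting"
rm -rf "$demo_dir"
```

Against a real deployment, run `is_issuer_of` with the file the supplicant loads as its root certificate and the file named by `certificate_file` in eap.conf.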


