multiple server certificates in EAP-TLS
Aller Ventosa, Manuel
manuel.aller at gedas.es
Wed Jun 6 16:29:23 CEST 2007
Hi
Has anybody got a freeradius server working with multiple server
certificates?
I've tried the configuration explained below, but freeradius returns error
messages.
Module: Instantiated eap (eap1)
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "/home/certificados/store/CAX-CA2"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/etc/raddb/certs/cacert.pem"
tls: private_key_password = "test"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap2: Module instantiation failed.
radiusd.conf[1597] Unknown module "eap2".
radiusd.conf[1597] Failed to parse "eap2" entry.
Any help is good
Thanks
Manel
-------------------------------------------
Date: Wed, 30 May 2007 05:22:30 +0000 (GMT)
From: Eshun Benjamin <bkeshun at yahoo.fr>
Subject: Re : Multiple server certificates in EAP-TLS or EAP-TTLS
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <796452.32991.qm at web26001.mail.ukl.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
There was a post on this by Mike;
You'll have to set up two instances of the EAP module. The first
instance will have the TLS submodule set up with the information for
Cert1.pem (and the appropriate key and CA cert). The second instance
will have its TLS submodule set with the info for Cert2.pem. It will
look something like this:
modules {
    ...
    eap eap1 {
        ...
        tls {
            certificate = Cert1.pem
            ...
        }
    }
    eap eap2 {
        ...
        tls {
            certificate = Cert2.pem
            ...
        }
    }
}
authorize {
    ...
    eap1
}
authenticate {
    ...
    eap1
    eap2
}
Then, this is one of the few instances where you'll need to manually
specify the Auth-Type in the users file, like this:
DEFAULT Called-Station-ID = "00112233445566:SSID1", Auth-Type := eap1
DEFAULT Called-Station-ID = "00112233445566:SSID2", Auth-Type := eap2
Or, better yet, use regexes (this should work):
DEFAULT Called-Station-ID =~ ":SSID1$", Auth-Type := eap1
==================================================
Benjamin K. Eshun
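A quick check for the "PEM_read_bio:no start line" failure from the first message, added here as an example (not code from the thread or from FreeRADIUS): rlm_eap_tls loads certificate_file as a chain, so OpenSSL must find a CERTIFICATE block in it (server certificate first, issuers after), and private_key_file must hold a PRIVATE KEY block. The sample file contents below are constructed placeholders, not real keys or certificates.

```python
import re

# Constructed sample file contents; the base64 bodies are placeholders, not real material.
KEY_ONLY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIBOgIBAAJBAKxPLACEHOLDER\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
KEY_AND_CHAIN = KEY_ONLY + (
    b"-----BEGIN CERTIFICATE-----\nMIIBszCCPLACEHOLDERSERVER\n-----END CERTIFICATE-----\n"
    b"-----BEGIN CERTIFICATE-----\nMIIBszCCPLACEHOLDERCA\n-----END CERTIFICATE-----\n"
)
DER_LIKE = b"\x30\x82\x01\x0a" + b"\x00" * 16  # DER ASN.1 SEQUENCE header, not PEM

# One PEM block: BEGIN/END labels must match; bodies may use CRLF or LF line endings.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)


def pem_labels(data: bytes) -> list:
    """Labels of the PEM blocks in data, in file order (what OpenSSL's PEM reader finds)."""
    return [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]


def check_eap_tls_files(cert_data: bytes, key_data: bytes) -> list:
    """Report problems with certificate_file / private_key_file contents.

    certificate_file is loaded as a chain, so it needs at least one CERTIFICATE block;
    with pem_file_type = yes, a DER file or a key-only file yields 'no start line'.
    """
    problems = []
    cert_labels = pem_labels(cert_data)
    if "CERTIFICATE" not in cert_labels:
        if cert_data[:1] == b"\x30":
            problems.append("certificate_file: looks DER-encoded but pem_file_type = yes")
        problems.append("certificate_file: no CERTIFICATE block "
                        "(OpenSSL reports PEM_read_bio:no start line)")
    if not any(lbl.endswith("PRIVATE KEY") for lbl in pem_labels(key_data)):
        problems.append("private_key_file: no PRIVATE KEY block")
    return problems


if __name__ == "__main__":
    # The thread's setup points both options at the same file, so check it twice.
    for name, data in (("key only", KEY_ONLY), ("key + chain", KEY_AND_CHAIN)):
        print(name, check_eap_tls_files(data, data) or "ok")
```

Point both arguments at the contents of cert-srv.pem to reproduce the thread's setup; a file holding only the key is enough to trigger the error shown above.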