EAP-TLS certificate
xia sihua
walter.xia at gmail.com
Sat Apr 5 03:57:41 CEST 2008
Hi,
I am using version 2.0.3. I generated the certificates using the files
ca.cnf, server.cnf, client.cnf, xpextensions and Makefile, which are in
the directory ../raddb/certs/. Then I used "make server.vrfy" to verify
the server certificate, and it is OK. "make client.vrfy" is also OK.
I use the EAP-TLS authentication method, and I have modified the eap.conf
file to add the relevant certificate files as follows:
....
private_key_password = radius
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
....
The supplicant I use is the TeraDot1x Tester from Spirent Communications.
...
Configuration:
Supplicant ID: test (defined in client.cnf common name)
User Certificate Filename: client.pem
User Key Filename: client.key
Root Certificate Filename: server.pem
Key password: test (same defined in client.cnf file)
....
When using the above configuration, the RADIUS server prints out the
following error:
.....
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client hello B
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
....
If I change the Root Certificate Filename from server.pem to ca.pem, the
following error comes out:
....
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
....
If I use the certificates provided by Spirent, it passes. I do not know why.
Any ideas?
--
Best regards!
walter
***************************************
Nothing is impossible!
***************************************