EAP-TLS certificate
Alan DeKok
aland at deployingradius.com
Sat Apr 5 08:49:35 CEST 2008
xia sihua wrote:
...
> CA_file = ${cadir}/ca.pem
> ....
>
> The supplicant I use is the TeraDot1x Tester from Spirent Communications.
> ...
> Configuration:
...
> Root Certificate Filename: server.pem

I think that should be "ca.pem".

> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA

Yes, the client is telling you that it doesn't know anything about ca.pem.

> If I change Root Certificate Filename from server.pem to ca.pem, the
> following error comes out.
> ....
> eaptls_verify returned 11
> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
> TLS Alert read:fatal:bad certificate

Ask the supplicant vendor why they don't like the certificate we provide.

> If I use the certificates provided by Spirent, it passes. I do not know why.
> Any ideas?

Print out the Spirent certificates, and post the result here. Maybe
there's some extra magic needed.

$ openssl x509 -text -in spirent.crt

Alan DeKok.
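
The trust-root mismatch discussed in this message can be reproduced offline with openssl. The script below is an added example, not part of the original post and not FreeRADIUS or Spirent code: it builds a constructed CA and server certificate, then checks server.pem against each candidate root. The file names mirror the thread; the certificate subjects, key sizes and helper function names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: every name and file here is throwaway test material.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_demo_pki() {
    # Self-signed root, standing in for the server side's ca.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null
    # Server key and CSR, then a certificate issued by that root (server.pem).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Demo RADIUS Server" \
        -keyout "$demo_dir/server.key" -out "$demo_dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/server.csr" -days 1 \
        -CA "$demo_dir/ca.pem" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$demo_dir/server.pem" 2>/dev/null
}

# trust_check ROOT CERT: succeeds only if CERT chains to the trust root ROOT.
trust_check() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# is_self_issued CERT: succeeds if issuer equals subject, as for a root CA.
is_self_issued() {
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ]
}

make_demo_pki
for root in ca.pem server.pem; do
    if is_self_issued "$demo_dir/$root"; then kind="self-issued root"
    else kind="issued by another CA, not a root"; fi
    if trust_check "$demo_dir/$root" "$demo_dir/server.pem"; then
        echo "trust root = $root ($kind): server.pem verifies"
    else
        echo "trust root = $root ($kind): no chain to a trusted CA"
    fi
done
```

With ca.pem as the trust root the check succeeds; with server.pem in that role no chain to a trusted CA can be built, which is the condition a TLS client signals with the unknown_ca alert.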