wpa_supplicant(eapol_test) with freeradius: error coming in TLS

Alan DeKok aland at deployingradius.com
Wed Jul 9 17:28:14 CEST 2008


Sergio Yébenes Moreno wrote:
> I think that the PKI that comes with freeradius by default is shit

  Feel free to submit fixes.

  Most people don't have problems with the defaults.  Perhaps because
they realize that the defaults are for testing, and not for production use.

> (./bootstrap). I had the same problem. If you see the certification
> route in firefox, for example, you will see that client certificates are
> signed by SERVER CERTIFICATE and this by ca certificate.

  Which shouldn't be a problem.

> Probably you
> put ca_cert="/usr/local/etc/raddb/certs/ca.pem" in eap.conf

  There is no configuration entry called 'ca_cert'.

> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
> --> verify error:num=20:unable to get local issuer certificate
> 
>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
> 
> , and should be server.pem, or make your own ca, that signs client and
> server certificates.

  The default configuration works.  Perhaps you could try explaining why
you think it doesn't, or why it's wrong.

  Alan DeKok.



