definitively, I have a problem with eap-tls

Sergio sergioyebenes at alumnos.upm.es
Fri Jul 25 23:37:22 CEST 2008


Sergio wrote:
> Sergio wrote:
>> Hi,
>> continuing with Reveal MAP's problem with unknown CAs under EAP-TLS
>> using the default configuration....
>>
>> private_key_file = ${certdir}/server.pem
>> certificate_file = ${certdir}/server.pem
>> CA_file = ${cadir}/ca.pem
>>
>> freeradius tell me this:
>>
>> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
>> --> verify error:num=24:invalid CA certificate
>>   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert write:fatal:unknown CA
>>
>> well, it isn't a problem:
>>
>> cp server.pem root.pem
>> cat ca.pem >> root.pem
>> then I change CA_file = ${cadir}/root.pem
>>
>> ......and.....eureka!!!! authentication successful....but
>>
>> now there is a problem checking the CRL because of root.pem, so something
>> is wrong before making root.pem.
>>
>> ....well, just tell freeradius how to find certificates....
>>
>> c_rehash /usr/local/etc/raddb/certs also doesn't work
>> I think Reveal had the same problem and I have read about this on the
>> mailing list but nothing.
>>
>> Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has
>> somebody encountered problems with this apart from Reveal MAP and me?
>>
>> P.S. root certification in Windows isn't a problem, only tell
>> xp_supplicant who the root authority is (it was logical)
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>
>>
>>
> Also me, sergio
>
> restarting:
>
> private_key_file = ${certdir}/server.pem
> certificate_file = ${certdir}/server.pem
> CA_file = ${cadir}/ca.pem
>
> portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509
> -hash -noout -in server.pem).0
> portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash
> -noout -in ca.pem).0
>
>
> portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
> lrwxrwxrwx 1 root    root       6 2008-07-23 02:47 16593b28.0 -> ca.pem
> lrwxrwxrwx 1 root    root      10 2008-07-23 02:49 7d18a7eb.0 ->
> server.pem
>
> portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
> server.pem: OK
>
> portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
> client.crt: OK
>
> and then, the user is rejected. The other configuration files are ok,
> also wpa_supplicant. look at this Reveal, be brave jejeje.
> am I forgetting something?
> I have two other eap modules working ok with a different authority than
> the server's and I'm really intrigued about this. somebody joins? jeje
>
> regards :)
>
>
>
>
Please, any suggestion? I'm going insane. I can do a new installation 
and tell you what I'm doing (only proxy_request = no, put my AP into 
clients.conf and put user at example.com into the users file)...
Also I've tried to install ca.pem and server.crt in /etc/ssl/certs 
(then openssl verify client.pem returns OK, without -CApath)

Thanks
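The root.pem trick quoted above ("cp server.pem root.pem; cat ca.pem >> root.pem") hands FreeRADIUS a CA_file that contains the server's own certificate, and, since server.pem is also the private_key_file, the server's private key. The following is an added example, not code from the thread or from FreeRADIUS: a small stdlib-only Python audit that splits a PEM bundle into blocks and reports anything in a candidate CA_file that is not a CA certificate. The file contents below are constructed stand-ins (the base64 bodies are placeholders, not real DER).

```python
import re

# Matches one PEM block; group 1 is the label, group 2 the base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, base64 body without whitespace) for each PEM block."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2)))
            for m in PEM_RE.finditer(text)]

def audit_ca_file(ca_file_text, server_pem_text):
    """Report what does not belong in the file handed to CA_file.

    A trust store should hold CA certificates only. Building root.pem with
    'cp server.pem root.pem; cat ca.pem >> root.pem' also copies the server
    certificate and, because server.pem doubles as private_key_file, the
    server's private key.
    """
    server_certs = {body for label, body in pem_blocks(server_pem_text)
                    if label == "CERTIFICATE"}
    ca_certs, problems = [], []
    for label, body in pem_blocks(ca_file_text):
        if "PRIVATE KEY" in label:
            problems.append(f"{label} present in CA_file")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected {label} block in CA_file")
        elif body in server_certs:
            problems.append("server certificate present in CA_file")
        else:
            ca_certs.append(body)
    if not ca_certs:
        problems.append("CA_file holds no certificate other than the server's")
    return {"ca_certs": len(ca_certs), "problems": problems}

# Constructed stand-ins for the files in the thread (bodies are not real DER).
SERVER_PEM = """-----BEGIN RSA PRIVATE KEY-----
c2VydmVyLWtleS1wbGFjZWhvbGRlcg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
c2VydmVyLWNlcnQtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""
CA_PEM = """-----BEGIN CERTIFICATE-----
Y2EtY2VydC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
"""
ROOT_PEM = SERVER_PEM + CA_PEM  # what the cp/cat sequence from the thread produces

if __name__ == "__main__":
    print(audit_ca_file(CA_PEM, SERVER_PEM))    # plain ca.pem: no problems
    print(audit_ca_file(ROOT_PEM, SERVER_PEM))  # root.pem: key and server cert flagged
```

Run against the real files (open(...).read() in place of the constants) before pointing CA_file at a hand-built bundle; a CA_file that passes still needs the `c_rehash`/`openssl verify -CApath` check from the thread for the chain itself.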