virtual server configuration

usawebbox at fastmail.fm usawebbox at fastmail.fm
Wed Mar 19 01:39:14 CET 2008


I'm using FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built
on Feb 14 2008 at 15:20:55

I got back to testing allowing only PEAP-GTC on one virtual server. I
used the included self-signed certs this time, but as I suspected, the
results were the same whenever I comment out CA_file:

 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.key"
        certificate_file = "/etc/raddb/certs/server-ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
   }
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
rlm_eap_tls: Error reading Trusted root CA list (null)
rlm_eap: Failed to initialize type tls

I think we might be trying the wrong thing. Although the comments
together say:

    #  If CA_file (below) is not used, then the
    #  certificate_file below MUST include not
    #  only the server certificate, but ALSO all
    #  of the CA certificates used to sign the
    #  server certificate.
    certificate_file = ${certdir}/wifiserver.pem

    #  This parameter is used only for EAP-TLS,
    #  when you issue client certificates.  If you do
    #  not use client certificates, and you do not want
    #  to permit EAP-TLS authentication, then delete
    #  this configuration item.
    #CA_file = ${cadir}/wifiserver.pem

The first comment might be giving you just another place to provide your
CA cert, whereas the second comment clearly talks about not permitting
EAP-TLS. I say this, because I don't see why the CA would be required at
all if EAP-TLS will be denied. All you need is a server cert and private
key. In PEAP, the client is the one who needs the CA cert, if he wants
to verify the server cert, but even that is optional.

Anyway, can we say now that not providing a CA_file doesn't work?

If there's something else I should test, just mention it.

Thanks.
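As an added check (not part of this thread, and not FreeRADIUS's own tooling), assuming the openssl CLI is available: a shell helper that builds a throw-away CA and server cert, bundles them the way the eap.conf comment says certificate_file must be laid out (server cert first, then the CA certs that signed it), and verifies that the first certificate in a bundle actually chains to the rest. All file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check a certificate_file bundle before handing it to
# rlm_eap_tls. Layout expected: server cert first, then its CA chain.
set -eu

# Count PEM certificate blocks in a bundle (prints 0 when there are none).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Verify that the first certificate in the bundle chains to the CA certs that
# follow it. Prints "ok" / "FAIL: ..." and returns 0 / 1.
check_bundle() {
    bundle="$1"
    if [ "$(count_certs "$bundle")" -lt 2 ]; then
        echo "FAIL: bundle holds fewer than 2 certificates (server + CA needed)"
        return 1
    fi
    tmp=$(mktemp -d)
    # Split: block 1 -> server.pem, blocks 2.. -> cas.pem (the trusted chain).
    awk -v dir="$tmp" '
        /BEGIN CERTIFICATE/ { n++ }
        n == 1 { print > (dir "/server.pem") }
        n >= 2 { print > (dir "/cas.pem") }
    ' "$bundle"
    if openssl verify -CAfile "$tmp/cas.pem" "$tmp/server.pem" >/dev/null 2>&1; then
        echo ok; rm -rf "$tmp"; return 0
    fi
    echo "FAIL: server cert does not verify against the CA certs in the bundle"
    rm -rf "$tmp"; return 1
}

# Build a constructed demo CA + server cert (hypothetical names) in "$1".
make_demo_bundle() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "/CN=Example Test CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=radius.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 30 >/dev/null 2>&1
    cat "$dir/server.crt" "$dir/ca.pem" > "$dir/server-ca.pem"  # correct: server + CA
    cp "$dir/server.crt" "$dir/server-only.pem"                 # the mistake to catch
}
```

Run `make_demo_bundle "$(mktemp -d)"` and then `check_bundle` on both files to see the good bundle pass and the server-only file fail.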


On Thu, 13 Mar 2008 11:58:48 +0100, "Alan DeKok"
<aland at deployingradius.com> said:
> usawebbox at fastmail.fm wrote:
> > Except that my server cert does contain a CA cert. I'm not 100% sure
> > it's sufficient, because it was issued from an intermediate CA (it needs
> > to be the signer(s) not the issuer, right?), so I went to another CA got
> > a webserver cert in pem format directly from the root. Downloaded the
> > root CA cert in pem format and appended them.... same error:
> 
>   You generally want to use self-signed certs for 802.1x.  See
> raddb/certs/README
> 
> > Do we know this mode is working (No CA_File, but certificate file with
> > server cert + ca cert)? In any case, I'd be willing to experiment more.
> 
>   It should work in 2.0.2.
> 
>   Alan DeKok.