FreeRADIUS EAP-TLS and SSL certificate chains
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 20 13:28:02 CET 2009
> We have exactly the same setup - verisign root->intermediate->our cert.
> What happens with an XP client on our WPA EAP-PEAP network is exactly
> the same as documented here:
Also - for info, when I take a "tcpdump" of eapol_test against
FreeRadius, the TLS records over EAP go as follows:
C : client hello
FR: server hello, certs x2 [my server cert, intermediate ca], hello done
C : client key exch, change cipher, encrypted handshake
FR: change cipher, encrypted handshake
...that is, FreeRadius *is* sending back the intermediate certificate to
the client - but as I say, a post-SP2 change to XP appears to not
automatically "trust" it.
Our config is as follows:
eap {
    tls {
        private_key_file = ${confdir}/certs/wireless4.key
        certificate_file = ${confdir}/certs/wireless4-verisign-crt.pem
        # note: this is *our* local CA, trusted for EAP-TLS client certs
        CA_file = ${confdir}/certs/ICca.pem
    }
    # and peap later on
}
...the file "wireless4-verisign-crt.pem" contains:
-----BEGIN CERTIFICATE-----
...our cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...intermediate cert
-----END CERTIFICATE-----
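An added check (not from the post or from FreeRADIUS) for a certificate_file laid out as above: it splits the PEM bundle into its certificates and confirms that each one's subject matches the previous one's issuer, i.e. the server cert comes first and the intermediate that signed it follows. It assumes `openssl` is on PATH; the exit status is non-zero when the order is wrong or a link in the chain is missing.

```shell
#!/bin/sh
# check_chain_order FILE
# Returns 0 when every certificate after the first is the issuer of the one
# before it (leaf, then intermediate(s)); returns 1 otherwise.
check_chain_order() {
    file=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one numbered file per certificate, in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (sprintf("%s/cert%03d.pem", dir, n)) }
    ' "$file"
    prev_issuer=
    count=0
    rc=0
    for cert in "$tmp"/cert*.pem; do
        [ -f "$cert" ] || break
        count=$((count + 1))
        # RFC2253 name format gives a stable string for comparing DNs.
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" |
                  sed 's/^[a-z]*= *//')
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert" |
                 sed 's/^[a-z]*= *//')
        if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
            echo "cert $count: subject '$subject' is not the issuer of the previous cert ('$prev_issuer')" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || rc=1
    return $rc
}
```

The last certificate's own issuer is not checked, so a bundle ending at the intermediate (root omitted, as in the post) passes.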