Unknown CA error in FR Debug

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Mon Jan 24 22:20:42 CET 2011


Hi,

> I must be doing something wrong. As per Alan's advice I did visit deployingradius.com, and there it mentions that the validate server cert check box must be selected in the 802.1x supplicant config; however, I cannot seem to find where to configure that option BEFORE the first successful connection. I know exactly how to do it once the profile is established, but before the client has successfully connected for the first time I cannot find where one would set this option.

the system is a little dumb. you need to create a manual connection if you want to do it that way -
the straight-connect method is too streamlined and doesn't let you play like that

> Also, I have used the bootstrap script to generate the certs, but I wanted to check that the certs it is generating are what I need. I mentioned that I changed the parameters; just to be clear, the only options I changed are the name of the entity (changed it to the name of our university for the CA, and the name of the server for the server cert) and the expiry time (set it to a date way into the future). That's it.
> 
> I have also experimented with using different keys in the eap.conf file (using server.crt instead of server.pem, etc.) but each time the results are the same. Please see a copy of my eap.conf below:

no need to 'play' with things...the default template is pretty fine - just change the paths
if you want a 'Production' storage place...and check permissions are right!

>                         #CA_file = ${cadir}/ca.pem

set this. it helps!

for performance/less packets...you probably want to set the default PEAP and
EAP-TTLS types to mschapv2 rather than the basic default of md5.
...and you really want to use that nice cache feature...oh yes.

alan
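
An added example, not part of Alan's message and not FreeRADIUS code: a small Python check for the three eap.conf points raised in the reply above (CA_file left commented out, an inner default_eap_type of md5, session cache off). The eap.conf excerpt is constructed and assumes the FreeRADIUS 2.x section layout; `parse_settings` and `audit` are hypothetical helper names.

```python
import re

# Constructed eap.conf excerpt (FreeRADIUS 2.x style layout); not the poster's file.
SAMPLE_EAP_CONF = """
eap {
    tls {
        certificate_file = ${certdir}/server.pem
        #CA_file = ${cadir}/ca.pem
        cache {
            enable = no
        }
    }
    ttls {
        default_eap_type = md5
    }
    peap {
        default_eap_type = mschapv2
    }
}
"""

def parse_settings(text):
    """Map active settings to dotted paths, e.g. 'eap.tls.cache.enable' -> 'no'."""
    settings, stack = {}, []
    for raw in text.splitlines():
        # Simplification: everything after '#' is a comment, so '#CA_file' is inactive.
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # entering a section
        elif line == "}" and stack:
            stack.pop()                          # leaving a section
        else:
            m = re.match(r"(\w+)\s*=\s*(.+)", line)
            if m:
                settings[".".join(stack + [m.group(1)])] = m.group(2).strip()
    return settings

def audit(text):
    """Return findings for the settings discussed in the thread."""
    s, findings = parse_settings(text), []
    if "eap.tls.CA_file" not in s:
        findings.append("tls: CA_file is not set")
    for method in ("ttls", "peap"):
        inner = s.get(f"eap.{method}.default_eap_type")
        if inner != "mschapv2":
            findings.append(f"{method}: default_eap_type is {inner}, not mschapv2")
    if s.get("eap.tls.cache.enable") != "yes":
        findings.append("tls: session cache is not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EAP_CONF)))
```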


