RADIUS certificate compatibility warning
Alan DeKok
aland at deployingradius.com
Fri Oct 28 17:00:56 CEST 2011
Martin Ubank wrote:
>> Martin Ubank wrote:
>>> The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate:
>>> OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
>>
>> Fix that and it should work.
>
> I've not been able to fix it yet.
> The Openssl-Users list hasn't been able to suggest anything.
>
> I am running 'eapol_test -c test.conf -s testing123' from the CentOS VM on which FreeRadius is installed.
If it's an error from eapol_test, ask on the hostap list. I really
don't know enough about OpenSSL to say more.
> The 'bootstrap' script contains:
Yes... we know.
> From this script, I understand that:
> ca.der is created by 'openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der';
> ca.key & ca.pem are created by
> 'openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf'.
>
> So, how does FreeRadius expect to load the root certificate from ca.der?
It uses OpenSSL.
> If it can't, then what file should be in the ca_cert directive in my test.conf file?
No idea.
> Or, is 'eapol_test' not the correct way to test "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP"?
It is one way to test.
In 2.1.12, you can use radclient to send MS-CHAP packets to the
server. See raddb/sites-available/inner-tunnel
Alan DeKok.