RADIUS certificate compatibility warning

Alan DeKok aland at deployingradius.com
Fri Oct 28 17:00:56 CEST 2011

Martin Ubank wrote:
>> Martin Ubank wrote:
>>> The following lines from the output of the 'eapol_test' command seem
>> to indicate a problem with the root certificate.:
>>> OpenSSL: tls_connection_ca_cert - Failed to load root certificates
>> error:00000000:lib(0):func(0):reason(0)
>>   Fix that and it should work.
> I've not been able to fix it yet.
> The Openssl-Users list hasn't been able to suggest anything.
> I am running 'eapol_test -c test.conf -s testing123' from the CentOS VM on which FreeRadius is installed.

  If it's an error from eapol_test, ask on the hostap list.  I really
don't know enough about OpenSSL to say more.

> The 'bootstrap' script contains:

  Yes... we know.

>>From this script, I understand that:
>  ca.der is created by 'openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der';
>  ca.key & ca.pem are created by
>  'openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf'.
> So, how does FreeRadius expect to load the root certificate from ca.der?

  It uses OpenSSL/

> If it can't, then what file should be in the ca_cert directive in my test.conf file?

  No idea.

> Or, is 'eapol_test' not the correct way to test "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP"?

  It is one way to test.

  In 2.1.12, you can use radclient to send MS-CHAP packets to the
server.  See raddb/sites-available/inner-tunnel

  Alan DeKok.

More information about the Freeradius-Users mailing list