Failure with "TLS authentication" and "Freeradius on Fedora-17"
John Dennis
jdennis at redhat.com
Mon Jan 7 19:44:50 CET 2013
On 01/07/2013 12:18 PM, Ajay Garg wrote:
> Thanks Alan, and A.L.M.
>
> I too thought the same looking at the "decrypt failure messages".
>
> As I told in my startup-mail on this thread, the procedure ::
>
> su -
> cd /etc/raddb/certs
> make clean
> make client.pem
>
> makes TLS-authentication works perfectly fine for Fedora-14-freeradius,
> but not for Fedora-17-freeradius (and I am talking of the vanilla
> "gnome-way" of connecting, as is evident from the snapshot).
First of all there is no such version as Fedora-XX-freeradius, there is
however the version of freeradius which happens to be installed. At
different points in time Fedora releases will have had different
versions of freeradius available. You can find out which version you
have installed via either
rpm -q freeradius
or
yum info freeradius
It's a little hard to tell from your series of steps but I suspect
you're not using a client cert signed by the CA you've configured.
Or the issuing signer (the CA) cert has expired. We deliberately set the
validity period to a very short value (60 days) on the *temporary* certs
which get created during the freeradius server install to force you to
pay attention to the fact these are temporary certs created during
install to play around with and are not appropriate for deployment (at
least not without editing the configuration files to set the values to
your organization).
Thus I would check the following:
1) Is the CA cert still valid?
2) Is the CA cert used to sign the client cert the same one in the CA
cert bundle the server is using?
You could go back to square one if the above does not help you.
1) Clean all the certs in /etc/raddb/certs by cd'ing to that directory
and running "make destroycerts"
2) Then run "make client", that should recreate *both* the CA cert
and the server cert first, then it will create the client cert signed by
the new CA.
3) restart the server and redeploy the client cert.
> Do certs need to be generated differently in Fedora-17 freeradius?
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
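The two checks John lists above (is the CA cert still valid, and was the client cert signed by the CA the server trusts) can be run with plain openssl(1). The script below is an added example written for this archive page, not code from the thread or from the freeradius project. It builds a throwaway CA and client cert in a temporary directory (constructed test data, not /etc/raddb/certs), using a 60-day validity to mirror the temporary certs John describes, and then runs both checks against it, including the "signed by a different CA" failure. It assumes openssl is on PATH; the directory layout and function names are this example's own.

```shell
#!/bin/sh
# Added example: reproduce the CA-validity and client-signature checks
# from the reply above against a constructed CA and client cert.
# Assumption: openssl(1) is installed. Paths under the temp dir are
# this example's own layout, not the raddb certs directory.
set -eu

# Build a constructed CA plus a client cert signed by it.
# $1 = output directory, $2 = validity in days (60 mirrors the temp certs)
make_test_pki() {
    dir=$1; days=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
}

# Check 1: is the CA cert still valid?
# $1 = CA cert, $2 = look-ahead in seconds (default 0 = "valid right now").
# Exit status 0 means it will NOT expire within that window.
ca_still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Check 2: does the client cert chain to the CA the server is using?
# $1 = CA cert (or bundle), $2 = client cert. Exit 0 on success.
client_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show the names a mismatch would reveal: the client cert's issuer must
# equal the subject of the CA in the server's bundle.
show_chain_names() {
    echo "client issuer : $(openssl x509 -in "$2" -noout -issuer)"
    echo "CA subject    : $(openssl x509 -in "$1" -noout -subject)"
}

# Stand-alone walk-through: a CA that signed the client, and a second
# ("other") CA that did not, as when the CA was regenerated separately.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work/good" 60
    make_test_pki "$work/other" 60

    if ca_still_valid "$work/good/ca.pem"; then
        echo "CA cert is valid right now"
    else
        echo "CA cert has EXPIRED: regenerate the certs"
    fi
    # 7776000 s = 90 days; a 60-day temp cert cannot pass this window.
    if ca_still_valid "$work/good/ca.pem" 7776000; then
        echo "CA cert good for at least 90 more days"
    else
        echo "CA cert expires within 90 days (short-lived temp cert)"
    fi

    show_chain_names "$work/good/ca.pem" "$work/good/client.pem"
    if client_signed_by "$work/good/ca.pem" "$work/good/client.pem"; then
        echo "client cert verifies against the server's CA"
    fi
    if ! client_signed_by "$work/other/ca.pem" "$work/good/client.pem"; then
        echo "client cert does NOT verify against a different CA"
    fi
    rm -rf "$work"
}

demo
```

On a real server, point ca_still_valid at the CA file named by the server's EAP-TLS configuration and client_signed_by at that same file plus the client.pem you deployed; a failure of the second check with a valid CA is exactly the "cert not signed by the configured CA" case, and the fix John gives is make destroycerts followed by make client so both ends come from one CA.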