Failure with "TLS authentication" and "Freeradius on Fedora-17"
ajaygargnsit at gmail.com
Mon Jan 7 20:41:07 CET 2013
I am indeed looking for a ground-zero-solution :)
On Tue, Jan 8, 2013 at 12:14 AM, John Dennis <jdennis at redhat.com> wrote:
> On 01/07/2013 12:18 PM, Ajay Garg wrote:
>> Thanks Alan, and A.L.M.
>> I too thought the same looking at the "decrypt failure messages".
>> As I told in my startup-mail on this thread, the procedure ::
>> su -
>> cd /etc/raddb/certs
>> make clean
>> make client.pem
>> makes TLS-authentication works perfectly fine for Fedora-14-freeradius,
>> but not for Fedora-17-freeradius (and I am talking of the vanilla
>> "gnome-way" of connecting, as is evident from the snapshot).
> First of all there is no such version as Fedora-XX-freeradius, there is
> however the version of freeradius which happens to be installed. At
> different points in time Fedora releases will have had different versions
> of freeradius available. You can find out which version you have installed
> via either
> rpm -q freeradius
> yum info freeradius
> It's a little hard to tell from your series of steps but I suspect
> you're not using a client cert signed by the CA you've configured.
> Or the issuing signer (the CA) cert has expired. We deliberately set the
> validity period to a very short value (60 days) on the *temporary* certs
> which get created during the freeradius server install to force you to pay
> attention to the fact these are temporary certs created during install to
> play around with and are not appropriate for deployment (at least not
> without editing the configuration files to set the values to your
> Thus I would check the following:
> 1) Is the CA cert still valid?
> 2) Is the CA cert used to sign the client cert the same one in the CA cert
> bundle the server is using.
> You could go back to square one if the above does not help you.
> 1) Clean all the certs in /etc/raddb/certs by cd'ing to that directory and
> running "make destroycerts"
> 2) Then run "make client", that should recreate *both* the CA cert and
> the server cert first, then it will create the client cert signed by the
> new CA.
> 3) restart the server and redeploy the client cert.
Upon restarting, it shows a "missing server.pem" error.
I reckon that we need to run "make server" too at some point of time (so
that "server.pem" gets generated after "make destroycerts").
HOWEVER, I am now confused which "ca.pem" to consider, the one generated
via "make server", or the one generated via "make client"?
> Do certs need to be generated differently in Fedora-17 freeradius?
> John Dennis <jdennis at redhat.com>
> Looking to carve out IT costs?
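Added example, not from this thread or from the FreeRADIUS project: a small POSIX shell script that performs the two checks John lists above (is ca.pem still valid, and were client.pem and server.pem signed by the ca.pem the server is using). It assumes the openssl CLI is installed and the /etc/raddb/certs layout of ca.pem, server.pem and client.pem; the directory argument is a hypothetical parameter so the checks can be run against a copy of the directory, and server.pem is included because the server will not start without it after "make destroycerts".

```shell
#!/bin/sh
# Added example (not from the thread): check a FreeRADIUS cert directory
# for the two problems John suggests. Assumes the openssl CLI is on PATH
# and the /etc/raddb/certs layout (ca.pem, server.pem, client.pem).
# The directory argument is a hypothetical parameter so a copy can be checked.

# 0 if ca.pem is still inside its validity period.
# -checkend 0 fails when the cert expires within 0 seconds, i.e. is already expired.
ca_still_valid() {
    openssl x509 -in "$1/ca.pem" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if $1/$2 chains to $1/ca.pem, i.e. was signed by the CA in this directory.
# The ": OK" grep keeps the result reliable on older openssl builds whose
# "verify" subcommand exited 0 even on failure.
signed_by_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2" 2>/dev/null | grep -q ': OK$'
}

# Report on a cert directory; returns 0 only when every check passes.
check_raddb_certs() {
    dir="$1"
    rc=0
    # "make destroycerts" removes all three; the server refuses to start without server.pem.
    for f in ca.pem server.pem client.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    if ca_still_valid "$dir"; then
        echo "ca.pem: valid ($(openssl x509 -in "$dir/ca.pem" -noout -enddate))"
    else
        echo "ca.pem: EXPIRED ($(openssl x509 -in "$dir/ca.pem" -noout -enddate))"
        rc=1
    fi

    # Both certs must verify against the same ca.pem; a client.pem left over
    # from before the CA was regenerated fails here.
    for f in server.pem client.pem; do
        if signed_by_ca "$dir" "$f"; then
            echo "$f: signed by $dir/ca.pem"
        else
            echo "$f: NOT signed by $dir/ca.pem (or the chain is otherwise invalid)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_raddb_certs.sh /etc/raddb/certs
if [ "$#" -gt 0 ]; then
    check_raddb_certs "$1"
fi
```

The script reads whichever ca.pem is in the directory; the property it tests is the one John describes in point 2, that the certificate presented by the client and the server's own certificate both verify against the CA cert the server trusts.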