Failure with "TLS authentication" and "Freeradius on Fedora-17"

Ajay Garg ajaygargnsit at gmail.com
Mon Jan 7 20:41:07 CET 2013


Thanks John

I am indeed looking for a ground-zero-solution :)


On Tue, Jan 8, 2013 at 12:14 AM, John Dennis <jdennis at redhat.com> wrote:

> On 01/07/2013 12:18 PM, Ajay Garg wrote:
>
>> Thanks Alan, and A.L.M.
>>
>> I too thought the same looking at the "decrypt failure messages".
>>
>> As I told in my startup-mail on this thread, the procedure ::
>>
>>                            su -
>>                            cd /etc/raddb/certs
>>                            make clean
>>                            make client.pem
>>
>> makes TLS-authentication works perfectly fine for Fedora-14-freeradius,
>> but not for Fedora-17-freeradius (and I am talking of the vanilla
>> "gnome-way" of connecting, as is evident from the snapshot).
>>
>
> First of all there is no such version as Fedora-XX-freeradius, there is
> however the version of freeradius which happens to be installed. At
> different points in time Fedora releases will have had different versions
> of freeradius available. You can find out which version you have installed
> via either
>
> rpm -q freeradius
>
> or
>
> yum info freeradius
>
> It's a little hard to tell from your series of steps but I suspect
> you're not using a client cert signed by the CA you've configured.
>
> Or the issuing signer (the CA) cert has expired. We deliberately set the
> validity period to a very short value (60 days) on the *temporary* certs
> which get created during the freeradius server install to force you to pay
> attention to the fact these are temporary certs created during install to
> play around with and are not appropriate for deployment (at least not
> without editing the configuration files to set the values to your
> organization).
>
> Thus I would check the following:
>
> 1) Is the CA cert still valid?
>
> 2) Is the CA cert used to sign the client cert the same one in the CA cert
> bundle the server is using?
>
> You could go back to square one if the above does not help you.
>
> 1) Clean all the certs in /etc/raddb/certs by cd'ing to that directory and
> running "make destroycerts"
>

Done.



>
> 2) Then run "make client", that should recreate *both* the CA cert and
> the server cert first, then it will create the client cert signed by the
> new CA.
>

Done.



>
> 3) restart the server and redeploy the client cert.


Upon restarting, it shows a "missing server.pem" error.
I reckon that we need to run "make server" too at some point of time (so
that "server.pem" gets generated after "make destroycerts").

HOWEVER, I am now confused which "ca.pem" to consider, the one generated
via "make server", or the one generated via "make client"?



>
>
>  Do certs need to be generated differently in Fedora-17 freeradius?
>>
>
>
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>



-- 
Regards,
Ajay
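The two checks John suggests, as an added example that is not part of this thread and not freeradius's own certs Makefile: the script builds throwaway certificates with openssl (a 60-day CA, as the install-time certs have, plus an unrelated second CA standing in for a stale CA bundle, and a client cert signed by the first CA) and then tests (1) whether the CA is still valid and how soon it expires, and (2) whether the client cert chains to the CA file the server is actually configured with. The config file, the helper function names and the subject names are assumptions of this example; only the 60-day figure and the check themselves come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from freeradius): reproduce the two
# checks John suggests, using openssl against certificates constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the CA gets CA:TRUE regardless of the system
# openssl.cnf. Every subject name below is a constructed placeholder.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Example CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Issue a self-signed CA valid for the given number of days.
make_ca() {  # make_ca <basename> <days> <common-name>
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -days "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a client cert signed by the named CA (30-day validity, a constructed value).
make_client() {  # make_client <basename> <ca-basename>
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-client" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Check 1: is the cert valid now, and will it still be valid <days> days from now?
# Exit status 0 when it will, 1 when it has expired or expires within that window.
ca_still_valid() {  # ca_still_valid <cert.pem> <days>
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Check 2: does the client cert chain to exactly this CA file?
# Exit status 0 when it verifies, 1 when the CA file did not sign it.
client_signed_by_ca() {  # client_signed_by_ca <ca.pem> <client.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed scenario: the 60-day install-style CA, an unrelated "stale" CA,
# and a client cert issued by the first one.
make_ca ca 60 "Constructed Example CA"
make_ca stale_ca 60 "Constructed Stale CA"
make_client client ca

if ca_still_valid "$WORK/ca.pem" 0; then
    echo "ca.pem is currently valid"
fi
if ! ca_still_valid "$WORK/ca.pem" 90; then
    echo "ca.pem expires within 90 days: a temporary install-time cert, not for deployment"
fi
if client_signed_by_ca "$WORK/ca.pem" "$WORK/client.pem"; then
    echo "client.pem chains to ca.pem"
fi
if ! client_signed_by_ca "$WORK/stale_ca.pem" "$WORK/client.pem"; then
    echo "client.pem does NOT chain to stale_ca.pem: wrong CA bundle on the server"
fi
```

On a real server the two checks would be pointed at the CA file named in the EAP/TLS configuration and at the client.pem that was deployed, rather than at the constructed files; a failure of the second check is exactly the mismatch John describes, and a failure of the first after roughly two months is the expected effect of the 60-day install-time validity period.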