Machine auth fails but user auth works

Dennis Xu dxu at uoguelph.ca
Fri Dec 4 23:24:13 CET 2015


I have listed all root and intermediate CAs in the eap file:
 

                certificate_file = ${certdir}/ThawteCert.cer

                #  Trusted Root CA list
                #
                #  ALL of the CA's in this list will be trusted
                #  to issue client certificates for authentication.
                #
                #  In general, you should use self-signed
                #  certificates for 802.1x (EAP) authentication.
                #  In that case, this CA file should contain
                #  *one* CA certificate.
                #
                ca_file = ${cadir}/SSL_PrimaryCA.pem
                ca_file = ${cadir}/SSL_SecondaryCA.pem
                ca_file = ${cadir}/thawte_Premium_Server_CA.pem

The server certificate and its configuration should be ok, otherwise the user authentication would fail as well.  

If the server is trying to validate the client certificate, it will fail for sure as there is no certificate on the clients, and I don't think that is required for PEAP.

Dennis



----- Original Message -----
From: "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Friday, December 4, 2015 2:29:42 PM
Subject: Re: Machine auth fails but user auth works


> On 4 Dec 2015, at 14:23, Dennis Xu <dxu at uoguelph.ca> wrote:
> 
> PEAP does not need to check certificate on client. It is not EAP-TLS. Is there an option to disable the client side certificate validation?
> 
> No we don't have PKI, so not the same CA as AD. It is just a third party trusted CA from Thawte.

You need to bundle as much of the certificate chain as required in the server certificate file, to allow the client to establish the trust relationship from one of its roots to your certificate.

So you need your server cert, and the intermediary CAs all concatenated together in the same file.  Easiest to do this with PEM, as you can just cat >> the base64 armoured certs together.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
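The bundling Arran describes above, as an added example that is not part of this thread or of FreeRADIUS itself: a POSIX shell script that builds a constructed three-level test PKI with openssl (the CA and host names are placeholders), concatenates the server certificate and the intermediate CA into one PEM file in leaf-first order, and uses `openssl verify` to show that a peer trusting only the root cannot validate the bare server certificate but can validate the bundle. It assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Names below are constructed placeholders.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# Constructed three-level test PKI: root -> intermediate -> RADIUS server cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext
q openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Test Root CA'
q openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 -extfile ca.ext -out root.pem
q openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj '/CN=Test Intermediate CA'
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -sha256 -extfile ca.ext -out inter.pem
q openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj '/CN=radius.example.test'
q openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 825 -sha256 -extfile srv.ext -out server.pem

# build_bundle LEAF INTERMEDIATE... : concatenate PEM certs, server cert first.
# This is the file that certificate_file in the eap section should point at.
build_bundle() { cat "$@"; }

# chain_ok ROOT BUNDLE : succeeds only if a peer that trusts ROOT alone can build
# a chain to the first certificate in BUNDLE using the other certificates in it,
# which is what the supplicant has to do during the PEAP TLS handshake.
chain_ok() {
    openssl x509 -in "$2" -out "$2.leaf" 2>/dev/null        # first cert = leaf
    openssl verify -CAfile "$1" -untrusted "$2" "$2.leaf" >/dev/null 2>&1
}

build_bundle server.pem inter.pem > bundle.pem
chain_ok root.pem server.pem || echo "server.pem alone: chain not verifiable (the failing case)"
chain_ok root.pem bundle.pem && echo "bundle.pem: chain verifiable"
```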

