Radius Server and Radsecproxy Certificate problem

Alan DeKok aland at deployingradius.com
Sun Jan 4 20:52:58 CET 2015

On Jan 4, 2015, at 12:22 PM, Ankit Prajapati <prajapati.ankit85 at gmail.com> wrote:
> I am trying to set up radsec using freeradius version 3.0.3.

  You should upgrade to 3.0.6.  It won’t fix this issue, but it’s generally better.

> I have generated self-signed certificate on my freeradius server using openssl commands. I have generated CA, client, server, and using same certificate for radsecProxy

  Your certificates are wrong. The debug output shows this.
> (0) <<< TLS 1.0 Alert [length 0002], fatal unknown_ca 
> (0) ERROR: TLS Alert read:fatal:unknown CA
> (0) ERROR: TLS_accept: Failed in SSLv3 read client certificate A

  That’s pretty clear.  The client certificate being presented by radsecproxy is signed by a CA.  FreeRADIUS doesn’t know anything about that CA.

  You need to use ONE CA certificate.  Put that on both systems.  Then, use that CA to create a server certificate.  Put that on FreeRADIUS.  Then, use that CA to create a client certificate.  Put that on radsecproxy.

  Alan DeKok.
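
The layout described in the reply above, as an added example that is not part of the original post: one CA signs both the server and the client certificate, and `openssl verify` confirms that each chains to that CA before the files are deployed. A certificate issued by a second, unrelated CA fails the same check, which is the condition the `unknown_ca` alert reports. All file names, subject names and lifetimes are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: one CA for both RadSec peers. Names and lifetimes are assumptions.
set -eu

make_ca() {      # $1 = dir, $2 = CA file prefix, $3 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue_cert() {   # $1 = dir, $2 = CA file prefix, $3 = cert file prefix, $4 = CN
  # Key and signing request for the peer.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  # Sign the request with the chosen CA.
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 365 -sha256 -out "$1/$3.pem" 2>/dev/null
}

chains_to() {    # $1 = CA certificate, $2 = certificate; exit 0 if it verifies
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

make_ca "$dir" ca    "Example RadSec CA"      # the ONE CA, copied to both systems
make_ca "$dir" other "Unrelated CA"           # stands in for a CA the peer lacks

issue_cert "$dir" ca    server "radius.example.test"        # for FreeRADIUS
issue_cert "$dir" ca    client "radsecproxy.example.test"   # for radsecproxy
issue_cert "$dir" other stray  "radsecproxy.example.test"   # wrong issuer

# Check every certificate against the CA file the other side will trust.
for c in server client stray; do
  if chains_to "$dir/ca.pem" "$dir/$c.pem"; then
    echo "$c.pem: chains to ca.pem"
  else
    echo "$c.pem: NOT signed by ca.pem (peer would answer unknown_ca)"
  fi
done
```
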
