Alan DeKok aland at deployingradius.com
Sat Jul 2 17:00:20 CEST 2016

On Jul 2, 2016, at 10:47 AM, Henrik Kressner <kressner at synkro.dk> wrote:
> Thanks for your comment, but now you are making an assumption.

  I'm going by what you said.  And what you said contradicts itself.

> I did assume that the station was the one that needed a certificate, but it did not say so in the howto, so I had to ask.

  The howto is correct.  It tells you what you're supposed to do.  If it doesn't say "put the certificate on the AP", then the certificate isn't on the AP.

  The howto has been up for about 15 years now.  The *only* times that people have had problems with it are:

1) a few minor typos that were quickly fixed

2) when people don't follow the instructions.

> And by the way, the howto says it is NOT needed to make a client certificate, so I should not assume there is a client, even though make is trying to make a client certificate, and ends up with an error, if you don't configure it.
> And again, a client in a radius environment MUST BE a NAS, so the howto is not consistent.

  The terminology is inconsistent, because the standards define the terms inconsistently.  That's life.

> I could be complaining about the bad documentation, there's no need for that, it's bad, the whole net knows it, so let us try to do something about it.

  The problem is that you can't even follow the documentation which already exists.

> To me it looks like there is a need for a certificate at the station, this means that a self-signed certificate is not usable in a production environment.

  No, and no.  Both statements are wrong.

> Therefore I will conclude you need a commercial certificate, if using freeradius in a production environment.

  No, that's wrong.

> It would be nice if that was there somewhere in the documentation, so you know that before you start.

  We don't mislead people in the documentation.  So we don't add that.

> Then a question: Will freeradius work with a letsencrypt certificate, has anybody tried?

  It's just a certificate.

> Please correct me if my conclusion is wrong.

  I've been trying, believe me.

  And I'll note that you're (again) arguing here.  And arguing about different topics.  So I'll repeat myself:

  You need to put the CA on the Windows machine.  Have you done that?

a) yes - it will start working

b) no - you want to waste your time arguing instead of solving the problem.

  Alan DeKok.

