FreeRADIUS EAP-TLS Auth. Issues

SENECAUX Ludovic Ludovic.SENECAUX at lenord.fr
Tue Jan 23 14:54:16 UTC 2024


I checked my 2 RADIUS servers again; if I set "reject_unknown_intermediate_ca = yes":
- 3.0.20 (PROD): EAP-TLS auth. is OK
- 3.2.3 (DEV): EAP-TLS auth. is broken

Same OS version, same OpenSSL version, same RADIUS config.




-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+ludovic.senecaux=lenord.fr at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Tuesday, January 23, 2024 15:08
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: FreeRADIUS EAP-TLS Auth. Issues



On Jan 23, 2024, at 8:51 AM, SENECAUX Ludovic <Ludovic.SENECAUX at lenord.fr> wrote:
>
> I set "auto_chain = yes" ; the result is the same.
>
>> ca_file = ${cadir}/chain.pem
> This file already contains rootca and subca certificates.

  OK, that's good.

>>> Certificate chain - 1 cert(s) untrusted
>>> (TLS) untrusted certificate with depth [1] subject name /CN=SubCA
>>> (TLS) untrusted certificate with depth [0] subject name /CN=device
>> Which certificates are those for?  rootca.pem?  subca.pem?
>
> The device cert is signed by subca, which is signed by rootca.

  Except the rootca isn't printed out in that list.  So for some reason it's not loading the rootca.

  Alan DeKok.

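The thread turns on whether the bundle given as `ca_file` really supplies the root CA, since the FreeRADIUS log lists only depth 1 (SubCA) and depth 0 (device) as untrusted. The script below is an added example, not code from the mailing list or from the FreeRADIUS project: it builds a throwaway RootCA -> SubCA -> device chain with the openssl CLI (all names, file paths and the `$WORK` directory are constructed), lists the subjects a bundle actually contains, and verifies the device certificate against a full bundle and against an intermediate-only bundle, which reproduces the "no trusted root" failure shape.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): check what a ca_file
# bundle contains and whether a device cert chains up to a root inside it.
# Every name and path here is constructed for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_csr FILE CN: fresh EC key plus CSR for /CN=CN (EC keeps generation fast).
gen_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# make_chain: self-signed RootCA, a SubCA signed by it, a device cert signed
# by the SubCA, then the two-certificate bundle a ca_file would point at.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    gen_csr rootca RootCA
    openssl x509 -req -in "$WORK/rootca.csr" -signkey "$WORK/rootca.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/rootca.pem" 2>/dev/null
    gen_csr subca SubCA
    openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/rootca.pem" -CAkey "$WORK/rootca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/subca.pem" 2>/dev/null
    gen_csr device device
    openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/subca.pem" -CAkey "$WORK/subca.key" \
        -CAcreateserial -days 1 -out "$WORK/device.pem" 2>/dev/null
    # Intermediate plus root: the layout chain.pem is supposed to have.
    cat "$WORK/subca.pem" "$WORK/rootca.pem" > "$WORK/chain.pem"
}

# count_certs FILE: number of PEM certificates in a bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# bundle_subjects FILE: one "subject=..." line per certificate in the bundle,
# which is the quickest way to see whether the root CA is really in there.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

# verify_device CAFILE: exit 0 only if device.pem chains to a self-signed root
# found in CAFILE; an intermediate alone is not a trust anchor.
verify_device() {
    openssl verify -CAfile "$1" "$WORK/device.pem" >/dev/null 2>&1
}

make_chain
echo "chain.pem holds $(count_certs "$WORK/chain.pem") certificate(s):"
bundle_subjects "$WORK/chain.pem"
# -show_chain prints each depth, the same depth numbers the TLS log reports.
openssl verify -show_chain -CAfile "$WORK/chain.pem" "$WORK/device.pem"
if ! verify_device "$WORK/subca.pem"; then
    echo "device does NOT verify against subca.pem alone: chain stops at depth 1, no trusted root"
fi
```

If `bundle_subjects` on the real `chain.pem` never prints the root's subject, the bundle (not the server version) is the first thing to fix; if it does print it and `openssl verify` passes while FreeRADIUS still reports the root missing, the difference is in what the server loads, which is the comparison the thread is making between 3.0.20 and 3.2.3.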

