Hi Nelson/Alan:

The problem seems to be the issue with freeRADIUS not being able to authenticate certificate chains of length greater than 2. In Nelson's case the cert chain is CA->RA->user-cert, so Nelson will have to apply patch 112 in bugs.freeradius.org and refer to my email on using freeradius with a cert chain:

http://lists.cistron.nl/pipermail/freeradius-devel/2004-July/007379.html

and also:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg07928.html

Apply this patch on the 1.0.0 release of freeradius and it should work for cert chain authentication with eap-tls, eap-peap....

Alan - it would be good if you could get this patch into the freeradius release, as this would give freeradius the same capability of cert chain authentication as most commercial radius servers...

Thanks.

Regards,
mohammed.

Mohammed H. Petiwala
Senior Staff Engineer
Motorola Inc.

--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> Nelson Murilo <[EMAIL PROTECTED]> wrote:
> > rlm_eap_tls: <<< TLS 10 Alert [ length 0002], fata unknown_ca
>
> The user certificate isn't signed by a CA known to the server.
>
> > My certificate chain has: CA->RA->user_certificate, so
> ...
> > (I think I don't need to use the RA certificate)
>
> The debug logs would appear to disagree with you.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
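
The chain shape discussed in this thread (CA->RA->user certificate) can be reproduced with the openssl command line. This is an added example, not part of the thread and not freeRADIUS code: it builds a constructed three-level chain and shows that a verifier trusting only the root rejects the user certificate until the RA certificate is also supplied. All subject names, file names and the `DEMO_DIR` variable are assumptions made for the demo.

```shell
#!/bin/sh
# Added demo: build a constructed CA -> RA -> user chain and verify it.
# Every subject name and file name below is made up for this example.

mk_csr() {   # $1 = file basename, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

sign() {     # $1 = subject basename, $2 = issuer basename, $3 = extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile "$3" -days 1 -out "$1.pem" 2>/dev/null
}

build_chain() {   # $1 = working directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$1/user.ext"
  mk_csr "$1/ca" "Demo Root CA" &&
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" \
    -extfile "$1/ca.ext" -days 1 -out "$1/ca.pem" 2>/dev/null &&
  mk_csr "$1/ra" "Demo RA" && sign "$1/ra" "$1/ca" "$1/ca.ext" &&
  mk_csr "$1/user" "demo-user" && sign "$1/user" "$1/ra" "$1/user.ext"
}

# Verifier trusts only the root and is never given the RA certificate.
verify_root_only() {
  openssl verify -CAfile "$1/ca.pem" "$1/user.pem" >/dev/null 2>&1
}

# Verifier trusts the root and receives the RA as an untrusted intermediate,
# the way a peer presents its chain during a TLS handshake.
verify_with_ra() {
  openssl verify -CAfile "$1/ca.pem" -untrusted "$1/ra.pem" "$1/user.pem" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
if build_chain "$DEMO_DIR"; then
  if verify_root_only "$DEMO_DIR"; then echo "root only: OK"; else echo "root only: FAILED"; fi
  if verify_with_ra "$DEMO_DIR"; then echo "root + RA: OK"; else echo "root + RA: FAILED"; fi
else
  echo "could not build the demo chain (is openssl installed?)" >&2
fi
```

The demo only exercises OpenSSL's own path building; it does not reproduce the freeRADIUS behaviour that the patch mentioned in the thread addresses.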

