On Wed, 16 Mar 2005 00:27:03 -0600, Jon Franklin <[EMAIL PROTECTED]> wrote:
> On Wed, 16 Mar 2005 00:09:09 -0600, David Duchscher <[EMAIL PROTECTED]> wrote:
> > I am a little behind you at the moment so really hoping this helps you.
> >
> > Have you set CA_path in the configuration file to point somewhere else?
> > From the code, it looks like CA_path is set to default if you don't
> > set it in the configuration file.
>
> I haven't. I may have misunderstood the comments in the eap.conf
> file, but my take on it was that CA_path is used for crl checking. So
> the only time I had that variable set to something meaningful was when
> I also set check_crl = yes. And that caused all client certificate
> validation to die horribly.
>
> I'll definitely check it out tomorrow, though, and post here with the results.
Looks like this was exactly what I needed. I set CA_path to the
directory where my CA cert is, and only certificates issued by my
local CA are accepted. Here's that portion of the eap.conf:
tls {
        private_key_password = dont-you-wish
        private_key_file = ${raddbdir}/certs/radiusSrvprivkey.pem
        certificate_file = ${raddbdir}/certs/radiusSrvprivkey.pem
        CA_file = ${raddbdir}/certs/demoCA/radiusRootcert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        CA_path=${raddbdir}/certs/demoCA
        #check_crl = no
        check_cert_cn = %{User-Name}
}
Thank you so much for the tip!
--
Jon Franklin
[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
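The settings the thread turns on (CA_path pointing at the local CA directory, check_crl left off, check_cert_cn tied to User-Name) are easy to get wrong by hand, so here is a small checker, added here as an example and not part of the thread or of FreeRADIUS itself. It parses a `tls { key = value }` block in the style of eap.conf, expands `${raddbdir}` from a value you supply, and reports the conditions the thread discusses: no trust anchor at all, CA_path missing, check_crl = yes without a CA_path to find CRLs in, and check_cert_cn unset. The sample block is the one posted above with its two wrapped lines rejoined; the `/etc/raddb` value for raddbdir and the `#`-anywhere comment handling are assumptions.

```python
import re

# Constructed sample: the tls { } block from the thread, wrapped lines rejoined.
SAMPLE_TLS_BLOCK = """\
tls {
    private_key_password = dont-you-wish
    private_key_file = ${raddbdir}/certs/radiusSrvprivkey.pem
    certificate_file = ${raddbdir}/certs/radiusSrvprivkey.pem
    CA_file = ${raddbdir}/certs/demoCA/radiusRootcert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
    fragment_size = 1024
    include_length = yes
    CA_path=${raddbdir}/certs/demoCA
    #check_crl = no
    check_cert_cn = %{User-Name}
}
"""

# ${name} references are config-time variables; %{...} are run-time
# expansions (e.g. %{User-Name}) and are deliberately left untouched.
VAR_RE = re.compile(r"\$\{(\w+)\}")


def parse_tls_block(text, variables=None):
    """Parse the first 'tls { ... }' block into a dict of key -> value.

    Comments ('#' to end of line, assumed never to appear inside a value),
    blank lines and the braces are dropped; ${var} is expanded from
    `variables` and left as-is when the variable is unknown.
    """
    variables = variables or {}
    settings = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumption: no '#' in values)
        if not line:
            continue
        if not in_block:
            if re.match(r"^tls\s*\{", line):
                in_block = True
            continue
        if line == "}":
            break
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        value = VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)
        settings[key] = value
    if not in_block:
        raise ValueError("no tls { } block found")
    return settings


def check_tls_settings(settings):
    """Return findings about client-certificate validation, following the
    points raised in the thread; an empty list means nothing to report."""
    findings = []
    if "CA_path" not in settings and "CA_file" not in settings:
        findings.append("neither CA_path nor CA_file set: no trust anchor for client certs")
    if "CA_path" not in settings:
        findings.append("CA_path not set: point it at the directory holding the local CA cert")
    if settings.get("check_crl", "no").lower() == "yes" and "CA_path" not in settings:
        findings.append("check_crl = yes but CA_path unset: there is no directory to load CRLs from")
    if "check_cert_cn" not in settings:
        findings.append("check_cert_cn not set: the client cert CN is not compared to anything")
    return findings


if __name__ == "__main__":
    parsed = parse_tls_block(SAMPLE_TLS_BLOCK, {"raddbdir": "/etc/raddb"})
    for key, value in parsed.items():
        print(f"{key:22} = {value}")
    print("findings:", check_tls_settings(parsed) or "none")
```

Run it against your own eap.conf by replacing SAMPLE_TLS_BLOCK with the file contents; a clean result only means the keys are present, so still confirm that the directory named by CA_path contains the CA certificate and that the server actually rejects a certificate from a different CA.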