Hi Sergio,
In message <[EMAIL PROTECTED]>, Sergio Yébenes Moreno
<[EMAIL PROTECTED]> writes
> I'm configuring freeradius server with opensc client-side. I'd like to
> say if freeradius has support for PKCS#11.
>
> In wpa_supplicant log I see how client writes TLS-ChangeCipherSpec and
> TLS-Finished. This means that the server has authenticated but
> freeradius shows TLS error because client does not send
> certificate. I think it's because PKCS#11. I'm not sure, but I really
> need to know. I'm using
> freeradius-server-2.0.4

The server doesn't care where the certificates and private key are
stored on the client side; the use of PKCS#11 and a smartcard or token
is irrelevant and the server needs no special support for PKCS#11.

The only way the use of the smartcard or token could change things is if
your supplicant needs the entire certificate chain on the smartcard or
token, and you've only loaded the certificate itself.

The only reason the server would need PKCS#11 support is if the server's
certificate were on a smartcard or token. It's an intriguing idea, but I
have my doubts that a smartcard or token would keep up with the demands
placed on it.

As Nicolas said, the debug log on the server side almost certainly
contains the answer to this - that's where you should be looking.

Run radiusd -X and attempt to authenticate using wpa_supplicant and your
token or smartcard. What does the server's debug output say? If you can
see the server rejecting the authentication attempt, look back for the
reason. If the server accepts the authentication attempt, the problem is
elsewhere.

Best wishes,
David
--
David Wood
[EMAIL PROTECTED]
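
An added example, not part of the message above and not FreeRADIUS code: a small Python helper that performs the "look back for the reason" step over saved `radiusd -X` output from a single test authentication. The sample lines are constructed, and the marker strings and keyword list are assumptions to adjust to what your server version actually prints.

```python
import re

# Constructed sample of saved debug output (illustrative, not a real capture).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32768, id=6, length=180
Sending Access-Challenge of id 6 to 192.0.2.10 port 32768
rad_recv: Access-Request packet from host 192.0.2.10 port 32768, id=7, length=210
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
  TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Sending Access-Reject of id 7 to 192.0.2.10 port 32768
rad_recv: Access-Request packet from host 192.0.2.11 port 32770, id=8, length=198
Sending Access-Accept of id 8 to 192.0.2.11 port 32770
"""

# Assumed reply marker and assumed keywords that flag a line worth reading.
VERDICT = re.compile(r"^Sending (Access-Accept|Access-Reject|Access-Challenge) of id (\d+)")
CLUES = re.compile(r"error|alert|fail|invalid|expired", re.IGNORECASE)

def summarize(text):
    """Count accepts and, for each reject, collect the suspicious lines before it."""
    result = {"accepted": 0, "rejects": []}
    window = []  # lines seen since the last final verdict (Accept or Reject)
    for raw in text.splitlines():
        line = raw.strip()
        verdict = VERDICT.match(line)
        if verdict is None or verdict.group(1) == "Access-Challenge":
            # EAP-TLS takes several round trips; keep the whole conversation.
            window.append(line)
            continue
        if verdict.group(1) == "Access-Reject":
            clues = [l for l in window if CLUES.search(l)]
            result["rejects"].append({"id": int(verdict.group(2)), "clues": clues})
        else:
            result["accepted"] += 1
        window = []  # a final verdict ends this conversation
    return result

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for reject in report["rejects"]:
        print(f"Access-Reject id {reject['id']}:")
        for clue in reject["clues"]:
            print("   ", clue)
    if not report["rejects"]:
        print("No rejects seen; the server accepted, so the problem is elsewhere.")
```
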