We've noticed several people have posted their eap.conf for eap-tls
troubleshooting, and that both the check_cert_issuer and check_cert_cn are
commented out. In these configurations, is freeradius just checking for the
certificate in the crl list and that the proper CA root is in the CA_file on
the freeradius server?

What is gained by using check_cert_cn?

When we have check_cert_cn enabled it seems that the User-Name is translated
differently from different types of devices. When a test user with an iPhone
tries to connect he receives errors, but the same certificate on a Microsoft
Vista wireless client is successfully authenticated. We've seen this with both
freeradius v1.1.7 and v2.1.1. Which file controls the User-Name translation?

Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Test User (Company 1)) does not match specified value ([EMAIL PROTECTED])!
Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown
Fri Oct 24 19:46:58 2008 : Error: TLS_accept:error in SSLv3 read client certificate B
Fri Oct 24 19:46:58 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Oct 24 19:46:58 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: [EMAIL PROTECTED] (from client tstca-wc-c01 port 29 cli 00-23-6C-5B-1C-23)

Regards,
Kas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
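
To see which stations fail the check_cert_cn comparison, the "does not match specified value" lines shown in the log above can be paired with the "Login incorrect" line that follows each one. This is an added example, not part of the original post or of FreeRADIUS; the sample log values are constructed, and it assumes each mismatch is followed by its own reject line with no interleaving from other sessions.

```python
import re

# Line shapes follow the log excerpt in the post; all sample values are constructed.
LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]+ \d{4}) : (\w+): (.*)$")
# Greedy groups so a CN that itself contains parentheses is captured whole.
MISMATCH = re.compile(
    r"rlm_eap_tls: Certificate CN \((.*)\) does not match specified value \((.*)\)!$")
REJECT = re.compile(
    r"Login incorrect: \[?(.*?)\]? \(from client (\S+) port (\d+) cli (\S+)\)$")

SAMPLE_LOG = """\
Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Alice Example (Org 1)) does not match specified value (alice@example.org)!
Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown
Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: [alice@example.org] (from client ap-01 port 29 cli 00-00-5E-00-53-01)
Fri Oct 24 19:47:10 2008 : Auth: Login OK: [Bob Example] (from client ap-01 port 30 cli 00-00-5E-00-53-02)
"""

def cn_mismatches(log_text):
    """Return one record per CN mismatch, joined to the next reject line."""
    records, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        when, _level, msg = m.groups()
        hit = MISMATCH.search(msg)
        if hit:
            if pending:  # earlier mismatch never got a reject line
                records.append(pending)
            pending = {"time": when, "cert_cn": hit.group(1),
                       "expected": hit.group(2),
                       "user": None, "nas": None, "station": None}
            continue
        rej = REJECT.search(msg)
        if rej and pending:
            pending["user"], pending["nas"] = rej.group(1), rej.group(2)
            pending["station"] = rej.group(4)
            records.append(pending)
            pending = None
    if pending:
        records.append(pending)
    return records

if __name__ == "__main__":
    for r in cn_mismatches(SAMPLE_LOG):
        print(f'{r["time"]} station={r["station"]} nas={r["nas"]} '
              f'cert CN "{r["cert_cn"]}" != expected "{r["expected"]}"')
```

Grouping the records by station shows whether the failures come from one device type, which is the pattern the post describes.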