On 05/13/2013 01:46 PM, Mitch Yackobeck wrote:
Good afternoon All,

I've taken some time over the last little while to work with my
test environment in getting it up to date and trying out some issues with
regards authenticating against multiple certificates on a single SSID
for the purpose of migration to a new root certificate while still
continuing to function with the old in the transition phase.

What I'm finding though is that when I try to authenticate against that
particular server, which now has both its own certs applied and the root
cert from my production server as well to replicate the instance of a
new root being installed, is that I can authenticate a user with the
specific certs for the test server, but not a client using certs for the
production server.

I've taken a few captures of the server coming online using -X, an
attempted connection with the production certs and also the
configuration of my eap.conf file.  I can see in initial stages that the
EAP-TLS actually reads a bit of what the client is passing, enough to
say that it has a valid client cert.   But when it comes back to dive
deeper into the cert, it appears that it does not recognize the CA as
being there and bottoms out the request with a reject.

I've got both roots in a single file in the directory specified and when
I do an openssl verify on the roots, it does come back :ok.   I found
some articles on how to link up the new certificate in openssl so that
it can at least read it properly as trusted.  But the FR server appears
not to recognize it on the second pass.   Perhaps I'm missing something,
but is it even possible to authenticate using both root CAs at one time?

Thank you in advance for any assistance / guidance anyone can provide
with this.

A couple of hints:

Do write comprehensible prose where you state the goal, what you've done, and your analysis.

Do not send jpg images!

Do send the output of radiusd -X.

Since you live and work in Ontario I can only assume you're a native English speaker. Reread your first paragraph, it's incomprehensible gibberish. In order to communicate with others it would behoove you to learn sentence and paragraph structure. Do you really work for a school system? Sorry, I don't mean to be snarky but I read your email 3 times and although I can approximate the problem you're encountering it's so lost amid the poor writing I for one am not inclined to help. Writing still matters and pictures will never be a substitute.

Would you like to try this again but with something comprehensible and which follows the rules of the list (i.e. include the output of radiusd -X)?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
