In working with Radiator and Apple devices, I am having problems with the RADIUS 
server certificate being verified by the client.  In discussion with DigiCert, 
they suggest that Radiator is not correctly giving out the intermediate 
certificates to the client.  I am able to authenticate other devices so I don't 
think that is a problem but something is keeping the Apple devices from 
correctly authenticating.

The syntax that I am using in Radiator is as follows:

EAPType PEAP
# CAChain contains 2 intermediate certificates and the root certificate
# concatenated like this: Inter1->Inter2->Root
EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
EAPTLS_MaxFragmentSize 1000

DigiCert has suggested testing for the intermediate certificates by the method 
quoted below using OpenSSL.  When I tested it using port 1812 or 443 all I 
received was the error message "Connection refused:errno 29".  Would you be able 
to test a certificate chain in this way?  Would you need an 802.1X client to 
handshake before the X.509 certificate would be transmitted?  Trace 4 shows 
Radiator handing out the certificate, but even though the Apple clients have the 
appropriate root certificate, they can't verify the server certificate, and 
there doesn't seem to be any problem with the server certificate since other 
devices don't seem to complain about it.

Any suggestions as to what else I can look at?

Todd Smith



>Before going that direction, I think it would be valuable to determine whether 
>the server is sending any intermediate certificates at all.  The current 
>certificate you have requires two intermediates to chain properly, while the 
>reissue I'm suggesting would require just one intermediate.  But if the server 
>is sending no intermediates, then neither option would resolve the issue.

>Can you try connecting to the RADIUS server using OpenSSL to check the 
>certificate chain?  From a workstation or server with OpenSSL that can access 
>the RADIUS server (or from the RADIUS server itself), you would run this 
>command:

>openssl s_client -connect weiland.camc.hsi:<radius_ssl_port>
>where <radius_ssl_port> is the SSL port number on the RADIUS server
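The s_client test DigiCert proposes cannot work against a RADIUS server: RADIUS listens on UDP 1812 and the PEAP TLS handshake is carried inside EAP-Message attributes, so there is no TCP/TLS socket to connect to, and only an 802.1X supplicant (or a tool like wpa_supplicant's eapol_test) driving the EAP exchange will see what the server actually sends. The files Radiator loads can still be checked offline; the sh function below is an added example (not from this thread and not part of Radiator), assuming openssl is in PATH and the files are PEM, that checks the CAChain.crt ordering (Inter1->Inter2->Root), that the last entry is a self-signed root, and that the server certificate verifies with only that root trusted.

```shell
# check_chain SERVER_CERT CHAIN_FILE
# Checks that CHAIN_FILE is ordered leaf-side first (Inter1, Inter2, ..., Root), ends in a
# self-signed root, and that SERVER_CERT verifies when only that root is trusted.
# Assumes openssl is in PATH and all files are PEM. Returns 0 on success, 1 on any failure.
check_chain() {
  srv="$1"; chain="$2"
  d=$(mktemp -d) || return 2
  # Split the PEM bundle into cert-1.pem, cert-2.pem, ... preserving file order.
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ {n++} n>0 {print > (d "/cert-" n ".pem")}' "$chain"
  n=$(ls "$d"/cert-*.pem 2>/dev/null | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] || { echo "no certificates found in $chain"; rm -rf "$d"; return 1; }
  rc=0; i=1
  while [ "$i" -le "$n" ]; do
    f="$d/cert-$i.pem"
    subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$f" -noout -issuer);   iss=${iss#issuer=}
    echo "  [$i] $subj  (issued by: $iss)"
    if [ "$i" -lt "$n" ]; then
      # Each certificate must be issued by the one that follows it in the file.
      nxt=$(openssl x509 -in "$d/cert-$((i+1)).pem" -noout -subject); nxt=${nxt#subject=}
      [ "$iss" = "$nxt" ] || { echo "  ORDER ERROR: [$i] is not issued by [$((i+1))]"; rc=1; }
    else
      # The last certificate must be the self-signed root.
      [ "$subj" = "$iss" ] || { echo "  ERROR: last certificate is not a self-signed root"; rc=1; }
    fi
    i=$((i+1))
  done
  # Verify the way a client does: trust only the root, treat the rest as untrusted intermediates.
  root="$d/cert-$n.pem"; inter="$d/intermediates.pem"; : > "$inter"
  i=1; while [ "$i" -lt "$n" ]; do cat "$d/cert-$i.pem" >> "$inter"; i=$((i+1)); done
  set -- -CAfile "$root"
  [ "$n" -gt 1 ] && set -- "$@" -untrusted "$inter"
  if openssl verify "$@" "$srv" >/dev/null 2>&1; then
    echo "  OK: $srv verifies against the chain"
  else
    echo "  ERROR: $srv does NOT verify against the chain"; rc=1
  fi
  rm -rf "$d"
  return $rc
}
```

Run it as check_chain weiland_camc_hsi.crt CAChain.crt; an order error or a failed verify means the chain file, not the client, needs fixing before looking further at Radiator.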
                
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
