Hi Todd, there were some recent postings on this topic on this list under the subject
"Can't get chain certificates to work" by "Stephen A. Felicetti", David Zych and Andrew Clark, with a solution.

On Saturday 20 November 2010 06:55:02 am Smith, Todd wrote:
> In working with Radiator and Apple devices, I am having problems with the
> RADIUS server certificate being verified by the client. In discussion with
> DigiCert, they suggest that Radiator is not correctly giving out the
> intermediate certificates to the client. I am able to authenticate other
> devices so I don't think that is a problem, but something is keeping the
> Apple devices from correctly authenticating.
>
> The syntax that I am using in Radiator is as follows:
>
> EAPType PEAP
> # CAChain contains 2 intermediate certificates and the root certificate concatenated like this: Inter1->Inter2->Root
> EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
> EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>
> EAPTLS_MaxFragmentSize 1000
>
> DigiCert has suggested to test for the intermediate certificates by the
> method quoted below using OpenSSL. When I tested it using port 1812 or 443,
> all I received was the error message "Connection refused:errno 29". Would you
> be able to test a certificate chain in this way? Would you need an 802.1x
> client to handshake before the X.509 certificate would be transmitted?
> Trace 4 shows Radiator handing out the certificate, but even though the
> Apple clients have the appropriate root certificate, they can't verify the
> server certificate, and there doesn't seem to be any problem with the server
> certificate since other devices don't seem to complain about it.
>
> Any suggestions as to what else I can look at?
>
> Todd Smith
>
> > Before going that direction, I think it would be valuable to determine
> > whether the server is sending any intermediate certificates at all. The
> > current certificate you have requires two intermediates to chain
> > properly, while the reissue I'm suggesting would require just one
> > intermediate. But if the server is sending no intermediates, then
> > neither option would resolve the issue.
> >
> > Can you try connecting to the RADIUS server using OpenSSL to check the
> > certificate chain? From a workstation or server with OpenSSL that can
> > access the RADIUS server (or from the RADIUS server itself), you would
> > run this command:
> >
> > openssl s_client -connect weiland.camc.hsi:<radius_ssl_port>
> >
> > where <radius_ssl_port> is the ssl port number on the RADIUS server

-- 
Mike McCauley [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
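Since openssl s_client speaks TLS over TCP while the PEAP handshake here is carried inside RADIUS packets over UDP, the connection-refused result in the thread is expected, and the chain is better checked offline. The Go program below is an added illustration, not code from the thread or from Radiator: VerifyEAPChain takes the server certificate and a bundle laid out like CAChain.crt (Inter1->Inter2->Root) and reports whether the server chains to the root through the intermediates in front of it, and IssueCert (a helper assumed here) mints a constructed hierarchy to exercise it in place of DigiCert's certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyEAPChain checks offline whether serverPEM chains to the root through a CA bundle laid out
// like the EAPTLS_CAFile in the post (Inter1->Inter2->Root): the last PEM block is the trust anchor
// the supplicant already holds; every block before it is an intermediate the server must present.
func VerifyEAPChain(serverPEM, bundlePEM []byte) error {
	var certs []*x509.Certificate // server certificate first, then the bundle in file order
	for _, p := range [][]byte{serverPEM, bundlePEM} {
		for b, rest := pem.Decode(p); b != nil; b, rest = pem.Decode(rest) {
			c, err := x509.ParseCertificate(b.Bytes)
			if err != nil {
				return err
			}
			certs = append(certs, c)
		}
	}
	if len(certs) < 2 {
		return errors.New("need one server certificate and a bundle ending in the root")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(certs[len(certs)-1])   // final block of the bundle: the trust anchor
	inters.AppendCertsFromPEM(bundlePEM) // the blocks before it (the root is harmless here)
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err // nil only if every intermediate between server and root is in the bundle
}

// IssueCert mints a throwaway Ed25519 certificate for a constructed test hierarchy (nothing to do
// with DigiCert's CAs); parent == nil yields a self-signed root. Returns template, key and PEM.
func IssueCert(cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, signer = t, key } // self-signed root: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil { panic(err) }
	return t, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

With the real files, read the server certificate and CAChain.crt into byte slices and pass them to VerifyEAPChain; a nil result shows the bundle contains every intermediate a supplicant holding only the root needs, which is the precondition before asking whether Radiator actually sends them.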
