Re: freeRADIUS cert chain authentication

2004-06-23 Thread Mohammed Petiwala
Hi Alan:
If someone can get this working (n-tier cert chain authentication), can it be added as a patch to freeRADIUS, or be made part of the 1.0.0 release (if done in the release time-frame)?
Thanks.

Regards,
Mohammed.

Alan DeKok <[EMAIL PROTECTED]> wrote:
> Mohammed Petiwala <[EMAIL PROTECTED]> wrote:
> > Any help in this regard would be appreciated - has anyone using
> > freeRADIUS used cert chains with length more than 2?
>
> I don't think so. SSL is complicated, and it's difficult to
> understand or debug it.
>
> Alan DeKok.

Re: freeRADIUS cert chain authentication

2004-06-23 Thread Alan DeKok
Mohammed Petiwala <[EMAIL PROTECTED]> wrote:
 If someone can get this working (n-tier cert chain authentication),
 can it be added as a patch to freeRADIUS, or be made part of the
 1.0.0 release (if done in the release time-frame)?

  I doubt that it will be in 1.0.0, there just isn't enough time.

  As for including the patch sometime, sure.  Just send in a patch.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeRADIUS cert chain authentication

2004-06-21 Thread Mohammed Petiwala


Hi:
I am using freeRADIUS (0.9.3 on Linux with OpenSSL) for EAP-TLS authentication using our in-house supplicant. We are currently using 3-tier cert chains and have been using them quite successfully for TLS authentication with OpenSSL, but when we try to use these same 3-tier certs for EAP-TLS RADIUS authentication, the freeRADIUS server is unable to send the complete cert chain as part of the server certificate; instead it only sends the server/aaa cert (which works fine if the certificate chain length is <= 2), but anything with a cert chain of > 2 will not work.
I investigated this issue further with the rlm_eap_tls module and noticed that internally freeRADIUS uses the OpenSSL call

int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);

and I replaced it with:

int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);

Then I created the cert server/aaa chain in PEM format by catting the aaa cert, sub-CA cert and server root cert as per the OpenSSL documentation (we've been using this in our application with the OpenSSL API and it works just fine), but when I rebuild freeRADIUS and try to start it up it gives me this error during init startup:

8448:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize the type tls

Any help in this regard would be appreciated - has anyone using freeRADIUS used cert chains with length more than 2? (This same scenario works fine with a Cisco ACS AAA.)
Thanks.

Regards,
Mohammed.
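A small checker for a concatenated PEM chain file of the kind described in the message above, added here as an example; it is not part of the original thread, of freeRADIUS or of OpenSSL. It walks the file block by block and flags the usual cat(1) mistakes: an END line fused with the next file's BEGIN line (a source file without a trailing newline), an unterminated block, a block that is not a CERTIFICATE, or no PEM block at all, which is one of the conditions under which PEM_read_bio reports "no start line". SAMPLE_CHAIN is constructed with fake bodies and deliberately contains the fused-line mistake.

```python
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")

# Constructed sample, not a real chain: three CERTIFICATE blocks with fake
# bodies, the sub-CA file concatenated without its trailing newline.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nQUFBQQ==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nQkJCQg==\n-----END CERTIFICATE-----"
    "-----BEGIN CERTIFICATE-----\nQ0NDQw==\n-----END CERTIFICATE-----\n"
)


def check_pem_chain(text):
    """Walk a concatenated PEM file and return (labels, problems); a chain file
    for SSL_CTX_use_certificate_chain_file should give ['CERTIFICATE'] * n, []."""
    labels, problems = [], []
    current = None                        # label of the open block, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")           # tolerate CRLF line endings
        if current is None:
            m = BEGIN_RE.match(line)
            if m:
                current = m.group(1)
            elif line.startswith("-----END "):
                problems.append(f"line {lineno}: END without a matching BEGIN")
            continue  # text outside a block (e.g. 'openssl x509 -text' dump) is allowed
        m = END_RE.match(line)
        if m:
            if m.group(1) != current:
                problems.append(f"line {lineno}: END {m.group(1)} closes BEGIN {current}")
            labels.append(current)
            current = None
        elif "-----BEGIN " in line:
            # cat(1) accident: a file with no final newline fuses its END with the next BEGIN
            problems.append(f"line {lineno}: END and BEGIN fused on one line "
                            "(missing newline between concatenated files)")
            labels.append(current)
            m = BEGIN_RE.match(line[line.index("-----BEGIN "):])
            current = m.group(1) if m else None
        elif not B64_RE.match(line):
            problems.append(f"line {lineno}: non-base64 text inside {current} block")
    if current is not None:
        problems.append(f"EOF inside unterminated {current} block")
    if not labels:
        problems.append("no PEM block found (PEM_read_bio: 'no start line')")
    problems += [f"block {i} is {lab}, not CERTIFICATE"
                 for i, lab in enumerate(labels, 1) if lab != "CERTIFICATE"]
    return labels, problems
```

Run it on the file handed to rlm_eap_tls before restarting the server; a clean result is three CERTIFICATE blocks, leaf first, and an empty problem list.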