Hello, I have a problem with chained CA certificates and EAP/TLS.
My former setup was with simple self-signed certificates and everything went perfectly, but now I have to change the setup for the certificates to a third-party CA. They use a root CA and a signing CA signed by the root CA; this sub-CA signed the server certificate.

What I've done: I copied the 2 certificates of the root and signing CA together. The RADIUS starts up fine, all certificates were loaded. But no client can connect: the built-in Windows client finds no client certificate for the chosen root CA. I've also tested the AEGIS client, with the result that it does the handshake, but never receives the accept.

To point it out, everything ran well till I changed the certificates. Is there any point where the RADIUS cannot deal correctly with these certificates?

LOG of the radius with the winxp client:

Mon Nov 6 15:02:21 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Nov 6 15:02:21 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov 6 15:02:21 2006 : Error: --> verify error:num=20:unable to get local issuer certificate
Mon Nov 6 15:02:21 2006 : Error: TLS Alert write:fatal:unknown CA
Mon Nov 6 15:02:21 2006 : Error: TLS_accept:error in SSLv3 read client certificate B
Mon Nov 6 15:02:21 2006 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Nov 6 15:02:21 2006 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
LOG of the radius with the aegis client:

Mon Nov 6 15:49:24 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Nov 6 15:49:24 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov 6 15:49:27 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Nov 6 15:49:27 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov 6 15:49:27 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Nov 6 15:49:27 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov 6 15:49:27 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov 6 15:49:27 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov 6 15:49:27 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov 6 15:49:31 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Nov 6 15:49:31 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov 6 15:49:31 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov 6 15:49:31 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov 6 15:49:31 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov 6 15:49:34 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov 6 15:49:38 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Nov 6 15:49:38 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov 6 15:49:38 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov 6 15:50:08 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Nov 6 15:50:08 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov 6 15:50:08 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)

debug of the radius with the aegis client:

Sending Access-Accept of id 220 to 141.76.5.1 port 20002
        User-Name = "**"
        Session-Timeout = 640
        Trapeze-VLAN-Name = "FRZWLAN"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        MS-MPPE-Recv-Key = 0x24db9d7012cfb4ca813bf63823b126e75415d30a13e9154bf24d916c529a68eb
        MS-MPPE-Send-Key = 0x835531ba6b327ee15cbe969e9d35a1a7ea0d571bc292e254b2f7856641492926
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000

And after this message nothing happens; the client does a new request and the RADIUS handles the request as a new one. I have no idea where I should continue my search...... :(

ciao
Stephan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
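The line "verify error:num=20:unable to get local issuer certificate" in the Windows XP log is OpenSSL's verify result 20: the certificate presented by the peer was issued by a CA that is not in the trusted CA file the server is using, so OpenSSL cannot complete the chain and the server answers with the "unknown CA" alert. The script below is an added example, not part of Stephan's post or of FreeRADIUS. It builds a throw-away two-level PKI (root CA, signing CA issued by the root, server certificate issued by the signing CA) with the openssl command-line tool and then runs `openssl verify` three ways: with only the root trusted (fails with error 20), with a concatenated root + signing CA file (succeeds), and with the root trusted while the signing CA is supplied alongside the leaf, the way a TLS peer sends its intermediate in the handshake (succeeds). All names, file names and validity periods are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 20 with a root CA -> signing CA
# -> server certificate chain, and show which trust-file contents make it go away.
# Everything below is a constructed test PKI; the names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that mark a certificate as a CA; used for root and signing CA.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# Root CA: create a CSR, then self-sign it.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
    -out root.pem 2>/dev/null

# Signing (intermediate) CA, issued by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout signing.key -out signing.csr \
    -subj "/CN=Demo Signing CA" 2>/dev/null
openssl x509 -req -in signing.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out signing.pem 2>/dev/null

# Server (end-entity) certificate, issued by the signing CA, not by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=radius.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA signing.pem -CAkey signing.key \
    -CAcreateserial -days 365 -out server.pem 2>/dev/null

# The concatenated trust file: root followed by signing CA. OpenSSL looks CAs
# up by subject, so order does not matter, but both must be present.
cat root.pem signing.pem > ca_bundle.pem

# verify_with CAFILE CERT: exit 0 when CERT chains to a CA in CAFILE.
verify_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_with_untrusted CAFILE INTERMEDIATE CERT: same, but the intermediate is
# given as an untrusted helper certificate (as a TLS peer would send it in its
# Certificate message) instead of being trusted up front.
verify_with_untrusted() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# verify_error_code CAFILE CERT: print the numeric X509 verify error from the
# "error N at D depth lookup" line (e.g. 20), or nothing when verification
# succeeds.
verify_error_code() {
    openssl verify -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
        | head -n 1
}

# Walk through the three situations and report.
if verify_with root.pem server.pem; then
    echo "root only:                        OK (unexpected)"
else
    echo "root only:                        FAILED, verify error $(verify_error_code root.pem server.pem)"
fi
if verify_with ca_bundle.pem server.pem; then
    echo "root + signing CA in trust file:  OK"
fi
if verify_with_untrusted root.pem signing.pem server.pem; then
    echo "root trusted, signing CA sent by peer: OK"
fi
```

The first case mirrors the log line: the leaf's issuer (the signing CA) is not in the trusted set, so lookup stops at depth 0 with error 20. The second case is the concatenated file Stephan describes; if a file like that still produces error 20 on the server, it is worth checking with `openssl verify` that the file really contains both CA certificates and that the client certificates being rejected were issued by that signing CA rather than by another one.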