Dan,
It's unclear to me exactly:
a. what you're expecting to happen
b. what is happening
We have exactly the same setup - Verisign root-intermediate-our cert.
What happens with an XP client on our WPA EAP-PEAP network is exactly
the same as documented here:
Googling suggested that simply catting the 2 certs (server and
intermediate) into a single file (server at top, intermediate at bottom)
and listing that in the config as the certificate_file should work
No, that's not going to work. Client machine will still look for the
intermediate CA in
So there is no way at all to get the client to pick up the cert chain
without directly installing the intermediate cert on it?
No.
Is this
actually a client issue of it refusing to use chains for this then,
rather than a FreeRADIUS issue of it not passing the chain?
Yes.
Thanks very much for
Meyers, Dan wrote:
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate to validate our server to the clients
the options with the tls subsection of the eap.conf
We have exactly the same setup - Verisign root-intermediate-our cert.
What happens with an XP client on our WPA EAP-PEAP network is exactly
the same as documented here:
Also - for info, when I take a tcpdump of eapol_test against
FreeRADIUS, the TLS records over EAP go as follows:
C :
My client is still giving the same behaviour of not getting the
certificate chain, however.
OK. So which certificate signed the client certificate?
Sorry, I'm still getting to grips with this system after the previous
admin of it left. I've adminned FreeRADIUS before, but never done any of
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate to validate our server to the clients
the options with the tls subsection of the eap.conf file are still used.
For
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate to validate our server to the clients
the options with the tls subsection of the eap.conf file are still used.
Googling suggested that simply catting the 2 certs (server and
intermediate) into a single file (server at top, intermediate at bottom)
and listing that in the config as the certificate_file should work
No, that's not going to work. Client machine will still look for the
intermediate CA in its
Remember when you put your Root CA file (and perhaps the CRL for that
CA) into your certificate directory, and ran 'c_rehash cert directory'?
If you mean when I installed ssl certs for Apache, I never did this. I
simply put the server cert and the chain file on the server, then configured
What I've got currently can be up to 3 files. Firstly, the server
certificate itself, which has been signed by Verisign's Intermediate CA,
then the cert for said Intermediate CA, and finally the root cert used
to sign the Intermediate CA. My current setup is with the server cert in
a file on its
I've actually dropped the -crl_check from this test, as I'm not doing
crl checking within FreeRADIUS until I've got it working without it.
Also, this command didn't seem to work when my verisign.pem contained
1 cert, even after a c_rehash, it only worked if all the certs were in
individual
My client is still giving the same behaviour of not getting the
certificate chain, however.
OK. So which certificate signed the client certificate?
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Remember when you put your Root CA file (and perhaps the CRL for that
CA) into your certificate directory, and ran 'c_rehash cert directory'?
Well - it's just like that. You might have had RootCA.pem with the
Verisign CA certificate. Personally - I like to have a separate file for each
I'm sure I must just be being thick with our FreeRADIUS config, but I've
completely failed to find anything online or in the docs explaining
*what* I'm doing wrong, so I'm posting here.
We've had a FreeRADIUS server set up for some time now, with an SSL
certificate directly signed by one of