Hi.
Eshun Benjamin wrote:
Well in my current configuration I have the RADIUS server certificate in
certificate_file and CA certificate in CA_file.
But with that configuration, the radius server is still sending the CA
certificate.
The CA_path folder is empty and the CA_file is commented
Hi Reimer,
How do you check if FreeRadius is actually sending the chain?
I find Wireshark useful for this. It re-assembles the fragmented TLS
handshake, which makes it much easier to understand...
josh.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Rafa Marín López wrote:
Reimer Karlsen-Masur, DFN-CERT wrote:
Hi Karlsen,
thanks for the answer, please see inline...
Argh, your misunderstanding is because of the inline
documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored in
CA_file
or
Hi,
in the file referenced by the option variable certificate_file in the tls
section only put the server certificate (and optionally the private key) of
your RADIUS server.
i.e. don't put ca certificates of the chain into that file.
I don't know how to prevent the client from sending CA
Is there any way to configure free radius + eap-tls module to avoid sending CA
certificate during EAP-TLS negotiation?
You may have to read the RFC :-). You need the certificates to do EAP-TLS
==
Benjamin K. Eshun
- Original message
Hi,
Is there any way to configure free radius + eap-tls module to avoid sending
CA certificate during EAP-TLS negotiation? As Free Radius is sending it right
now, EAP-TLS packets get fragmented and I would like to avoid it.
err, no. you need to handle those fragmented packets. where is it
Hi,
so who's breaking the RFCs with respect to ICMP and pmtu? ;-)
I've been hunting one such case recently. Just in case it helps: in our case
it was a BSD firewall that was misconfigured to only allow non-fragmented UDP
packets. I'm not into BSD at all, the guy said something about this
Hi Benjamin
2007/6/20, Eshun Benjamin [EMAIL PROTECTED]:
Is there any way to configure free radius + eap-tls module to avoid
sending CA certificate during EAP-TLS negotiation?
You may have to read the RFC :-). You need the certificates to do EAP-TLS
Yes that's clear to me that you need to
Hi Alan,
err, no. you need to handle those fragmented packets. where is it failing,
on your network or more remotely?
Actually, it is not failing. I got a successful authentication. I was only
trying to avoid fragmentation if possible.
EAP-TLS places much larger demands on the packet sizes
Hi Karlsen,
2007/6/20, Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]:
Hi,
in the file referenced by the option variable certificate_file in the tls
section only put the server certificate (and optionally the private key) of
your RADIUS server.
I think this might work (after some tests i
Rafa Marin wrote:
Hi Karlsen,
2007/6/20, Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]:
Hi,
in the file referenced by the option variable certificate_file in the tls
section only put the server certificate (and optionally the private key) of
: Re: Sending CA certificate during EAP-TLS
Reimer Karlsen-Masur, DFN-CERT wrote:
Hi Karlsen,
thanks for the answer, please see inline...
Argh, your misunderstanding is because of the inline
documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored