rightid=Radius-1_Svr@test <<<
aaa_identity="C=JP, O=XXX, CN=Radius-1_svr@test"

I'm fishing in the dark but I tried setting the same name of the server's certificate. But I got the same error "access denied".
My parameters are wrong?

# StrongSwan5.3.5

Regards,

On Monday, 29 February 2016, 4:56, yukou katori <[email protected]> wrote:

Thanks, Noel.

> 'C=ES, O=ACCV, CN=ACCVRAIZ1'

Now I set as follows
"C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@test" on CA.
"C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_Svr@test" issued by on the CA.
#self-signed certificate

And I set as follows on StrongSwan:

# eap-ttls-radius configuration
rightid=Radius-1@test
aaa_identity="C=JP, O=XXX, CN=Radius-1_svr@test"

Regards,

On Monday, 29 February 2016, 4:44, Noel Kuntze <[email protected]> wrote:

Now you're just fishing in the dark and guessing. The format of the certificate is irrelevant.
Read the log you pasted and fix the

> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to
> 'C=ES, O=ACCV, CN=ACCVRAIZ1'

I guess that's from the client. Where did you set that DN?

Regards,
Noel

On 28.02.2016 20:37, yukou katori wrote:
> Hi, Noel
>
> Or this "access denied" can come from pkcs format?
> pkcs#7 is used in this case, pkcs#12 should be used?
>
> Regards,
>
>
> On Sunday, 28 February 2016, 15:20, yukou katori <[email protected]> wrote:
>
>
> Hi, Noel
>
> Thanks.
> I compiled again to isolate this problem.
> The reason why no item about certificates was shown by "ipsec listall" came
> from that I imported incorrect certificate from FreeRadius.
> Now I could get the item about CA by "ipsec install".
>
> But I get the same error yet.
>
> What does "access denied" mean?
> This is for TLS 1.2 but, it means:
> access_denied
> A valid certificate was received, but when access control was
> applied, the sender decided not to proceed with negotiation. This
> message is always fatal.
> from rfc5246
>
> Access control?
>
> I compiled like this:
> ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc
> --enable-eap-identity --enable-eap-tls --enable-eap-peap --enable-eap-ttls
> --enable-eap-mschapv2 --enable-eap-md5
>
> Regards,
>

--

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
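
Added example, not part of the thread and not strongSwan code: a small diagnostic that compares the aaa_identity string quoted above with the server certificate subject quoted above, one RDN at a time, and reports where they differ. It assumes plain comma-separated DNs with no escaped commas or multi-valued RDNs; the function names are hypothetical and it does not reproduce strongSwan's own identity matching rules.

```python
"""Added example: RDN-by-RDN comparison of two distinguished names."""


def parse_dn(dn):
    """Split 'C=JP, O=XXX' into [('C', 'JP'), ('O', 'XXX')].

    Assumption: no escaped commas and no multi-valued RDNs.
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {part!r}")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns


def diff_dn(configured, subject):
    """List the differences between a configured DN and a certificate subject."""
    conf, subj = parse_dn(configured), parse_dn(subject)
    conf_map, subj_map = dict(conf), dict(subj)
    findings = []
    for key, value in subj:
        if key not in conf_map:
            findings.append(f"missing in configured: {key}={value}")
        elif conf_map[key] != value:
            same_ignoring_case = conf_map[key].lower() == value.lower()
            kind = "case differs" if same_ignoring_case else "value differs"
            findings.append(
                f"{kind}: {key} configured={conf_map[key]!r} subject={value!r}"
            )
    for key, value in conf:
        if key not in subj_map:
            findings.append(f"extra in configured: {key}={value}")
    return findings


# Both strings are the ones quoted in the thread.
AAA_IDENTITY = "C=JP, O=XXX, CN=Radius-1_svr@test"
SERVER_SUBJECT = "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_Svr@test"

if __name__ == "__main__":
    for finding in diff_dn(AAA_IDENTITY, SERVER_SUBJECT):
        print(finding)
```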
