Hi:
I am using freeRADIUS (0.9.3 on Linux with OpenSSL) for EAP-TLS authentication with our in-house supplicant. We are currently using 3-tier cert chains and have been using them quite successfully for TLS authentication with OpenSSL, but when we try to use these same 3-tier certs for EAP-TLS RADIUS authentication, the freeRADIUS server is unable to send the complete cert chain as part of the server certificate; instead it only sends the server/AAA cert (which works fine if the certificate chain length is = 2), but anything with a cert chain > 2 will not work.
I investigated this issue further in the rlm_eap_tls module and noticed that internally freeRADIUS uses the OpenSSL
int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
call, and I replaced it with:
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
Then I created the server/AAA cert chain in PEM format by catting the AAA cert, sub-CA cert and server root cert, as per the OpenSSL documentation (we've been using this in our application with the OpenSSL API and it works just fine), but when I rebuild freeRADIUS and try to start it up, it gives me this error during init startup:
8448:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize the type tls
 
Any help in this regard would be appreciated. Has anyone using freeRADIUS used cert chains with a length of more than 2? (This same scenario works fine with a Cisco ACS AAA.)
thanks.
 
Regards,
Mohammed.
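Added example, not code from the original post and not FreeRADIUS or OpenSSL project code: a small POSIX shell script that builds a throwaway 3-tier chain (root -> sub-CA -> server) with the openssl command-line tool, assembles the PEM chain file in the order SSL_CTX_use_certificate_chain_file documents (the server's own certificate first, then each intermediate, each one the issuer of the one before it; the root may be left out because the peer has to trust it already), and checks the resulting file before a server is pointed at it. It also shows the two failure modes that matter here: the "no start line ... Expecting: CERTIFICATE" error is what OpenSSL's PEM reader reports when it reaches the end of the input without finding a CERTIFICATE block (blocks of other types, such as a private key, are skipped rather than rejected), and a chain whose certificates are in the wrong order parses fine but does not form a path. All names (Example-Root, sub.pem, server.pem, the work directory) are hypothetical; the only dependency assumed is the openssl binary.

```shell
#!/bin/sh
# Added example (not FreeRADIUS or OpenSSL project code). All file and subject
# names below are hypothetical. Requires only the openssl command-line tool.

# make_test_chain DIR: generate root, sub-CA and server keys/certs into DIR.
make_test_chain() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Minimal req config so the example does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Tier 1: self-signed root (ca_ext is applied through x509_extensions).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -subj /CN=Example-Root \
        -config "$dir/req.cnf" -keyout "$dir/root.key" -out "$dir/root.pem" || return 1
    # Tier 2: intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Example-Sub-CA \
        -config "$dir/req.cnf" -keyout "$dir/sub.key" -out "$dir/sub.csr" || return 1
    openssl x509 -req -days 2 -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/req.cnf" -extensions ca_ext -out "$dir/sub.pem" || return 1
    # Tier 3: the server (AAA) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Example-Server \
        -config "$dir/req.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" || return 1
    openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
        -CAcreateserial -extfile "$dir/req.cnf" -extensions srv_ext -out "$dir/server.pem" || return 1
}

# assemble_chain OUT LEAF INTERMEDIATE...: write OUT with the server cert first and
# the intermediates after it. Each input is re-emitted by openssl so that stray
# text, keys or odd line endings in the inputs do not end up in the chain file.
# The root is left out on purpose: the peer must already trust it, and it only
# inflates the handshake, which EAP-TLS has to fragment across RADIUS packets.
assemble_chain() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        openssl x509 -in "$f" >> "$out" || return 1
    done
}

# check_chain CHAIN ROOT: return 0 if CHAIN holds at least one certificate, the
# certificates are ordered leaf -> issuer -> issuer's issuer ..., and the leaf
# verifies up to ROOT through them; return 1 with a reason otherwise.
check_chain() {
    chain=$1; root=$2
    [ -r "$chain" ] || { echo "$chain: cannot read"; return 1; }
    tmp=$(mktemp -d) || return 1
    # Split out the CERTIFICATE blocks only. PEM readers skip blocks of other types
    # (a private key in the same file is tolerated), but a file with no CERTIFICATE
    # block at all is exactly the "no start line ... Expecting: CERTIFICATE" case.
    n=$(awk -v dir="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/c" n ".pem"; in_cert = 1 }
        in_cert { print > f }
        /^-----END CERTIFICATE-----/ { in_cert = 0 }
        END { print n + 0 }' "$chain")
    if [ "$n" -eq 0 ]; then
        echo "$chain: no CERTIFICATE block found"; rm -rf "$tmp"; return 1
    fi
    # Each certificate must be issued by the one that follows it in the file.
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        iss=$(openssl x509 -noout -issuer -in "$tmp/c$i.pem")
        sub=$(openssl x509 -noout -subject -in "$tmp/c$j.pem")
        # Both are printed with the same DN format; only the "issuer="/"subject=" prefix differs.
        if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
            echo "$chain: certificate $j is not the issuer of certificate $i (wrong order?)"
            rm -rf "$tmp"; return 1
        fi
        i=$j
    done
    # Finally let OpenSSL build the path: the leaf, with the rest as untrusted intermediates.
    if [ "$n" -gt 1 ]; then
        i=2
        while [ "$i" -le "$n" ]; do cat "$tmp/c$i.pem"; i=$((i + 1)); done > "$tmp/inter.pem"
        openssl verify -CAfile "$root" -untrusted "$tmp/inter.pem" "$tmp/c1.pem"
    else
        openssl verify -CAfile "$root" "$tmp/c1.pem"
    fi
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (hypothetical file name): sh chaincheck.sh /tmp/chaindemo
if [ $# -gt 0 ]; then
    make_test_chain "$1" &&
    assemble_chain "$1/chain.pem" "$1/server.pem" "$1/sub.pem" &&
    check_chain "$1/chain.pem" "$1/root.pem" && echo "$1/chain.pem: OK"
fi
```

Once the chain file passes check_chain, the authoritative test is what the peer actually receives: run the server with that file and connect with `openssl s_client -showcerts`, which prints every certificate the server sent in the handshake, so a missing intermediate shows up immediately rather than as a vague failure in the supplicant.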