Jeffrey Sewell wrote:
> In the eap.conf, tls section, the comments say to use the 'CA_path'
> variable in the radiusd.conf file to indicate where the trusted CA
> chain will reside. However, this variable isn't in the tls section of
> the radiusd.conf file (it is in the LDAP section, but I'm pretty sure that
> won't help me) or the eap.conf file (where I thought it might
> have moved). As an experiment, I added it to eap.conf and it loaded ok
> with the following output:
>
> tls: CA_path = "/usr/local/etc/raddb/certs/rootCA"
> ...
> tls: CA_file = "(null)"
>
> Unfortunately the CA_file is the important one as I discovered when I
> tested the link:
>
> Fri Jan 19 09:51:05 2007 : Error: TLS Alert write:fatal:unknown CA
>
> So where is the appropriate place for the root chain?
For EAP-TLS and EAP-TTLS, in eap.conf in the eap section and thereof in the
tls section, put the server certificate of your RADIUS server into the file

eap {
    ...
    tls {
        ...
        private_key_file = ${raddbdir}/certs/radius-server-key.pem
        certificate_file = ${raddbdir}/certs/radius-server-cert-and-chain.pem
        ...
    }
    ...
}

and then *add* the appropriate chain CA certificates to this file.

Additionally, if you do *not* use EAP-TLS you want CA_path= to point to an
existing *empty* directory, and you do *not* want to specify the CA_file
option.

eap {
    ...
    tls {
        ...
        # CA_file = /dev/null
        CA_path = ${raddbdir}/certs/trustedCAs-emptydir/
        verify_depth = 1
        ...
    }
    ...
}

If you were looking to use the RADIUS server as *LDAP client* to a backend
LDAP database, the above options are not relevant for the LDAP client part.
In this case you need to fiddle with the options in radiusd.conf under
modules and thereof under the ldap section:

modules {
    ...
    ldap {
        ...
        # start_tls = no
        # tls_cacertfile = ${raddbdir}/certs/trusted-root-CA-certs-for-ldap-server.pem
        # tls_cacertdir = ${raddbdir}/certs/trusted-root-CA-certs-dir-for-ldap-server/
        # tls_keyfile = ${raddbdir}/certs/radius-ldap-client-key.pem
        # tls_certfile = ${raddbdir}/certs/radius-ldap-client-cert-and-chain.pem
        # tls_randfile = ${raddbdir}/certs/rnd
        # tls_require_cert = "demand"
        ...
    }
    ...
}

HTH

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737

14th DFN-CERT Workshop and Tutorials, CCH Hamburg, 7-8 February 2007
Info/registration at: https://www.dfn-cert.de/events/ws/2007/
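As an added check (example code written for this page, not FreeRADIUS code and not part of Reimer's reply): a small Python linter that parses the tls { } section of an eap.conf fragment and flags the two inconsistencies the thread turns on, CA_file left unset while EAP-TLS is in use (the asker's "unknown CA" case) and, for the non-EAP-TLS case, CA_path not pointing at an existing empty directory or CA_file being set at all. It also checks that certificate_file carries more than one PEM certificate, i.e. the server certificate plus its chain. Assumed: the config fragments and PEM files are constructed placeholders, ${raddbdir} is expanded textually at parse time, and whether EAP-TLS is enabled is passed in by the operator since the tls block alone does not say.

```python
import os, re, tempfile
# Constructed eap.conf fragments (placeholders): the asker's attempt vs. the reply's non-EAP-TLS advice.
QUESTION_CONF = """eap { tls {
    certificate_file = ${raddbdir}/certs/radius-server-cert-and-chain.pem
    CA_path = ${raddbdir}/certs/rootCA
} }"""
TTLS_CONF = """eap { tls {
    certificate_file = ${raddbdir}/certs/radius-server-cert-and-chain.pem
    # CA_file = /dev/null
    CA_path = ${raddbdir}/certs/trustedCAs-emptydir/
    verify_depth = 1
} }"""

def parse_tls_section(text, raddbdir):
    """Return key -> value from the tls { } block; '#' comments skipped, ${raddbdir} expanded."""
    # The block ends at the first line holding only '}', so the '}' inside ${raddbdir} is not a terminator.
    body = re.search(r"tls\s*\{(.*?)\n\s*\}", text, re.S)
    opts = {}
    for line in (body.group(1) if body else "").splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            opts[key] = val.strip('"').replace("${raddbdir}", raddbdir)
    return opts

def lint_tls(opts, eap_tls_enabled):
    """Findings derived from the thread's advice; an empty list means the section is consistent."""
    findings = []
    if eap_tls_enabled and not opts.get("CA_file"):
        findings.append("EAP-TLS in use but CA_file unset (the asker's 'unknown CA' failure)")
    if not eap_tls_enabled:
        if opts.get("CA_file"):
            findings.append("CA_file set although EAP-TLS is not used; drop it")
        ca_path = opts.get("CA_path")
        if not ca_path or not os.path.isdir(ca_path) or os.listdir(ca_path):
            findings.append("CA_path must point to an existing, empty directory")
    cert = opts.get("certificate_file")
    if cert and os.path.isfile(cert):
        with open(cert) as fh:  # server cert plus at least one chain cert expected
            if fh.read().count("-----BEGIN CERTIFICATE-----") < 2:
                findings.append("certificate_file holds a single cert; append the issuing CA chain")
    return findings

def demo():
    """Create constructed fixtures under a temporary raddbdir and lint both configurations."""
    raddb = tempfile.mkdtemp()
    os.makedirs(os.path.join(raddb, "certs", "trustedCAs-emptydir"))
    with open(os.path.join(raddb, "certs", "radius-server-cert-and-chain.pem"), "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nserver-placeholder\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nissuing-ca-placeholder\n-----END CERTIFICATE-----\n")
    return (lint_tls(parse_tls_section(QUESTION_CONF, raddb), eap_tls_enabled=True),
            lint_tls(parse_tls_section(TTLS_CONF, raddb), eap_tls_enabled=False))
```

Running demo() reports one finding for the asker's configuration and none for the reply's non-EAP-TLS layout.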
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html