Hi,

I am using version 2.0.3. I generated the certificates using the files ca.cnf, server.cnf, client.cnf, xpextensions and Makefile, which are in the directory ../raddb/certs/. Then I used "make server.vrfy" to verify the server certificate, and it is OK. "make client.vrfy" is also OK.

I use the EAP-TLS authentication method, and I have modified the eap.conf file and added the related certificate files as follows:

    ....
    private_key_password = radius
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server.pem
    CA_file = ${cadir}/ca.pem
    ....

The supplicant I use is TeraDot1x Tester from Spirent Communications.

    ...
    Configuration:
    Supplicant ID: test (defined in client.cnf common name)
    User Certificate Filename: client.pem
    User Key Filename: client.key
    Root Certificate Filename: server.pem
    Key password: test (same as defined in client.cnf file)
    ....

When using the above configuration, the radius server prints out the following error:

    .....
    rlm_eap_tls: Length Included
    eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
    rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
    TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client hello B
    rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
    ....

If I change Root Certificate Filename from server.pem to ca.pem, the following error comes out:

    ....
    eaptls_verify returned 11
    rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
    TLS Alert read:fatal:bad certificate
    TLS_accept:failed in SSLv3 read client certificate A
    rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
    ....

If I use the certificates provided by Spirent, it passes. I do not know why. Any ideas?

--
Best regards!
walter
***************************************
Nothing is impossible!
***************************************