Hi,

I made the following change and it worked for me.
In the Makefile (/usr/local/etc/raddb/certs/), I passed the input files of the CA rather than the server when creating the client certificate.

Regards,
Gaurav Kansal
Velankani Software Private Limited,
43, Electronics City, Phase - 2, Hosur Road, Bangalore - 560100
Phone : +91 80 4037 5300/01 Extn. # 5401
Direct: +91 80 4037 5401
Fax : +91 80 4037 5303
Mobile: +91 98454 22400
[EMAIL PROTECTED]
www.velankani.com
"Every Customer is a Reference Customer"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, July 09, 2008 8:58 PM
To: FreeRadius users mailing list
Subject: Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS

Sergio Yébenes Moreno wrote:
> I think that PKI that comes with freeradius by default are shit

  Feel free to submit fixes. Most people don't have problems with the defaults. Perhaps because they realize that the defaults are for testing, and not for production use.

> (./bootstrap). I had the same problem. If you see the certification
> route in firefox, for example, you will see that client certificate are
> signed by SERVER CERTIFICATE and this by ca certificate.

  Which shouldn't be a problem.

> Probably you
> put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf

  There is no configuration entry called 'ca_cert'.

> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
> --> verify error:num=20:unable to get local issuer certificate
>
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
>
> , and should be server.pem, or make your own ca, that signs clients and
> servers certificates.

  The default configuration works. Perhaps you could try explaining why you think it doesn't, or why it's wrong.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
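
The chain layout discussed in this thread can be reproduced with throwaway certificates. The script below is an added example, not part of the thread and not the FreeRADIUS Makefile: it signs one client request with a server certificate and once with the CA, then verifies both with only ca.pem trusted and no intermediate supplied. All file names and subjects are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed test PKI in a temp dir: CA -> server, plus one client request
# signed two ways. Nothing here touches /usr/local/etc/raddb/certs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_csr() {   # $1 = base file name, $2 = subject CN (constructed)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

sign() {      # $1 = request name, $2 = issuer name, $3 = output name
    openssl x509 -req -in "$WORK/$1.csr" -days 1 \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$3.pem" 2>/dev/null
}

# Verify $1 with ca.pem as the only trusted certificate and no intermediate
# supplied. Prints "ok", or the first "error N" code reported by openssl.
verify_with_ca_only() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" \
            >"$WORK/$1.log" 2>&1; then
        echo ok
    else
        grep -o 'error [0-9][0-9]*' "$WORK/$1.log" | head -n 1
    fi
}

# Self-signed test CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

new_csr server "Example Server Certificate"
sign server ca server

new_csr client "user@example.org"
sign client server client-by-server   # client issued by the server cert
sign client ca client-by-ca           # client issued directly by the CA

echo "client signed by server cert: $(verify_with_ca_only client-by-server)"
echo "client signed by CA:          $(verify_with_ca_only client-by-ca)"
```

Error 20 is the same `unable to get local issuer certificate` code that appears in the rlm_eap_tls log quoted above; here it occurs because the verifier is given neither the issuing certificate nor a trust anchor for it.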