* Vegard Svanberg <[EMAIL PROTECTED]> [2008-10-07 12:16]:

> > Perhaps you should bother reading the mysteriously named file README in
> > /certs directory before asking questions.
> 
> Seems the file got lost during the transition from 1.x. Thanks!

Hm, something is not working right, but I'm not sure where. Created (ca,
server, client) certificates per the instructions in the README file.
Enabled EAP-TLS in eap.conf and verified that paths etc are correct.
Then created the client certificate and imported it on the client. -X
gives me this before it fails:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 1497
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls] <<< TLS 1.0 Handshake [length 0393], Certificate  
--> verify error:num=20:unable to get local issuer certificate 
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca  
TLS Alert write:fatal:unknown CA 
    TLS_accept:error in SSLv3 read client certificate B 
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4 
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> testuser2

Also, openssl can't verify the generated client certificate:

$ openssl verify -CAfile ca.pem client.pem
client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Oh BTW, there is a small error in the README, on line 132 it reads:

> The users certificate will be in "commonName.pem",
> i.e. "[EMAIL PROTECTED]".

This is wrong; the Makefile is using emailAddress.

-- 
Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
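As an added diagnostic for the "error 20 ... unable to get local issuer certificate" shown above (this is not code from the thread or from the FreeRADIUS certs Makefile), the function below checks whether the CA in ca.pem is really the issuer named in client.pem before running the full signature check; the file names ca.pem and client.pem are assumed from the post.

```shell
#!/bin/sh
# Added example, not from the thread: tell apart the two usual causes of
# verify error 20 at depth 0 when checking an EAP-TLS client certificate.
#   1. client.pem names an issuer whose DN is not the subject of ca.pem
#      (e.g. the CA was regenerated, or the wrong ca.pem is being used)
#   2. the DNs match but ca.pem does not hold the key that signed client.pem
# Usage: check_issuer_chain ca.pem client.pem   (file names assumed)

check_issuer_chain() {
    ca="$1"
    cert="$2"

    # Issuer DN stamped into the client cert vs. subject DN of the CA cert.
    cert_issuer=$(openssl x509 -in "$cert" -noout -issuer)
    ca_subject=$(openssl x509 -in "$ca" -noout -subject)

    # OpenSSL locates a candidate issuer by the hash of its subject name,
    # so compare the client's issuer hash with the CA's subject hash.
    cert_issuer_hash=$(openssl x509 -in "$cert" -noout -issuer_hash)
    ca_subject_hash=$(openssl x509 -in "$ca" -noout -subject_hash)

    if [ "$cert_issuer_hash" != "$ca_subject_hash" ]; then
        echo "MISMATCH: $cert was not issued by the CA in $ca"
        echo "  client issuer : ${cert_issuer#issuer=}"
        echo "  CA subject    : ${ca_subject#subject=}"
        return 1
    fi

    # Names match; now let OpenSSL check the signature and validity period.
    # The output is matched rather than the exit status because old OpenSSL
    # releases returned 0 from 'verify' even on failure.
    if openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'; then
        echo "OK: $cert chains to $ca"
        return 0
    fi
    echo "NAMES MATCH BUT VERIFY FAILS: $ca does not hold the key that signed $cert"
    openssl verify -CAfile "$ca" "$cert" 2>&1
    return 2
}

# Run directly as: sh check_issuer_chain.sh ca.pem client.pem
if [ $# -eq 2 ]; then
    check_issuer_chain "$1" "$2"
fi
```

Return value 0 means the chain verifies, 1 means a different CA issued the certificate, and 2 means the DNs agree but the signing key does not.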
