Hi again:

I have just tried with both CNs that I could find in my 'client certificate':

subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailaddress=u...@example.com
issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailaddress=ad...@example.com/CN=radiusserv.esrf.fr

So I have tested with:
- Server or Certificate Name == swatzy01.esrf.fr
- Server or Certificate Name == radiusserv.esrf.fr

But with the same result:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

I have also already done what "Ivan Kalik" said (altering certs/Makefile to sign client certificates with the CA certificate instead of the server certificate). Because of that, "Microsoft: Smart Card or other Certificate" works fine right now (not before).

But I'm still not able to perform "Intel: EAP-TTLS" with "PAP user/password", "Server Certificate Validation" + "Specify Server or Certificate Name" (if I remove the last part... it also works fine!!).

Thanks in advance for all your kind help.

Regards,
Fernando.

Alan Buxey wrote:
> Hi,
>
> > ...and I guess it is not due to the "Client Certificate", because it was successfully authenticated in the previous tests. Probably it is because I am not sure what I should write in the box reserved for "Server or Certificate Name" (on "Step 2 of 2" of the supplicant Windows software). Does anyone know what I should write in this box? I could not find a "server name" or "domain name" in the certificate (as is explained in the Windows in-line help).
>
> This will be the CN of your server certificate. So, if, when your RADIUS server's certificate got signed by the CA, it became known as e.g. radius.happyorg.org, then the name you put into the client is radius.happyorg.org.
>
> Don't forget, this is NOT a DNS name - it is purely a 'label' - just the CN of the server... and you must have the CA present to check that the server cert has been signed by your trusted CA (for otherwise anyone can make a server with a dumb cert that has radius.happyorg.org as its CN).
>
> alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
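The two points Alan makes (the "Server or Certificate Name" is nothing but the CN in the server certificate's subject, and that label is worthless unless the client also checks the certificate chains to a CA it trusts), together with the certs/Makefile problem Fernando mentions (client certificates signed by the server certificate rather than by the CA, which is what a TLS alert of unknown_ca reflects), can be reproduced with nothing but openssl. The script below is an added example, not code from this thread or from the FreeRADIUS project. The hostnames radiusserv.esrf.fr and swatzy01.esrf.fr are the ones in the thread; the CA names (esrf-radius-ca, rogue-ca), the file names and the one-day validity are made up for the demonstration. It needs only openssl and a POSIX shell and works in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS). Throwaway certificates
# are built so the supplicant's two checks can be seen with openssl alone:
#   1. "Server or Certificate Name" is the CN in the server cert's subject;
#   2. "Server Certificate Validation" is only meaningful when the presented
#      cert chains to a CA the client trusts (a rogue cert with the same CN fails);
# plus the Makefile issue: a client cert signed by the server cert (not the CA)
# cannot be verified, which is the unknown_ca situation in the log.
# Hostnames are from the thread; CA names and file names are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

# make_ca KEYFILE CERTFILE CN : self-signed CA certificate.
make_ca() {
    openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 1 -subj "/C=FR/O=ESRF/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# issue ISSUER_CERT ISSUER_KEY CN BASENAME : end-entity (non-CA) certificate
# signed by whatever cert+key you hand it. Handing it the server cert as issuer
# is what the unpatched certs/Makefile did for client certificates.
issue() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj "/C=FR/O=ESRF/CN=$3" -keyout "$4.key" -out "$4.csr" 2>/dev/null
    openssl x509 -req -in "$4.csr" -CA "$1" -CAkey "$2" -CAcreateserial -days 1 \
        -extfile req.cnf -extensions leaf_ext -out "$4.pem" 2>/dev/null
}

# server_name CERT : the label to type into "Server or Certificate Name".
# It is the subject CN read out of the certificate itself; DNS plays no part.
server_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# chains_to TRUSTED_CA CERT [extra openssl-verify args] : what "Server
# Certificate Validation" does. Prints ok/FAIL; exit status mirrors the result.
chains_to() {
    ca=$1; cert=$2; shift 2
    if openssl verify -CAfile "$ca" "$@" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL; return 1
    fi
}

make_ca ca.key ca.pem esrf-radius-ca                        # the CA the clients trust
issue ca.pem ca.key radiusserv.esrf.fr server               # real RADIUS server cert
issue ca.pem ca.key swatzy01.esrf.fr client                 # client cert signed by the CA (patched Makefile)
issue server.pem server.key swatzy01.esrf.fr client-by-srv  # client cert signed by the server cert (unpatched)
make_ca rogue.key rogue.pem rogue-ca                        # somebody else's CA
issue rogue.pem rogue.key radiusserv.esrf.fr rogue-server   # same CN, untrusted issuer

echo "Server or Certificate Name : $(server_name server.pem)"
echo "server.pem       vs ca.pem : $(chains_to ca.pem server.pem)"
echo "rogue-server.pem vs ca.pem : $(chains_to ca.pem rogue-server.pem)  (same CN, unknown CA)"
echo "client.pem       vs ca.pem : $(chains_to ca.pem client.pem)"
echo "client-by-srv    vs ca.pem : $(chains_to ca.pem client-by-srv.pem -untrusted server.pem)  (issuer is not a CA)"
```

The first line of output is the string to put in the supplicant's "Server or Certificate Name" box; the second and third lines show why the CA file must also be installed on the client: with only the name check, rogue-server.pem would be accepted. The last line is the pre-fix Makefile situation seen from the RADIUS server's side: a certificate whose issuer is the server certificate has no path to the CA, so the server can only answer with unknown_ca.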