On Sun, 31 Jan 2010, Alan Buxey wrote:

> Hi,
>
>> to these servers" client field, just enter the 'common name' entered on
>> the certificate? I wonder if a wildcard cert would work for this. As in
>> *.myorg.ca, then entering *.myorg.ca for client servers field. Just asking
>> because I have one of those.
>
> depends on supplicant - some understand wildcards...some just need the
> domain name to be specified
>
>> In the README file there is this warning:
>>
>>         "You will have to ensure that the certificate contains the XP
>>         extensions needed by Microsoft clients."
>>
>> But I can't find any further information about it. How do I ensure my
>> certificate has these extensions? Would a CA signed cert have this?
>
> check the FreeRADIUS certificate makefile - you can see the xpextensions
> file and the required attributes. you can use the openssl tool to view
> the certificate in text mode - whether the CA will sign it - you
> may have to request this functionality

I generated a server certificate using the provided documentation in the certs/README file. I took the generated server.csr and got it signed by Thawte (just a 20 day trial cert for now). They provided my certificate and I replaced the contents of server.crt with it. Now when I start up FreeRadius in debug, I get:

rlm_eap: SSL error error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
rlm_eap_tls: Error reading private key file /usr/local/freeradius/etc/raddb/certs/server.key
rlm_eap: Failed to initialize type tls
/usr/local/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
 }

I did update the private key password in eap.conf, to match the one I used in the original signing request. So what did I do wrong?

-Mike
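Two checks for the situation above, as an added example that is not code from the thread or from FreeRADIUS: it compares the public key inside a certificate with the public half of a private key (the comparison behind the X509_check_private_key error) and looks for the server-auth EKU that the FreeRADIUS xpextensions file sets for server certificates. It assumes the openssl command-line tool is installed; the demo_dir helper and its file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): checks that server.crt
# belongs to server.key (the X509_check_private_key test) and that it carries
# the EKU FreeRADIUS's xpextensions sets for servers (1.3.6.1.5.5.7.3.1).
# Assumes the openssl CLI is on PATH; cert/key paths are passed as arguments.
set -eu
# keys_match CERT KEY [PASSPHRASE]: 0 when the cert's public key equals the
# public half of KEY; comparing PEM public keys works for RSA and EC alike.
keys_match() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey)
    if [ -n "${3:-}" ]; then
        keypub=$(openssl pkey -in "$2" -pubout -passin "pass:$3")
    else
        keypub=$(openssl pkey -in "$2" -pubout)
    fi
    [ "$certpub" = "$keypub" ]
}
# has_server_eku CERT: 0 when the text dump lists TLS Web Server Authentication.
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}
# demo_dir: constructed key/cert pair (extension section modelled on the
# xpserver_ext section of certs/xpextensions) plus an unrelated key, in a temp dir.
demo_dir() {
    d=$(mktemp -d)
    cat > "$d/xp.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=radius.example.org \
        -config "$d/xp.cnf" -extensions xpserver_ext \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    keys_match "$1" "$2" "${3:-}" && echo "key matches certificate" \
        || echo "key values mismatch: this certificate was not issued for this key"
    has_server_eku "$1" && echo "server-auth EKU present" \
        || echo "server-auth EKU missing (see xpextensions)"
fi
```

Run as `sh check.sh server.crt server.key [passphrase]`; a mismatch here is the same condition rlm_eap_tls reports at startup.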
