I think you should install the openssl-devel package for tls header and lib, if you can not run radiusd -X also before replacing the certs, and then build freeradius again.

On Sun, 31 Jan 2010, Alan Buxey wrote:

> Hi,
>
>> to these servers" client field, just enter the 'common name' entered on
>> the certificate? I wonder if a wildcard cert would work for this. As in
>> *.myorg.ca, then entering *.myorg.ca for client servers field. Just asking
>> because I have one of those.
>
> depends on supplicant - some understand wildcards...some just need the
> domain name to be specified
>
>> In the README file there is this warning:
>>
>> "You will have to ensure that the certificate contains the XP
>> extensions needed by Microsoft clients."
>>
>> But I can't find any further information about it. How do I ensure my
>> certificate has these extensions? Would a CA signed cert have this?
>
> check the FreeRADIUS certificate makefile - you can see the xpextensions
> file and the required attributes. you can use the openssl tool to view
> the certificate in text mode - whether the CA will sign it - you
> may have to request this functionality
>

I generated a server certificate using the provided documentation in the certs/README file. I took the generated server.csr and got it signed by Thawte (just a 20 day trial cert for now). They provided my certificate and I replaced the contents of server.crt with it. Now when I start up FreeRadius in debug, I get:

rlm_eap: SSL error error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
rlm_eap_tls: Error reading private key file /usr/local/freeradius/etc/raddb/certs/server.key
rlm_eap: Failed to initialize type tls
/usr/local/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
}

I did update the private key password in eap.conf, to match the one I used in the original signing request. So what did I do wrong?

-Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
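
Added example, not part of the original thread: one way to check the two things discussed above with the openssl tool, namely whether a certificate and a private key belong together (the "key values mismatch" error) and whether the certificate carries the server-authentication extended key usage, OID 1.3.6.1.5.5.7.3.1, that the xpextensions file sets for server certificates. The function names, the CN and all key material are constructed for the demonstration; the optional third argument of pair_matches is an openssl passphrase source such as pass:..., for an encrypted key.

```shell
#!/bin/sh
# Added example: compare the public key in a certificate with the one
# derived from a private key, and look for the serverAuth EKU.

# Exit 0 if cert $1 and key $2 share a public key, 1 if they differ,
# 2 if either file cannot be read (for example, wrong passphrase in $3).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if cert $1 lists the serverAuth extended key usage.
has_server_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# Build constructed test material in a temp directory and run both checks.
demo() {
    d=$(mktemp -d) || return 1
    printf '[xpserver_ext]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.1\n' > "$d/ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=radius.example.org' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" -days 1 \
        -extfile "$d/ext" -extensions xpserver_ext \
        -out "$d/server.crt" 2>/dev/null || return 1
    # A second, unrelated key stands in for a key that was regenerated
    # after the signing request was sent to the CA.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    pair_matches "$d/server.crt" "$d/server.key" && echo "server.key: match"
    pair_matches "$d/server.crt" "$d/other.key" || echo "other.key: MISMATCH"
    has_server_eku "$d/server.crt" && echo "serverAuth EKU: present"
    rm -rf "$d"
}

demo
```

A mismatch result for the real server.crt and server.key means the signed certificate was issued for a request made with a different key than the one now on disk.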