I believe you need to install the server cert and any intermediate certs on the 
client before the validate server cert option will work.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org] On 
Behalf Of Petar Marinkovic
Sent: Tuesday, August 09, 2011 11:16 AM
To: freeradius-users@lists.freeradius.org
Subject: Validate server certificate problem

I've set up latest version of FreeRadius from source on Ubuntu, and I cannot 
get EAP-TLS and PEAP to work when the option "Validate server certificate" is 
on. We're using Windows CA to be able to auth users on the domain. I saw this 
old article 
http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html
 on how to generate server certificate, but that fails for me in both ways
1st fails because of a missing template on Windows CA - how to create the 
template to match what freeradius needs?
2nd fails with the following error CA certificate and CA private key do not 
match
2634:error:0B080074:x509 certificate routines:X509_check_private_key:key values 
mismatch:x509_cmp.c:406:
That's strange, cause CA cert and CA private key are in the same file (as noted 
in the text) and I didn't mistake the password (since I followed the message 
blindly, with the same password).

When I untick the "Validate server certificate" in Windows clients (XP, Windows 
7) I'm able to connect with both EAP-TLS and PEAP

Any help is appreciated, thanks in advance.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to