Dear all,

I have a small/big issue and I cannot find a good solution for it.

Scenario: iPhones with certificates from an internal PKI, joining a Wi-Fi network protected by WPA2-Enterprise, authenticating against a FreeRADIUS server v. 2.1.12 (Redhat 6.3). The RADIUS server also has an internal PKI certificate, and the authentication used is EAP-TLS. No CRL/OCSP implementation in the first stage. Everything is working fine: the mobile device is configured to accept the RADIUS certificate and the peers can therefore mutually authenticate each other.

I then configured a Microsoft OCSP array to implement client certificate status checking on the RADIUS server. When "override_cert_url = yes" is configured in the OCSP section of eap.conf to override the responder URL, everything is fine and RADIUS gets correct responses:

    [tls] --> verify return:1
    [tls] --> Starting OCSP Request
    [ocsp] --> Responder URL = http://crl.ema.europa.eu:80/ocsp
    [ocsp] --> Response status: successful
    This Update: Apr 16 09:50:00 2013 GMT
    Next Update: Apr 17 22:10:00 2013 GMT
    [oscp] --> Cert status: good
    [ocsp] --> Certificate is valid!
    [tls] chain-depth=0,

but when I try to remove this feature and use the OCSP property extracted from the client certificate, the radiusd -X output is:

    [tls] --> Starting OCSP Request
    [ocsp] --> Responder URL = http://(null):(null)(null)
    Error: Couldn't get OCSP response
    [ocsp] --> Certificate has been expired/revoked!
    [tls] chain-depth=0,
    [tls] error=0

I don't know if the problem is the client certificate or how RADIUS parses it. If this can help to understand, the output of:

    openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri > http://crl.ema.europa.eu/ocsp

(which is the correct URL)

Any input is really appreciated.

Regards,
Francesco Beltramini