Good afternoon John,
Thank you for all of your assistance with this issue. As it turns out, strace was the way to figure out what was happening.
When I ran strace with radiusd -X, I found the following line when it got to the point where it actually went searching for the CA cert.
write(1, "# Executing group from file /usr"..., 71) = 71
write(1, "+- entering group authenticate {"..., 37) = 37
write(1, "[eap] Request found, released fr"..., 44) = 44
write(1, "[eap] EAP/tls\n", 14) = 14
write(1, "[eap] processing type tls\n", 26) = 26
write(1, "[tls] Authenticate\n", 19) = 19
write(1, "[tls] processing EAP-TLS\n", 25) = 25
write(1, "[tls] eaptls_verify returned 7 \n", 32) = 32
write(1, "[tls] Done initial handshake\n", 29) = 29
write(1, "[tls] <<< TLS 1.0 Handshake [len"..., 57) = 57
stat("/usr/local/etc/raddb/certs/roots/certs.pem/c092a530.0", 0x7fffdac3eb20) = -1 ENOENT (No such file or directory)
write(1, "--> verify error:num=20:unable t"..., 64) = 64
write(1, "[tls] >>> TLS 1.0 Alert [length "..., 58) = 58
write(1, "TLS Alert write:fatal:unknown CA"..., 33) = 33
write(1, " TLS_accept: error in SSLv3 r"..., 57) = 57
write(1, "rlm_eap: SSL error error:140890B"..., 99) = 99
write(1, "SSL: SSL_read failed in a system"..., 63) = 63
write(1, "TLS receive handshake failed dur"..., 46) = 46
write(1, "[tls] eaptls_process returned 4 "..., 33) = 33
write(1, "[eap] Handler failed in EAP/tls\n", 32) = 32
write(1, "[eap] Failed in EAP select\n", 27) = 27
When I went back and looked at the CA_path line in my eap.conf, I found that I had misconfigured it in the first place to include the bundle name, which obviously is very wrong, but that was me trying different things to make it work. What I also recognized right away was the hash value of the .0 file from when I found how to have OpenSSL accept the cert when doing -verify on it. As soon as I saw the hash value that it was looking for, I created the symbolic link to the certificate in my roots folder and tried again with great success. My FR server now authenticates user certificates from both my production server, aka new root, as well as its own user certs.
Again, thank you for all your assistance in getting this to work. Hopefully when the real migration time comes down the line, implementation will go quickly and smoothly.
Regards,
Mitch
Mitch Yackobeck, MCSE, MCSA, MCP, CCNA, CompTIA Network+
Network Systems Administrator
Renfrew County District School Board
1270 Pembroke Street West
Pembroke, ON K8A 4G4
Phone: (613) 735-0151 Ext. 2278
e-mail: yackobe...@renfrew.edu.on.ca
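A worked reconstruction of the fix described above, added here as an example and not part of the original message: it builds a throwaway CA, installs it into a CA_path directory under its OpenSSL subject-hash name (the `<hash>.0` file the strace shows being stat()ed), and verifies a client cert against it. The directory and certificate names are constructed for the demo and assume an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): build an OpenSSL-style hashed
# CA directory the way FreeRADIUS's CA_path expects, then verify a client
# cert against it. All paths and names below are constructed for the demo.
set -eu

# Create a throwaway root CA and one client cert signed by it.
make_demo_pki() {
  dir="$1"
  mkdir -p "$dir/roots"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
    -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/user.pem" 2>/dev/null
}

# Install one CA cert into a CA_path directory under its subject-hash name
# (<hash>.N). OpenSSL stat()s exactly this file name during chain building,
# which is why a bundle file inside CA_path is never found.
install_ca_link() {
  capath="$1"; cert="$2"
  hash=$(openssl x509 -noout -subject_hash -in "$cert")
  n=0
  # Bump the suffix if another CA already occupies <hash>.N (hash collision).
  while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
  ln -s "$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")" "$capath/$hash.$n"
  echo "$hash.$n"
}

# Return 0 when the client cert chains to a CA found in the hashed directory,
# non-zero otherwise (the "unknown CA" case from the strace above).
verify_against_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

The same hashed-name rule is what `c_rehash` (or `openssl rehash`) applies to a whole directory at once.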