Re: freeRADIUS cert chain authentication
Mohammed Petiwala <[EMAIL PROTECTED]> wrote:
> If someone can get this working (n-tier cert chain authentication -
> can it be added as a patch to freeRADIUS) or be made as part of the
> release 1.0.0 (if done in the release time-frame)

I doubt that it will be in 1.0.0, there just isn't enough time.

As for including the patch sometime, sure. Just send in a patch.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeRADIUS cert chain authentication
Hi Alan:

If someone can get this working (n-tier cert chain authentication - can it be added as a patch to freeRADIUS) or be made as part of the release 1.0.0 (if done in the release time-frame)

Thanks.

Regards,
Mohammed.

Alan DeKok <[EMAIL PROTECTED]> wrote:
Mohammed Petiwala <[EMAIL PROTECTED]> wrote:
> any help in this regards would be appreciated - has anyone using
> freeRADIUS used cert chains with length more than 2

I don't think so. SSL is complicated, and it's difficult to understand or debug it.

Alan DeKok.

Re: freeRADIUS cert chain authentication
Mohammed Petiwala <[EMAIL PROTECTED]> wrote:
> any help in this regards would be appreciated - has anyone using
> freeRADIUS used cert chains with length more than 2

I don't think so. SSL is complicated, and it's difficult to understand or debug it.

Alan DeKok.

freeRADIUS cert chain authentication
Hi:

I am using freeRADIUS (0.9.3 on linux with openssl) for EAP-TLS authentication using our in-house supplicant, we are currently using 3-tier cert chains and have been using it quite successfully for TLS authentication with OpenSSL but when we try to use these same 3-tier certs for EAP-TLS radius authentication, the freeRADIUS server is unable to send the complete cert chain as part of the server certificate instead only sends the server/aaa cert (which works fine if the certificate chain length is = 2) but anything with a cert chain of 2 will not work.

I investigated this issue further with the rlm_eap_tls module and noticed that internally freeRADIUS uses the OpenSSL

    int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);

call and I replaced it with:

    int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);

then I created the cert server/aaa chain in pem format by catting the aaa cert, sub-ca cert and server root cert as per openssl documentation (we've been using this in our application with openssl api and it works just fine) but then when I rebuild freeradius and try to start it up it gives me this error during init startup:

    8448:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
    rlm_eap_tls: Error reading certificate file
    rlm_eap: Failed to initialize the type tls

any help in this regards would be appreciated - has anyone using freeRADIUS used cert chains with length more than 2 (this same scenario works fine with a Cisco ACS AAA)

thanks.

Regards,
Mohammed.
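
A preflight check for the concatenated chain file described in the post above (AAA cert, sub-CA cert, root cert in one PEM file), as an added example that is not part of the original thread or of freeRADIUS. The function name, the sample inputs and the placeholder certificate bodies are constructed for illustration; the check is deliberately stricter than OpenSSL's own PEM reader and inspects file structure only, not signatures or issuer/subject linkage.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_chain_pem(text, expected_depth):
    """Return a list of findings for a concatenated PEM chain file (empty = looks sane)."""
    lines = [l.strip() for l in text.splitlines()]
    if BEGIN not in lines:
        return ["no BEGIN CERTIFICATE line (the 'no start line' condition): DER, empty or wrong file"]
    findings, body, inside, count = [], [], False, 0
    for n, line in enumerate(lines, 1):
        if line == BEGIN:
            if inside:
                findings.append(f"line {n}: BEGIN before previous block ended")
            inside, body = True, []
        elif line == END and inside:
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                findings.append(f"line {n}: block is not valid base64")
                continue
            if not der.startswith(b"\x30"):
                findings.append(f"line {n}: block does not start with an ASN.1 SEQUENCE")
            count += 1
        elif line.startswith("-----") or line.endswith("-----"):
            # Seen after `cat` of files lacking a final newline, or with a non-certificate block.
            findings.append(f"line {n}: unexpected marker line {line[:40]!r}")
        elif inside:
            body.append(line)
    if inside:
        findings.append("file ends inside a certificate block")
    if count != expected_depth:
        findings.append(f"found {count} certificate(s), expected {expected_depth}")
    return findings

def fake_cert(tag):
    # Constructed placeholder: SEQUENCE header plus filler, not a real certificate.
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + tag * 30).decode()
    return "\n".join([BEGIN, b64[:64], b64[64:], END])

# Constructed sample inputs (leaf, sub-CA, root order as described in the post).
GOOD_CHAIN = "\n".join(fake_cert(t) for t in (b"aaa", b"sub", b"root")) + "\n"
FUSED_CHAIN = GOOD_CHAIN.replace(END + "\n" + BEGIN, END + BEGIN, 1)
DER_INPUT = "0\x82\x01\x00 binary bytes, no PEM armour"
if __name__ == "__main__":
    print(check_chain_pem(FUSED_CHAIN, expected_depth=3))
```

Running it against the real chain file before restarting the server separates file-format problems from problems in the patched rlm_eap_tls code.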