On 30/04/12 13:18, jinx_20 wrote:
But I still cannot understand why FR allowed to connect when I had removed
Sub2_CA certificate from cert store.
Just to emphasise, unless I'm mistaken it is OpenSSL that was validating
or rejecting the cert. The FreeRADIUS "verify" callback doesn't override
t
ks fine.
But I still cannot understand why FR allowed to connect when I had removed
Sub2_CA certificate from cert store.
Gabriel
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5675822.html
On 04/30/2012 07:29 AM, jinx_20 wrote:
Phil, can you look at the certs I provided?
They look ok to me. There's no obvious reason they shouldn't verify, and
quick tests at the CLI all passed. Are you sure these are functionally
*identical* to the real ones you're using?
I've checked over th
Phil, can you look at the certs I provided?
Gabriel
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5675205.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info
==
-----END CERTIFICATE-----
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5669595.html
On 25/04/12 12:42, jinx_20 wrote:
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on
Feb 2 2012 at 15:38:19
OpenSSL 0.9.8o 01 Jun 2010
I wouldn't like to share our private production certificates but if you
really need it to help us I will set up a mirror testing PKI
u all required certificates.
Regards,
Gabriel
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664601.html
2012/4/25 jinx_20
> Ok, to be sure that we understand each other...
>
> My Sub2_CA_entire_chain.pem looks like this:
>
> -----BEGIN CERTIFICATE-----
> XX
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> Y
> -----END CERTIFICATE-----
>
On 25/04/12 10:39, jinx_20 wrote:
Is there any way to configure FreeRadius server to explicitly accept
intermediate CAs received from the client supplicant?
No, it should not be needed and should work; but there might be a logic
error in the various SSL verify options or callbacks; OpenSSL is
correct?
Gabriel
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664500.html
>
>
> Gabriel
>
> --
> View this message in context:
> http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664397.html
As I mentioned before CA_file in the eap.conf is set to
${cadir}/Sub2_CA_*entire_chain*.pem
Is there any difference between a concatenated CA file and a certificate chain?
Gabriel
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain
>
> As soon as I delete Sub2 CA (that is, the CA certificate of the certificate
> authority which issued client's certificate) I am able to connect
> successfully.
>
Does FR know this Sub2 CA? I.e., is the CA certificate chain file referenced in
eap.conf?
If not, try to concatenate certificate authorit
urns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 194 to 172.16.16.1 port 32770
MS-MPPE-Recv-Key = 0xFF
MS-MPPE-Send-Key = 0xFF
EAP-Message = 0xFF
Message-Authenticator = 0xFF
User-Name = "2762_hd.test6"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664334.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html