I searched the docs and Google for this error. Can it simply mean that it doesn't like my CA cert, which was issued from a Windows 2000 cert server - or have I failed to configure somewhere else?
I've my 3 certs successfully for EAP-TLS on Windows IAS and Cisco ACS. radiusd does have permission to read these files of course.

Kirby

SuSE Linux 9.0
FreeRADIUS 0.9.0
openssl 0.9.7d

---freeradius debug output excerpt---
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/ssl/private/acu.pvk"
 tls: certificate_file = "/etc/ssl/private/acuweb.cer"
 tls: CA_file = "/etc/ssl/private/CAcert.cer"
 tls: private_key_password = "atheros"
 tls: dh_file = "/etc/ssl/private/DH"
 tls: random_file = "/etc/ssl/private/random"
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: Error reading Trusted root CA list <-----
rlm_eap: Failed to initialize the type tls
radiusd.conf[596]: eap: Module instantiation failed.
---end freeradius debug output---

---radiusd.conf excerpt---
## EAP-TLS is highly experimental EAP-Type at the moment.
# Please give feedback on the mailing list.
tls {
        private_key_password = atheros
        private_key_file = /etc/ssl/private/acu.pvk

        # If Private key & Certificate are located in the
        # same file, then private_key_file & certificate_file
        # must contain the same file name.
        certificate_file = /etc/ssl/private/acuweb.cer

        # Trusted Root CA list
        CA_file = /etc/ssl/private/CAcert.cer

        dh_file = /etc/ssl/private/DH
        random_file = /etc/ssl/private/random

        #
        # This can never exceed MAX_RADIUS_LEN (4096)
        # preferably half the MAX_RADIUS_LEN, to
        # accommodate other attributes in RADIUS packet.
        # On most APs the MAX packet length is configured
        # between 1500 - 1600. In these cases, fragment
        # size should be <= 1024.
        #
        # fragment_size = 1024

        # include_length is a flag which is by default set to yes
        # If set to yes, Total Length of the message is included
        # in EVERY packet we send.
        # If set to no, Total Length of the message is included
        # ONLY in the First packet of a fragment series.
        #
        # include_length = yes
}
---end radiusd.conf excerpt---
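
Added example, not part of the original post and not FreeRADIUS code: with pem_file_type = yes in the debug output, one thing worth checking is whether each file named in the tls block is PEM text or a binary DER or Microsoft PVK file. It assumes CA_file is read by a PEM-only loader; the helper names are hypothetical, the paths are the ones from the post, and the file contents are constructed.

```python
import re
PEM_MARKER = re.compile(rb"-----BEGIN [A-Z0-9 ]+-----")
PVK_MAGIC = bytes.fromhex("1ef1b5b0")  # Microsoft PVK magic 0xb0b5f11e, little-endian
FILE_KEYS = ("private_key_file", "certificate_file", "CA_file")

def der_framed(data: bytes) -> bool:
    """True if data is one ASN.1 SEQUENCE whose length field spans the whole input."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    header, length = 2, data[1]             # short-form length
    if length >= 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
        if n == 0 or len(data) < header:
            return False
    return header + length == len(data)

def classify_encoding(data: bytes) -> str:
    """Return 'pem', 'pvk', 'der' or 'unknown' for the raw bytes of a key or cert file."""
    if PEM_MARKER.search(data):
        return "pem"
    if data[:4] == PVK_MAGIC:
        return "pvk"
    return "der" if der_framed(data) else "unknown"

def tls_file_settings(conf_text: str) -> dict:
    """Pull the file-valued settings out of a tls { } block, skipping comments."""
    pairs = (line.split("#", 1)[0].partition("=") for line in conf_text.splitlines())
    return {k.strip(): v.strip().strip('"') for k, sep, v in pairs if sep and k.strip() in FILE_KEYS}

def check_tls_files(conf_text: str, read_file) -> dict:
    """Map each configured setting to the encoding detected in its file."""
    return {k: classify_encoding(read_file(p)) for k, p in tls_file_settings(conf_text).items()}

# Constructed sample input: the paths come from the post, the file contents are made up.
CONF = """tls {
    private_key_file = /etc/ssl/private/acu.pvk
    certificate_file = /etc/ssl/private/acuweb.cer
    CA_file = /etc/ssl/private/CAcert.cer
}"""
SAMPLE_FILES = {
    "/etc/ssl/private/acu.pvk": PVK_MAGIC + bytes(20),
    "/etc/ssl/private/acuweb.cer": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    "/etc/ssl/private/CAcert.cer": bytes.fromhex("3003020105"),  # DER SEQUENCE { INTEGER 5 }
}
if __name__ == "__main__":
    for setting, enc in check_tls_files(CONF, SAMPLE_FILES.__getitem__).items():
        print(f"{setting}: {enc}" + ("" if enc == "pem" else "  <- not PEM"))
```

To run it against real files, pass `lambda p: open(p, "rb").read()` as `read_file`.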