I searched the docs and Google for this error. Can it simply mean that it
doesn't like my CA cert, which was issued from a Windows 2000 cert server,
or have I failed to configure something somewhere else?
I've used my 3 certs successfully for EAP-TLS on Windows IAS and Cisco ACS.
radiusd does have permission to read these files, of course.
Kirby
SuSE Linux 9.0
FreeRADIUS 0.9.0
openssl 0.9.7d
---freeradius debug output excerpt---
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/ssl/private/acu.pvk"
tls: certificate_file = "/etc/ssl/private/acuweb.cer"
tls: CA_file = "/etc/ssl/private/CAcert.cer"
tls: private_key_password = "atheros"
tls: dh_file = "/etc/ssl/private/DH"
tls: random_file = "/etc/ssl/private/random"
tls: fragment_size = 1024
tls: include_length = yes
rlm_eap_tls: Error reading Trusted root CA list <-----
rlm_eap: Failed to initialize the type tls
radiusd.conf[596]: eap: Module instantiation failed.
---end freeradius debug output---
---radiusd.conf excerpt---
## EAP-TLS is highly experimental EAP-Type at the moment.
# Please give feedback on the mailing list.
tls {
    private_key_password = atheros
    private_key_file = /etc/ssl/private/acu.pvk
    # If Private key & Certificate are located in the
    # same file, then private_key_file & certificate_file
    # must contain the same file name.
    certificate_file = /etc/ssl/private/acuweb.cer
    # Trusted Root CA list
    CA_file = /etc/ssl/private/CAcert.cer
    dh_file = /etc/ssl/private/DH
    random_file = /etc/ssl/private/random
    #
    # This can never exceed MAX_RADIUS_LEN (4096)
    # preferably half the MAX_RADIUS_LEN, to
    # accommodate other attributes in RADIUS packet.
    # On most APs the MAX packet length is configured
    # between 1500 - 1600. In these cases, fragment
    # size should be <= 1024.
    #
    fragment_size = 1024
    # include_length is a flag which is by default set to yes
    # If set to yes, Total Length of the message is included
    # in EVERY packet we send.
    # If set to no, Total Length of the message is included
    # ONLY in the First packet of a fragment series.
    #
    include_length = yes
}
---end radiusd.conf excerpt---
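An added check, not part of the original post or of FreeRADIUS: OpenSSL reads a trusted CA list such as CA_file as PEM text, while a Windows certificate server can export a .cer as binary DER, so this Python sketch classifies a file's bytes as PEM or DER and re-wraps DER as PEM. The function names and the sample bytes are constructed for illustration, and nothing here assumes what the files named in the post actually contain.

```python
import base64
import re
import sys

# PEM armor: BEGIN/END lines with a matching label around a base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(data):
    """Return [(label, decoded_bytes)] for every well-formed PEM block."""
    found = []
    for m in PEM_BLOCK.finditer(data):
        try:
            body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue                # armor present but body is not base64
        found.append((m.group(1).decode(), body))
    return found

def looks_like_der(data):
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30 + length + body)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:              # short-form length
        length, header = data[1], 2
    else:                           # long form: low 7 bits = count of length bytes
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)

def classify(data):
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a cert file."""
    if pem_blocks(data):
        return "pem"
    return "der" if looks_like_der(data) else "unknown"

def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

# Constructed sample: a bare 256-byte SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)

if __name__ == "__main__":
    for path in sys.argv[1:]:       # e.g. the CA_file path from radiusd.conf
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

A file reported as `der` would need converting to PEM before OpenSSL can load it as a CA list; `unknown` means it is neither a single DER object nor valid PEM armor.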