> My freeradius version is 2.1.1. When I config eap-tls with crl and one
> level root certificate, it works normally. But when the ca is two level, the
> root ca is for signing the second level CA certificate, and the second
> level CA is for signing user certificates and crls. That means the root ca
> certificate is self-signed, but the second level ca certificate is not. How
> can I config? I got the error message below:
>
> [tls] eaptls_verify returned 11
> [tls] <<< TLS 1.0 Handshake [length 0477], Certificate
> --> verify error:num=3:unable to get certificate CRL
> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
This means that you haven't imported the bundle onto the client.

> # Trusted Root CA list
> #
> # ALL of the CA's in this list will be trusted
> # to issue client certificates for authentication.
> #
> # In general, you should use self-signed
> # certificates for 802.1x (EAP) authentication.
> # In that case, this CA file should contain
> # *one* CA certificate.
> #
> # This parameter is used only for EAP-TLS,
> # when you issue client certificates. If you do
> # not use client certificates, and you do not want
> # to permit EAP-TLS authentication, then delete
> # this configuration item.
> CA_file = ${cadir}/ca.pem

ca.pem should also contain a certificate bundle.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
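The reply says CA_file must hold a bundle, and the quoted error (`num=3`, OpenSSL's "unable to get certificate CRL") points at the other half of a two-level setup: when CRL checking is on, OpenSSL also needs a CRL for every CA it is asked to check. The script below is an added example, not code from this thread or from the FreeRADIUS project. It builds the ca.pem bundle from the root and issuing CA certificates, counts what the bundle and CRL file contain per CA level, and runs the same chain-plus-CRL check on the command line that the EAP-TLS handshake performs. File names (root.pem, issuing-ca.pem, crls.pem, client.pem) are assumptions, and the statement that FreeRADIUS 2.x enables CRL checking for all chain levels is my reading of its tls code, so confirm it against your version.

```shell
#!/bin/sh
# Added example, not code from the list thread or from the FreeRADIUS project.
# Assembles the CA bundle that FreeRADIUS's CA_file must hold for a two-level
# CA (root + issuing CA) and sanity-checks it before the server is restarted.
# File names (root.pem, issuing-ca.pem, crls.pem, client.pem) are assumptions.
set -eu

# Number of PEM blocks of type $1 ("CERTIFICATE" or "X509 CRL") in file $2.
# Prints 0 when the file is missing or holds no such block.
count_pem_blocks() {
    n=$(grep -c "^-----BEGIN $1-----" "$2" 2>/dev/null || true)
    echo "${n:-0}"
}

# build_ca_bundle OUT CERT... : concatenate every CA certificate of the chain
# (root first, then the issuing CA) into OUT and print how many ended up there.
build_ca_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do cat "$f" >> "$out"; done
    count_pem_blocks CERTIFICATE "$out"
}

# bundle_is_complete CA_BUNDLE CRL_BUNDLE LEVELS : succeed only if the CA
# bundle holds one certificate per CA level and the CRL bundle one CRL per
# level. With check_crl = yes, FreeRADIUS 2.x asks OpenSSL to check a CRL for
# every CA in the chain (my reading of its tls code; confirm for your version),
# so a root CA that never published a CRL yields "unable to get certificate
# CRL" (verify error num=3) even though the issuing CA's CRL is present.
bundle_is_complete() {
    certs=$(count_pem_blocks CERTIFICATE "$1")
    crls=$(count_pem_blocks "X509 CRL" "$2")
    [ "$certs" -ge "$3" ] && [ "$crls" -ge "$3" ]
}

# verify_client_cert CA_BUNDLE CRL_BUNDLE CLIENT : run the chain and CRL check
# OpenSSL performs inside the EAP-TLS handshake, but on the command line, so
# the failure reason is visible before a supplicant ever connects.
verify_client_cert() {
    openssl verify -CAfile "$1" -CRLfile "$2" -crl_check_all "$3"
}

# --- demonstration with constructed placeholder files (not real PEM data) ---
demo() {
    d=$(mktemp -d)
    pem() { printf -- '-----BEGIN %s-----\n%s\n-----END %s-----\n' "$1" "$2" "$1"; }
    pem CERTIFICATE root   > "$d/root.pem"
    pem CERTIFICATE issuer > "$d/issuing-ca.pem"
    pem "X509 CRL" issuer  > "$d/crls.pem"      # only the issuing CA published a CRL

    build_ca_bundle "$d/ca.pem" "$d/root.pem" "$d/issuing-ca.pem" >/dev/null
    if bundle_is_complete "$d/ca.pem" "$d/crls.pem" 2; then
        echo "bundle complete"
    else
        echo "bundle incomplete: a CRL is missing for one CA level"
    fi
    pem "X509 CRL" root >> "$d/crls.pem"          # add the root CA's CRL as well
    bundle_is_complete "$d/ca.pem" "$d/crls.pem" 2 && echo "bundle complete"

    # With real files in place, verify_client_cert "$d/ca.pem" "$d/crls.pem" client.pem
    # reports the same num=3 error the server logs when a CRL is missing.
    rm -rf "$d"
}
demo
```

Point CA_file at the bundle produced by `build_ca_bundle`, and keep the CRL file updated for both CA levels; if the root CA legitimately has no CRL, the alternative is to disable the per-level CRL check rather than to drop the root from the bundle, since the root is what anchors the chain.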