(RADIATOR) TTLS with intermediate certificates?

Mike McCauley mikem at open.com.au
Thu Mar 17 04:29:01 CST 2005


Hello Jon,

EAPTLS_CAFile can contain one or more certificates, so you could combine the 
several root certificates in the certificate chain into one certificate file.

Alternatively, you can use EAPTLS_CAPath to specify a directory that contains 
all the root certificates required to verify the chain. In this case, each 
certificate needs to be in a filename based on the subject name hash. See 
the Reference manual for more details on how to do this.

Cheers.


On Thursday 17 March 2005 05:59, Jon Moore wrote:
> We are using EAP-TTLS with Radiator, and when we went to renew our
> server SSL certificates, our CA (Thawte) told us they were changing the
> way they were generating certificates.
>
> It used to be that we had a server cert signed by the Thawte Server CA
> (self-signed). Now the server cert is signed by the Thawte SGC CA,
> which is itself signed by the Verisign Class 3 Public Primary CA
> (whew). The Thawte SGC CA is not one of the trusted root CAs, but the
> Verisign is.
>
> So it seems like I need to set my EAPTLS_CertificateFile to point to
> the new server cert. Do I point my EAPTLS_CAFile to a file containing
> the intermediate cert (Thawte SGC CA) or the root cert (the Verisign
> one)? If I'm doing TTLS, does the EAPTLS_CAFile even get used (since
> I'm not validating client certificates)?
>
> Or does EAPTLS_CertificateFile need to point to a file containing both
> the server cert and the intermediate cert?
>
> Our Windows 802.1x supplicants (Alfa & Ariss SecureW2 and Meetinghouse
> Aegis) seem to be getting hung up with validating the cert chain,
> although they both profess to support intermediate certificates, so I'm
> thinking we are not serving them up correctly from Radiator.
>
> Confused,
> Jon
> --
> Jon Moore
> ISC Networking & Telecommunications
> University of Pennsylvania

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
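As an added example (not from the list post or from Radiator itself), the script below builds a throwaway root -> intermediate -> server chain with the openssl command-line tool, then lays the CA material out the two ways the reply describes: one concatenated file, as EAPTLS_CAFile takes it, and a directory of files named by subject-name hash, as EAPTLS_CAPath takes it. It also verifies the server certificate against each layout, and against a root-only trust store with and without the intermediate supplied by the peer, which is the situation the supplicants in the question are in. All certificate names, file names and the directory layout are constructed for the demo; it assumes an openssl binary of version 1.1.0 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the Radiator list post. Builds a throwaway
# root -> intermediate -> server chain with the openssl CLI and shows the
# two layouts of CA material described in the reply: one concatenated file
# (EAPTLS_CAFile) and a directory of subject-hash-named files (EAPTLS_CAPath).
# All names and files here are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a root CA, an intermediate CA and a server certificate issued by the
# intermediate: the same shape as the Thawte SGC / Verisign chain in the question.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 2 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    # The intermediate must itself be marked as a CA or nothing it signs verifies.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -out "$WORK/server.pem" >/dev/null 2>&1
}

# EAPTLS_CAFile style: every CA in the chain concatenated into one PEM file.
build_cafile() {
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/cafile.pem"
}

# EAPTLS_CAPath style: one file per CA, named <subject-hash>.0. The hash
# scheme changed in OpenSSL 1.0.0 (-subject_hash vs -subject_hash_old), so
# build the directory with the OpenSSL version the RADIUS server links against.
build_capath() {
    mkdir -p "$WORK/capath"
    for ca in "$WORK/root.pem" "$WORK/inter.pem"; do
        h=$(openssl x509 -noout -subject_hash -in "$ca")
        cp "$ca" "$WORK/capath/$h.0"
    done
}

# Verify the server cert with the given openssl verify options; print OK or FAIL.
verify_with() {
    if openssl verify "$@" "$WORK/server.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_chain
build_cafile
build_capath
echo "root only, no intermediate anywhere:     $(verify_with -no-CApath -CAfile "$WORK/root.pem")"
echo "root trusted, intermediate sent by peer: $(verify_with -no-CApath -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem")"
echo "concatenated CAFile:                     $(verify_with -no-CApath -CAfile "$WORK/cafile.pem")"
echo "hash-named CAPath:                       $(verify_with -no-CAfile -CApath "$WORK/capath")"
```

The first line is the failure the supplicants in the question run into: a client that trusts only the Verisign root and never receives the Thawte SGC intermediate cannot build the chain. The second line shows that it verifies as soon as the intermediate arrives untrusted alongside the server certificate, which is why the server side must present the intermediate during the TLS handshake; the last two lines show that either CA layout on the verifying side is enough once the intermediate is in it.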
