(RADIATOR) EAPTLS_CAPath is not working for EAP-TLS?

Jan Tomasek jan at tomasek.cz
Tue Jan 29 12:30:07 CST 2008


Hi,

I'm trying to configure an EAP-TLS handler that will accept clients with
certificates from multiple CAs. My handler looks like this:

> <Handler User-Name=/^TLS\+.+ at .+/>
> 	<AuthBy FILE>
> 		EAPType 		TLS
> 		EAPTLS_CAPath		/etc/ssl
> #		EAPTLS_CAFile		/etc/ssl/380fec8f.0
> 
> 		EAPTLS_CertificateFile	/etc/ssl/certs/radius2.cesnet.cz-2007-10-22.crt.pem
> 		EAPTLS_CertificateType	PEM
> 		EAPTLS_PrivateKeyFile	/etc/ssl/private/radius2.cesnet.cz-2007-10-22.key.pem
> 		EAPTLS_MaxFragmentSize	1000
> 
> 		EAPTLS_NoCheckId
> 
> 		AutoMPPEKeys
> 	</AuthBy>
> </Handler>

When I test that, I see in log file:

> Tue Jan 29 17:14:09 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+ at .+/'
> Tue Jan 29 17:14:09 2008: DEBUG:  Deleting session for TLS+semik at cesnet.cz, 195.113.205.147, 29
> Tue Jan 29 17:14:09 2008: DEBUG: Handling with Radius::AuthFILE: 
> Tue Jan 29 17:14:09 2008: DEBUG: Handling with EAP: code 2, 4, 1308, 13
> Tue Jan 29 17:14:09 2008: DEBUG: Response type 13
> Tue Jan 29 17:14:09 2008: INFO: EAP TLS certificate verification failed: unable to get local issuer certificate,  24016: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Tue Jan 29 17:14:09 2008: DEBUG: EAP result: 3, EAP TLS Challenge
> Tue Jan 29 17:14:09 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge

I tried to run strace on radiator:

> ldap2:/etc/ssl# grep 380fec8f /tmp/radiusd 
> 16533 stat64("/usr/lib/ssl/certs/380fec8f.0", 0xbfa390c0) = -1 ENOENT (No such file or directory)

It seems to default to some strange location...

Any ideas how to fix that?

I'm running version 4.0 with patch 1.870.

Best regards
-- 
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/

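An added example, not part of the post above and not Radiator's own code, showing what an OpenSSL CApath directory has to look like. OpenSSL does not read every PEM file in a CApath directory; it opens files named <subject-hash>.0, <subject-hash>.1, ... (the "380fec8f.0" in the log is such a name), which is what c_rehash, or "openssl rehash" on newer releases, creates. The /usr/lib/ssl/certs path in the strace output is OpenSSL's compiled-in default certificate directory ("openssl version -d" prints it), the place OpenSSL searches when no other CApath is in effect; the post's log alone cannot settle whether Radiator 4.0 passed the configured directory through, so that is worth checking separately. The script below generates its own throwaway CAs and client certificates (constructed test material, not the CESNET certificates from the post), verifies a client certificate against a directory of plain PEM files (fails, with the same "unable to get local issuer certificate" error as the log), then against a properly hashed directory (succeeds), and shows that a certificate from a CA not in the directory is still rejected. It assumes an openssl CLI of 1.1.0 or later for the -no-CAfile/-no-CApath options; the hash is computed with the same OpenSSL build that does the lookup, which matters because the hashing algorithm changed in OpenSSL 1.0.0.

```shell
#!/bin/sh
# Added example (not from the post or from Radiator): build an OpenSSL
# CApath directory with the hashed filenames OpenSSL actually looks up,
# and show that a directory of plain PEM files does NOT work as a CApath.
# All keys and certificates are generated locally below; they are
# constructed test material, not the CESNET CAs from the post.
# Assumes an openssl CLI with -no-CAfile/-no-CApath (OpenSSL >= 1.1.0).
set -eu

WORK=${WORK:-$(mktemp -d)}

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca NAME : self-signed CA, written to $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/req.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client CANAME USER : client certificate $WORK/USER.pem issued by CANAME
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -sha256 -days 30 -out "$WORK/$2.pem" 2>/dev/null
}

# hash_link CAPATH CAFILE : install CAFILE under the <subject-hash>.<n> name
# that OpenSSL's CApath lookup expects (what c_rehash / openssl rehash do).
# -hash is produced by the same OpenSSL build that will do the lookup.
hash_link() {
    capath=$1; ca=$2
    h=$(openssl x509 -noout -hash -in "$ca")
    n=0
    while [ -e "$capath/$h.$n" ]; do n=$((n + 1)); done   # same hash, different CA
    cp "$ca" "$capath/$h.$n"    # c_rehash uses a symlink; a copy behaves the same
    printf '%s\n' "$h.$n"
}

# verify_with CAPATH CERT : prints OK or FAIL; only CAPATH is trusted.
verify_with() {
    if openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1; then
        printf 'OK\n'
    else
        printf 'FAIL\n'
    fi
}

# Two trusted CAs, one CA that is not trusted, and one client cert per CA.
setup() {
    write_req_config
    make_ca ca1; make_ca ca2; make_ca rogue
    make_client ca1 alice; make_client ca2 bob; make_client rogue mallory
    mkdir -p "$WORK/plain" "$WORK/hashed"
    cp "$WORK/ca1.pem" "$WORK/ca2.pem" "$WORK/plain/"   # PEM files only, no hash names
    hash_link "$WORK/hashed" "$WORK/ca1.pem" >/dev/null
    hash_link "$WORK/hashed" "$WORK/ca2.pem" >/dev/null
}

main() {
    setup
    echo "OpenSSL default directory ($(openssl version -d)) is searched when no CApath applies"
    echo "files OpenSSL will look up in the hashed dir: $(ls "$WORK/hashed" | tr '\n' ' ')"
    echo "alice   via plain dir:  $(verify_with "$WORK/plain"  "$WORK/alice.pem")"
    echo "alice   via hashed dir: $(verify_with "$WORK/hashed" "$WORK/alice.pem")"
    echo "bob     via hashed dir: $(verify_with "$WORK/hashed" "$WORK/bob.pem")"
    echo "mallory via hashed dir: $(verify_with "$WORK/hashed" "$WORK/mallory.pem")"
}

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
main
```

The same check applies to a production directory: if "openssl verify -CApath /etc/ssl client.pem" fails with "unable to get local issuer certificate" while "openssl verify -CAfile /etc/ssl/<ca>.pem client.pem" succeeds, the directory is missing its hashed names and needs c_rehash (or "openssl rehash") run against it, and it must be rerun whenever a CA certificate is added or replaced.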
