(RADIATOR) EAPTLS_CAPath is not working for EAP-TLS?
mikem at open.com.au
Tue Jan 29 17:17:24 CST 2008
thanks for reporting this.
There was a problem where EAPTLS_CAPath would not be set correctly if
EAPTLS_CAFile was not also defined.
This is fixed in the latest 4.0 patch set.
In the meantime, if you have:
that should work around it.
We apologise for any inconvenience.
On Wednesday 30 January 2008 04:30, Jan Tomasek wrote:
> I'm trying to configure EAP-TLS handler which will accept clients with
> certificates from multiple CAs. My handler looks this way:
> > <Handler User-Name=/^TLS\+.+ at .+/>
> > <AuthBy FILE>
> > EAPType TLS
> > EAPTLS_CAPath /etc/ssl
> > # EAPTLS_CAFile /etc/ssl/380fec8f.0
> > EAPTLS_CertificateFile /etc/ssl/certs/radius2.cesnet.cz-2007-10-22.crt.
> >pem EAPTLS_CertificateType PEM
> > EAPTLS_PrivateKeyFile /etc/ssl/private/radius2.cesnet.cz-2007-10-22.key
> >.pem EAPTLS_MaxFragmentSize 1000
> > EAPTLS_NoCheckId
> > AutoMPPEKeys
> > </AuthBy>
> > </Handler>
> When I test that, I see in log file:
> > Tue Jan 29 17:14:09 2008: DEBUG: Handling request with Handler
> > 'User-Name=/^TLS\+.+ at .+/' Tue Jan 29 17:14:09 2008: DEBUG: Deleting
> > session for TLS+semik at cesnet.cz, 220.127.116.11, 29 Tue Jan 29 17:14:09
> > 2008: DEBUG: Handling with Radius::AuthFILE: Tue Jan 29 17:14:09 2008:
> > DEBUG: Handling with EAP: code 2, 4, 1308, 13 Tue Jan 29 17:14:09 2008:
> > DEBUG: Response type 13
> > Tue Jan 29 17:14:09 2008: INFO: EAP TLS certificate verification failed:
> > unable to get local issuer certificate, 24016: 1 - error:140890B2:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Tue Jan 29
> > 17:14:09 2008: DEBUG: EAP result: 3, EAP TLS Challenge Tue Jan 29
> > 17:14:09 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
> I tried to run strace on radiator:
> > ldap2:/etc/ssl# grep 380fec8f /tmp/radiusd
> > 16533 stat64("/usr/lib/ssl/certs/380fec8f.0", 0xbfa390c0) = -1 ENOENT (No
> > such file or directory)
> It seams to default to some strange location...
> Any ideas how to fix that?
> I'm running version 4.0 with patch 1.870.
> Best regards
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator