(RADIATOR) EAPTLS_CAPath is not working for EAP-TLS?
Mike McCauley
mikem at open.com.au
Tue Jan 29 17:17:24 CST 2008
Hello Jan,
thanks for reporting this.
There was a problem where EAPTLS_CAPath would not be set correctly if
EAPTLS_CAFile was not also defined.
This is fixed in the latest 4.0 patch set.
In the meantime, if you have:
EAPTLS_CAFile
EAPTLS_CAPath /etc/ssl
that should work around it.
We apologise for any inconvenience.
Cheers.
On Wednesday 30 January 2008 04:30, Jan Tomasek wrote:
> Hi,
>
> I'm trying to configure an EAP-TLS handler which will accept clients with
> certificates from multiple CAs. My handler looks this way:
> > <Handler User-Name=/^TLS\+.+ at .+/>
> > <AuthBy FILE>
> > EAPType TLS
> > EAPTLS_CAPath /etc/ssl
> > # EAPTLS_CAFile /etc/ssl/380fec8f.0
> >
> > EAPTLS_CertificateFile /etc/ssl/certs/radius2.cesnet.cz-2007-10-22.crt.pem
> > EAPTLS_CertificateType PEM
> > EAPTLS_PrivateKeyFile /etc/ssl/private/radius2.cesnet.cz-2007-10-22.key.pem
> > EAPTLS_MaxFragmentSize 1000
> >
> > EAPTLS_NoCheckId
> >
> > AutoMPPEKeys
> > </AuthBy>
> > </Handler>
>
> When I test that, I see in log file:
> > Tue Jan 29 17:14:09 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+ at .+/'
> > Tue Jan 29 17:14:09 2008: DEBUG: Deleting session for TLS+semik at cesnet.cz, 195.113.205.147, 29
> > Tue Jan 29 17:14:09 2008: DEBUG: Handling with Radius::AuthFILE:
> > Tue Jan 29 17:14:09 2008: DEBUG: Handling with EAP: code 2, 4, 1308, 13
> > Tue Jan 29 17:14:09 2008: DEBUG: Response type 13
> > Tue Jan 29 17:14:09 2008: INFO: EAP TLS certificate verification failed: unable to get local issuer certificate, 24016: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> > Tue Jan 29 17:14:09 2008: DEBUG: EAP result: 3, EAP TLS Challenge
> > Tue Jan 29 17:14:09 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
>
> I tried to run strace on radiator:
> > ldap2:/etc/ssl# grep 380fec8f /tmp/radiusd
> > 16533 stat64("/usr/lib/ssl/certs/380fec8f.0", 0xbfa390c0) = -1 ENOENT (No such file or directory)
>
> It seems to default to some strange location...
>
> Any ideas how to fix that?
>
> I'm running version 4.0 with patch 1.870.
>
> Best regards
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
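Added example, not Radiator's code and not from either post: a small Python check that parses a Radiator-style `<AuthBy>` block for the condition Mike describes (EAPTLS_CAPath present with no EAPTLS_CAFile line at all, the case the 4.0 patch addresses) and picks the "unable to get local issuer certificate" events out of Radiator log lines, so an operator can tell whether the stated workaround applies to a given configuration. The config and log samples are constructed from the ones quoted above, with a placeholder user and client address; the parser only understands the `Key value` and `<AuthBy>`/`</AuthBy>` syntax used here.

```python
import re

# Constructed sample config modelled on the posted handler; CAFile line commented out as posted.
SAMPLE_CONFIG = r"""
<Handler User-Name=/^TLS\+.+@.+/>
    <AuthBy FILE>
        EAPType TLS
        EAPTLS_CAPath /etc/ssl
        # EAPTLS_CAFile /etc/ssl/380fec8f.0
        EAPTLS_NoCheckId
    </AuthBy>
</Handler>
"""

# Constructed log lines in Radiator's format; user and client address are placeholders.
SAMPLE_LOG = r"""
Tue Jan 29 17:14:09 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+@.+/'
Tue Jan 29 17:14:09 2008: DEBUG: Deleting session for TLS+user@example.org, 192.0.2.10, 29
Tue Jan 29 17:14:09 2008: INFO: EAP TLS certificate verification failed: unable to get local issuer certificate, 24016: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Jan 29 17:14:09 2008: DEBUG: EAP result: 3, EAP TLS Challenge
"""

def parse_authby_params(config):
    """Collect 'Key value' parameters of each <AuthBy ...> block; bare flags get ''."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out parameter
        if re.match(r"<AuthBy\b", line):
            current = {}
        elif line == "</AuthBy>":
            blocks.append(current)
            current = None
        elif current is not None and not line.startswith("<"):
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return blocks

def capath_without_cafile(params):
    """True when EAP-TLS relies on EAPTLS_CAPath and no EAPTLS_CAFile line exists at all."""
    return (params.get("EAPType") == "TLS"
            and "EAPTLS_CAPath" in params and "EAPTLS_CAFile" not in params)

LOG_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): (?P<level>\w+): (?P<msg>.*)$")
ISSUER_FAIL = "unable to get local issuer certificate"
def issuer_failures(log):
    """Timestamps of EAP-TLS client-certificate verifications that found no issuer cert."""
    return [m["ts"] for m in map(LOG_RE.match, log.splitlines())
            if m and m["level"] == "INFO" and ISSUER_FAIL in m["msg"]]
```

An empty `EAPTLS_CAFile` line (the workaround in the reply) makes the key present, so the check no longer fires for that block.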