[RADIATOR] Certificate issues with intermediate certificates.

Smith, Todd Todd.Smith at camc.org
Fri Nov 19 14:55:02 CST 2010


In working with Radiator and Apple devices, I am having problems with the RADIUS server certificate being verified by the client.  In discussion with DigiCert, they suggest that Radiator is not correctly giving out the intermediate certificates to the client.  I am able to authenticate other devices so I don't think that is a problem, but something is keeping the Apple devices from correctly authenticating.

The syntax that I am using in Radiator is as follows:

EAPType PEAP
    # CAChain contains 2 intermediate certificates and the root certificate concatenated like this: Inter1->Inter2->Root
    EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
    EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key

    EAPTLS_MaxFragmentSize 1000

DigiCert has suggested testing for the intermediate certificates by the method quoted below using OpenSSL.  When I tested it using port 1812 or 443, all I received was the error message "Connection refused:errno 29".  Would you be able to test a certificate chain in this way?  Would you need an 802.1x client to handshake before the X.509 certificate would be transmitted?  Trace 4 shows Radiator handing out the certificate, but even though the Apple clients have the appropriate root certificate, they can't verify the server certificate, and there doesn't seem to be any problem with the server certificate since other devices don't seem to complain about it.

Any suggestions as to what else I can look at?

Todd Smith



> Before going that direction, I think it would be valuable to determine whether the server is sending any intermediate certificates at all.  The current certificate you have requires two intermediates to chain properly, while the reissue I'm suggesting would require just one intermediate.  But if the server is sending no intermediates, then neither option would resolve the issue.

> Can you try connecting to the RADIUS server using OpenSSL to check the certificate chain?  From a workstation or server with OpenSSL that can access the RADIUS server (or from the RADIUS server itself), you would run this command:

openssl s_client -connect weiland.camc.hsi:<radius_ssl_port>
where <radius_ssl_port> is the SSL port number on the RADIUS server
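An added check, not from this post or from Radiator's own code: the TLS handshake of PEAP is carried inside EAP over RADIUS (UDP port 1812), so there is no TCP TLS listener for openssl s_client to connect to, which is why the connection is refused; what can be checked offline is the bundle itself. The script below verifies that each certificate in a PEM chain file is issued by the one after it, that the last one is a self-signed root, and that the server certificate verifies against the bundle; it assumes openssl on PATH, and all file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from Radiator.
# Offline checks for an EAPTLS_CAFile-style PEM bundle. All paths are placeholders.

# Split a PEM bundle ($1) into $2/cert1.pem, $2/cert2.pem, ... in file order
# and print the number of certificates found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { close(out); inside = 0 }
        END                           { print n + 0 }' "$1"
}

# Distinguished name of a certificate file: $1 = file, $2 = "subject" or "issuer".
dn() {
    openssl x509 -noout "-$2" -in "$1" | sed "s/^$2=//"
}

# Succeed only if every certificate in bundle $1 is issued by the next one
# and the last one is self-signed (the Inter1 -> Inter2 -> Root order).
chain_ordered() {
    dir=$(mktemp -d) || return 2
    n=$(split_bundle "$1" "$dir")
    status=0
    [ "$n" -ge 1 ] || status=1
    i=1
    while [ "$i" -lt "$n" ]; do
        if [ "$(dn "$dir/cert$i.pem" issuer)" != "$(dn "$dir/cert$((i + 1)).pem" subject)" ]; then
            echo "cert$i is not issued by cert$((i + 1))" >&2
            status=1
        fi
        i=$((i + 1))
    done
    if [ "$n" -ge 1 ] && [ "$(dn "$dir/cert$n.pem" issuer)" != "$(dn "$dir/cert$n.pem" subject)" ]; then
        echo "last certificate is not a self-signed root" >&2
        status=1
    fi
    rm -rf "$dir"
    return "$status"
}

# Succeed if server certificate $2 chains to bundle $1, which is what a client
# that only holds the root can do once it has received the intermediates.
leaf_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run as `chain_ordered CAChain.crt && leaf_verifies CAChain.crt server.crt`; a bundle that passes both but still fails on the client points at what the server sends in the handshake (visible in a packet capture of the EAP exchange) rather than at the files.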