[RADIATOR] Certificate issues with intermediate certificates.
Smith, Todd
Todd.Smith at camc.org
Fri Nov 19 14:55:02 CST 2010
In working with Radiator and Apple devices, I am having problems with the RADIUS server certificate being verified by the client. In discussion with DigiCert, they suggest that Radiator is not correctly giving out the intermediate certificates to the client. I am able to authenticate other devices, so I don't think that is the problem, but something is keeping the Apple devices from correctly authenticating.
The syntax that I am using in Radiator is as follows:
EAPType PEAP
# CAChain contains 2 intermediate certificates and the root certificate concatenated like this Inter1->Inter2->Root
EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
EAPTLS_MaxFragmentSize 1000
DigiCert has suggested testing for the intermediate certificates by the method quoted below using OpenSSL. When I tested it using port 1812 or 443, all I received was the error message "Connection refused:errno 29". Would you be able to test a certificate chain in this way? Would you need an 802.1X client to handshake before the X.509 certificate would be transmitted? Trace 4 shows Radiator handing out the certificate, but even though the Apple clients have the appropriate root certificate, they can't verify the server certificate, and there doesn't seem to be any problem with the server certificate since other devices don't complain about it.
Any suggestions as to what else I can look at?
Todd Smith
> Before going that direction, I think it would be valuable to determine whether the server is sending any intermediate certificates at all. The current certificate you have requires two intermediates to chain properly, while the reissue I'm suggesting would require just one intermediate. But if the server is sending no intermediates, then neither option would resolve the issue.
> Can you try connecting to the RADIUS server using OpenSSL to check the certificate chain? From a workstation or server with OpenSSL that can access the RADIUS server (or from the RADIUS server itself), you would run this command:
> openssl s_client -connect weiland.camc.hsi:<radius_ssl_port>
> where <radius_ssl_port> is the ssl port number on the RADIUS server
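A note on the s_client probe quoted above, and an added example that is not from the thread or from Radiator: RADIUS listens on UDP 1812 and the PEAP TLS handshake travels inside EAP-Message attributes, so a TCP connect to 1812 is refused and the server certificate is only ever transmitted to an 802.1X supplicant (or a RADIUS-aware test client). What can be checked offline is the pair of files the configuration points at. The script below builds a throwaway test PKI with openssl (Root, two intermediates, one server certificate; every name is made up and stands in for the DigiCert chain and weiland_camc_hsi.crt), concatenates the CA bundle in the order the post describes (Inter1 -> Inter2 -> Root), and then runs two checks: whether the server certificate verifies against the root alone, with and without the intermediates supplied as the "sent" chain, which models a client that trusts only the root; and whether the bundle is actually in chain order, each certificate issued by the next one, ending at the self-signed root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Radiator. Builds a throwaway test PKI
# (Root -> Inter2 -> Inter1 -> server; all names are constructed) so the checks run
# offline, then exercises a CA bundle laid out as Inter1, Inter2, Root plus a server cert.
set -eu

WORK=$(mktemp -d)

# Distinguished name of a cert's issuer or subject, with the "issuer="/"subject=" prefix removed.
dn() {  # dn issuer|subject CERTFILE
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[^=]*= *//'
}

# Issue one certificate. ISSUER is a name issued earlier, or "self" for the root.
issue() {  # issue NAME CN ISSUER EXTFILE
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 2 -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 2 -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

build_test_pki() {
  # CA certificates need basicConstraints CA:TRUE or openssl refuses to chain through them.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
  issue root   "Test Root CA"            self   "$WORK/ca.ext"
  issue inter2 "Test Intermediate CA 2"  root   "$WORK/ca.ext"
  issue inter1 "Test Intermediate CA 1"  inter2 "$WORK/ca.ext"
  issue server "radius.example.test"     inter1 "$WORK/leaf.ext"
  # The CA bundle in the order the post describes: Inter1 -> Inter2 -> Root.
  cat "$WORK/inter1.crt" "$WORK/inter2.crt" "$WORK/root.crt" > "$WORK/CAChain.crt"
}

# Does SERVER_CERT verify against TRUSTED_CAFILE? The optional third file plays the role
# of the intermediates a TLS server sends to the client (openssl's -untrusted). Prints ok/fail.
verify_server_cert() {  # verify_server_cert TRUSTED_CAFILE SERVER_CERT [SENT_CHAIN]
  if [ $# -ge 3 ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  fi
  case "$out" in *": OK"*) echo ok ;; *) echo fail ;; esac
}

# Is the bundle in chain order? Starting from SERVER_CERT, each certificate must be issued
# by the next one in the file, and the last one must be the self-signed root. Prints ok/fail.
check_chain_order() {  # check_chain_order CAFILE SERVER_CERT
  dir=$(mktemp -d)
  # split the PEM bundle into cert-1.pem, cert-2.pem, ... in file order
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++} n>0 {print > (d "/cert-" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1") || n=0
  prev=$2
  i=1
  while [ "$i" -le "$n" ]; do
    cur="$dir/cert-$i.pem"
    if [ "$(dn issuer "$prev")" != "$(dn subject "$cur")" ]; then echo fail; return 0; fi
    prev=$cur
    i=$(( i + 1 ))
  done
  if [ "$(dn issuer "$prev")" != "$(dn subject "$prev")" ]; then echo fail; return 0; fi
  echo ok
}

build_test_pki
echo "server cert, root and intermediates all trusted:        $(verify_server_cert "$WORK/CAChain.crt" "$WORK/server.crt")"
echo "server cert, root alone trusted, nothing sent with it:  $(verify_server_cert "$WORK/root.crt" "$WORK/server.crt")"
echo "server cert, root alone trusted, intermediates sent:    $(verify_server_cert "$WORK/root.crt" "$WORK/server.crt" "$WORK/CAChain.crt")"
echo "CAChain.crt ordered Inter1 -> Inter2 -> Root:           $(check_chain_order "$WORK/CAChain.crt" "$WORK/server.crt")"
```

The second and third lines of output are the point: a client that trusts only the root fails on the server certificate unless the two intermediates arrive in the handshake, which is why a Trace 4 log showing the server certificate going out is not enough on its own; what matters is whether the intermediates go out with it. Run against the real files, substitute the DigiCert root for root.crt, weiland_camc_hsi.crt for server.crt and the concatenated CAChain.crt for the bundle. For a file used purely as a trust store the order of certificates is irrelevant; the ordering check matters only where a file is meant to be presented to the client as a chain.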