[RADIATOR] Certificate issues with intermediate certificates.

Christian Kratzer ck-lists at cksoft.de
Fri Nov 19 17:39:13 CST 2010


Hi,

On Fri, 19 Nov 2010, Smith, Todd wrote:

> In working with Radiator and Apple devices, I am having problems with the RADIUS server certificate being verified by the client.  In discussion with DigiCert, they suggest that Radiator is not correctly giving out the intermediate certificates to the client.  I am able to authenticate other devices so I don't think that is a problem but something is keeping the Apple devices from correctly authenticating.
>
> The syntax that I am using in Radiator is as follows:
>
> EAPType PEAP
>     # CAChain contains 2 intermediate certificates and the root certificate concatenated like this Inter1->Inter2->Root
>     EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
>     EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
>     EAPTLS_CertificateType PEM
>     EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>
>     EAPTLS_MaxFragmentSize 1000
>
> DigiCert has suggested to test for the intermediate certificates by the method quoted below using OpenSSL.  When I tested it using port 1812 or 443 all I received was the error message Connection refused:errno 29  Would you be able to test a certificate chain in this way?  Would you need a 802.1x client to handshake before the X.509 certificate would be transmitted?  Trace 4 shows Radiator handing out the certificate but even though the Apple clients have the appropriate root certificate, they can't verify the server certificate and there doesn't seem to be any problem with the server certificate since other devices don't seem to complain about it.
>
> Any suggestions as to what else I can look at?

a couple of short points:

If you used openssl s_client to test, be aware that s_client uses TCP for a TLS/SSL connection.  RADIUS runs on UDP and is a totally different protocol.  This cannot work, and "connection refused" is what you will get in such a case.

If you have a certificate and several intermediates you should use EAPTLS_CertificateChainFile instead of EAPTLS_CertificateFile.  Also be sure to put the server certificate first and then follow up with the intermediate certificates.

A good test client for EAP/PEAP is eapol_test from the wpa_supplicant project.  This will do actual RADIUS queries with EAP/PEAP and MSCHAP or whatever.  You will have to manually compile eapol_test from the wpa_supplicant sources though.

A quick google for eapol_test brings up the following: http://deployingradius.com/scripts/eapol_test/

Greetings
Christian

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck at cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer

