[RADIATOR] Certificate issues with intermediate certificates.

Mike McCauley mikem at open.com.au
Fri Nov 19 21:00:26 CST 2010


Hi Todd,

there were some recent postings on this topic on this list under the subject
"Can't get chain certificates to work" by "Stephen A. Felicetti", David Zych
and Andrew Clark, with a solution.

On Saturday 20 November 2010 06:55:02 am Smith, Todd wrote:
> In working with Radiator and Apple devices, I am having problems with the
> RADIUS server certificate being verified by the client.  In discussion with
> DigiCert, they suggest that Radiator is not correctly giving out the
> intermediate certificates to the client.  I am able to authenticate other
> devices so I don't think that is a problem but something is keeping the
> Apple devices from correctly authenticating.
>
> The syntax that I am using in Radiator is as follows:
>
> EAPType PEAP
> # CAChain contains 2 intermediate certificates and the root
> # certificate concatenated like this Inter1->Inter2->Root
> EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
> EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>
> EAPTLS_MaxFragmentSize 1000
>
> DigiCert has suggested to test for the intermediate certificates by the
> method quoted below using OpenSSL.  When I tested it using port 1812 or 443
> all I received was the error message Connection refused:errno 29.  Would you
> be able to test a certificate chain in this way?  Would you need an 802.1x
> client to handshake before the X.509 certificate would be transmitted? 
> Trace 4 shows Radiator handing out the certificate but even though the
> Apple clients have the appropriate root certificate, they can't verify the
> server certificate and there doesn't seem to be any problem with the server
> certificate since other devices don't seem to complain about it.
>
> Any suggestions as to what else I can look at?
>
> Todd Smith
>
> > Before going that direction, I think it would be valuable to determine
> > whether the server is sending any intermediate certificates at all.  The
> > current certificate you have requires two intermediates to chain
> > properly, while the reissue I'm suggesting would require just one
> > intermediate.  But if the server is sending no intermediates, then
> > neither option would resolve the issue.
> >
> > Can you try connecting to the RADIUS server using OpenSSL to check the
> > certificate chain?  From a workstation or server with OpenSSL that can
> > access the RADIUS server (or from the RADIUS server itself), you would
> > run this command:
>
> openssl s_client  -connect weiland.camc.hsi:<radius_ssl_port>
> where <radius_ssl_port> is the ssl port number on the RADIUS server
>



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.


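A note on the test DigiCert proposed, as an added example that is not part of this thread or of Radiator. openssl s_client cannot reach a RADIUS server: the server's TLS handshake is carried inside EAP, inside RADIUS over UDP, so there is no TCP listener on 1812 and "Connection refused" is the expected result. Seeing what the server actually puts on the wire needs an EAP-capable client (eapol_test from wpa_supplicant, or a packet capture of the EAP-TLS Certificate message from a real 802.1X attempt). What can be checked offline, with OpenSSL alone, is the certificate material: whether the server certificate chains to the root through the intermediates, and in what order a bundle stores them. The script below builds a throwaway two-intermediate hierarchy shaped like the one in the post (all names and keys are generated on the fly and are placeholders), then runs the two checks a practitioner would run against the real files: list the bundle's subjects in file order, and verify the leaf with the root as the only trust anchor, first without and then with the intermediates supplied as chain material.

```shell
#!/bin/sh
# Added example, not part of the Radiator list thread.  Offline checks of a
# RADIUS server's certificate chain: s_client cannot be used because the TLS
# handshake rides inside EAP inside RADIUS/UDP, but the files themselves can be
# inspected.  The CA hierarchy is generated here with throwaway keys and
# placeholder names; no real CA or server is involved.
set -eu

# Count the certificates in a PEM bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a PEM bundle into $2/cert01.pem, $2/cert02.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
}

# Print the Subject of every certificate in a bundle, one per line, in file
# order, to confirm a bundle really is leaf-side first (Inter1, Inter2, Root).
chain_subjects() {
    parts=$(mktemp -d)
    split_bundle "$1" "$parts"
    for f in "$parts"/cert*.pem; do
        openssl x509 -noout -subject -in "$f"
    done
    rm -rf "$parts"
}

# issue_cert DIR NAME SUBJECT ISSUER EXTFILE: new key and CSR for NAME, signed
# by ISSUER's key with the extensions in EXTFILE.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
        -CAcreateserial -days 30 -extfile "$1/$5" -out "$1/$2.crt" 2>/dev/null
}

# Build Root -> Inter2 -> Inter1 -> server, like the two-intermediate chain in
# the post, plus a CAChain.crt bundle ordered Inter1, Inter2, Root.
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/ee.ext"
    # Self-signed root with explicit CA extensions, so nothing depends on openssl.cnf.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -days 30 -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    issue_cert "$dir" inter2 "/CN=Demo Intermediate 2" root   ca.ext
    issue_cert "$dir" inter1 "/CN=Demo Intermediate 1" inter2 ca.ext
    issue_cert "$dir" server "/CN=radius.example.test" inter1 ee.ext
    cat "$dir/inter1.crt" "$dir/inter2.crt" "$dir/root.crt" > "$dir/CAChain.crt"
    cat "$dir/inter1.crt" "$dir/inter2.crt" > "$dir/intermediates.pem"
}

# What a client that trusts only the root sees if the server sends nothing but
# its own certificate: the chain cannot be built.  Returns openssl verify's status.
verify_root_only() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# The same client when the intermediates arrive alongside the server certificate.
# -untrusted supplies them as chain material without making them trust anchors.
verify_with_intermediates() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediates.pem" \
        "$1/server.crt" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR"
echo "CAChain.crt holds $(cert_count "$DEMO_DIR/CAChain.crt") certificates, in this order:"
chain_subjects "$DEMO_DIR/CAChain.crt"
if verify_root_only "$DEMO_DIR"; then
    echo "root only: server.crt verifies (intermediates not needed)"
else
    echo "root only: server.crt does NOT verify - the client needs the intermediates"
fi
if verify_with_intermediates "$DEMO_DIR"; then
    echo "root + intermediates: server.crt verifies"
fi
```

Against the real files, the same two commands are `chain_subjects CAChain.crt` (does the bundle really read Inter1, Inter2, Root?) and `openssl verify -CAfile <root> -untrusted <intermediates> weiland_camc_hsi.crt` (does the leaf chain through them?). A pass here only proves the material is consistent; whether the intermediates are sent to the supplicant can only be confirmed by an EAP-aware client or a capture of the EAP-TLS exchange.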