[RADIATOR] Certificate issues with intermediate certificates.

Smith, Todd Todd.Smith at camc.org
Mon Nov 22 16:04:22 CST 2010


Hello Christian,

Thank you for your very helpful response!  I was able to download and compile eapol_test from the wpa_supplicant source and it seems to show the intermediate certificate chain is being transmitted correctly.  It is hard to know exactly since most of the output is hex dumps, but I see DigiCert logos in the output so I believe that it is working correctly.

I am able to successfully authenticate many clients of different OS but the Apple devices seem to be giving me the most problems.  I flashed a 2nd Gen iPod Touch today using the latest iOS 4.2.1 but it didn't change the underlying issue.  The Radiator server certificate is consistently showing up on the Apple device as Not Verified even though the correct Root Certificate is on the device.

I had to change to using EAPTLS_CertificateChainFile and ran into the issue with EAPTLS_PrivateKeyFile as others have recently and it was quickly solved as you point out by placing the server certificate first.

I have DigiCert engaged in looking into the problem but it is very puzzling since even with the correct Root, the server still doesn't verify.

Todd Smith

-----Original Message-----
From: Christian Kratzer [mailto:ck-lists at cksoft.de] 
If you have a certificate and several intermediates you should use EAPTLS_CertificateChainFile instead of EAPTLS_CertificateFile.  Also be sure to put the server certificate first and then follow up with the intermediate certificates.

A good test client for EAP/PEAP is eapol_test from the wpa_supplicant project. This will do actual radius queries with EAP/PEAP and MSCHAP or whatever.  You will have to manually compile eapol_test from the wpa_supplicant sources though.

A quick google for eapol_test brings up the following: http://deployingradius.com/scripts/eapol_test/



