[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

Thu Mar 1 05:56:55 CST 2012

Hello Heikki,

TLS_CAFile did not change anything.
The AuthBy Radius is used for the communication with a domain controller running with nps.

I do not quite understand, where the certificates are verified and where they are presented.
ServerRadsec and AuthBy Radsec have the same configuration for the certificates. 
Where has the Toplevel-CA to be set to check the incoming certificate?
Another question is, if there is any need to set anything like TLS in the '<Client>' section?
Third question would be, if there are any eduroam (with radsec) configs available for comparing them with my config?
I might get sure with a certain config, that there are no problems with my current installation.

Regards
Christian

-----Ursprüngliche Nachricht-----
Von: Heikki Vatiainen [mailto:hvn at open.com.au] 
Gesendet: Donnerstag, 15. Dezember 2011 11:57
An: Röver, Christian
Cc: radiator at open.com.au
Betreff: Re: AW: [RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

On 12/14/2011 05:21 PM, Röver, Christian wrote:
> The posted logfile is the full trace 4 logging and the config I posted 
> before is he complete config (I only cut the descriptions and the 
> lines that were commented out).

Ok.

> The certificates are all valid and have been verified by the toplevel-ca.
> Maybe it is useful to know, that we have our own CA.
> Our CA is the lowest in a row of three CA's. The CA-files are all 
> stored in the CAPath-folder together with our own CA's chain file.

You could try TLS_CAFile instead of TLS_CAPath. Please see below for more.

> The error message tells about problems with the verification of a 
> certificate. Is there any need to use the CA-files directly instead of 
> the CAPath?

If you use CAPath, the certificate files are accessed by CA subject name hash. In most cases this means there's a symbolic link like this:

lrwxrwxrwx 1 root root     20 2011-10-13 16:42 ddc328ff.0 ->
Thawte_Server_CA.pem

See this for how to use command c_rehash to create the links:
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

Instead of using TLS_CAPath you can put all CA certifcates in one file and point TLS_CAFile to that file. That might be easier to maintain the symbolic links for all required certificates.

> Another question is: we use eaptls for the communication with our ldap 
> server (this works!), but we have to use TLS for radsec with the 
> toplevel server. Might there be a problem?

Sorry, I did not quite understand this. You can use SSL or TLS for LDAP connections from Radiator without worries with RadSec.

I also just noticed you use AuthBy RADIUS too. Are you proxying PEAP and TTLS inner authentication via RADIUS?

Thanks!

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.