[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

Röver, Christian christian.roever at hfk-bremen.de
Thu Mar 1 05:56:55 CST 2012


Hello Heikki,

TLS_CAFile did not change anything.
The AuthBy Radius is used for the communication with a domain controller running with nps.

I do not quite understand where the certificates are verified and where they are presented.
ServerRadsec and AuthBy Radsec have the same configuration for the certificates.
Where does the top-level CA have to be set to check the incoming certificate?
Another question is whether there is any need to set anything like TLS in the '<Client>' section.
A third question would be whether there are any eduroam (with radsec) configs available to compare with my config.
With a known-good config I could make sure that there are no problems with my current installation.

Regards
Christian

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au]
Sent: Thursday, 15 December 2011 11:57
To: Röver, Christian
Cc: radiator at open.com.au
Subject: Re: AW: [RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

On 12/14/2011 05:21 PM, Röver, Christian wrote:
> The posted logfile is the full trace 4 logging and the config I posted 
> before is the complete config (I only cut the descriptions and the 
> lines that were commented out).

Ok.

> The certificates are all valid and have been verified by the toplevel-ca.
> Maybe it is useful to know, that we have our own CA.
> Our CA is the lowest in a row of three CAs. The CA files are all 
> stored in the CAPath folder together with our own CA's chain file.

You could try TLS_CAFile instead of TLS_CAPath. Please see below for more.

> The error message tells about problems with the verification of a 
> certificate. Is there any need to use the CA-files directly instead of 
> the CAPath?

If you use CAPath, the certificate files are accessed by CA subject name hash. In most cases this means there's a symbolic link like this:

lrwxrwxrwx 1 root root     20 2011-10-13 16:42 ddc328ff.0 -> Thawte_Server_CA.pem

See this for how to use command c_rehash to create the links:
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

Instead of using TLS_CAPath you can put all CA certificates in one file and point TLS_CAFile to that file. That might be easier than maintaining the symbolic links for all required certificates.

> Another question is: we use eaptls for the communication with our ldap 
> server (this works!), but we have to use TLS for radsec with the 
> toplevel server. Might there be a problem?

Sorry, I did not quite understand this. You can use SSL or TLS for LDAP connections from Radiator without worries with RadSec.

I also just noticed you use AuthBy RADIUS too. Are you proxying PEAP and TTLS inner authentication via RADIUS?

Thanks!

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
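The two trust-store layouts Heikki contrasts above, TLS_CAPath (a directory of certificates found by subject-name hash, as c_rehash lays them out) and TLS_CAFile (one concatenated PEM bundle), can be built and checked with a few shell functions. This is an added example, not code from the thread or from Radiator; the directory and file names are placeholders, and it assumes the openssl command-line tool is installed. The check_chain helper is the test a practitioner would run before blaming Radiator: if openssl itself cannot verify the certificate Radiator presents against the bundle, Radiator will fail in the same way.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build the trust-store
# layouts that TLS_CAPath and TLS_CAFile expect from a directory of PEM CA
# certificates, and verify a certificate against the resulting bundle.

# build_capath SRC_DIR CAPATH_DIR
# For every PEM file in SRC_DIR, create the <subject-hash>.<n> symlink that
# OpenSSL looks up when given a CA directory (what c_rehash does).
build_capath() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
        n=0
        # Several CAs can share a subject hash (re-issued roots, cross-signs):
        # bump the numeric suffix until the name is free, as c_rehash does.
        while [ -e "$dst/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")" "$dst/$hash.$n"
    done
}

# build_cafile SRC_DIR OUT_FILE
# Concatenate every CA certificate into one bundle for TLS_CAFile. Nothing
# has to be rehashed when a CA in the chain is replaced; rebuild the file.
build_cafile() {
    src=$1; out=$2
    : > "$out"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        cat "$pem" >> "$out"
    done
}

# check_chain CA_FILE CERT
# Confirm that CERT chains to the bundle; prints "<cert>: OK" on success or
# the OpenSSL verification error (the same class of error Radiator logs).
check_chain() {
    openssl verify -CAfile "$1" "$2"
}
```

Run build_cafile over the three CA certificates of the chain (root, intermediate, issuing CA) and point TLS_CAFile at the result; if check_chain on the RadSec server certificate reports anything other than OK, the bundle is incomplete or the wrong CA was included, and that is the verification failure to fix first.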
