[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

Heikki Vatiainen hvn at open.com.au
Fri Mar 2 02:55:08 CST 2012


On 03/01/2012 01:56 PM, Röver, Christian wrote:

> TLS_CAFile did not change anything.
> The AuthBy Radius is used for the communication with a domain controller running with nps.
> 
> I do not quite understand, where the certificates are verified and where they are presented.
> ServerRadsec and AuthBy Radsec have the same configuration for the certificates. 
> Where does the top-level CA have to be set to check the incoming certificate?

Please see goodies/radsec-client.cfg and goodies/radsec-server.cfg

Reviewing these files should show how the client and server certificates
are set. They both use the same top level CA. This CA has signed both
client and server certificates.

If you start two radiusd instances, one with the client and the other with
the server config, these can be used for RadSec experimentation.


> Another question is, if there is any need to set anything like TLS in the '<Client>' section?

No. Instead of Client there is ServerRADSEC.

> Third question would be, if there are any eduroam (with radsec) configs available for comparing them with my config?
> With a known config I might make sure that there are no problems with my current installation.

This might be useful, but RadSec support in the docs seems to have
focused on federation level servers currently. However, I do know from
experience that the RadSec configuration should have nothing very special.

http://www.eduroam.org/index.php?p=europe&s=docs

This document talks about federation level servers, but has an example
with TLS_PolicyOID which is needed with certificates eduroam uses.

https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+at+national+level#Howtodeployeduroamatnationallevel-Sampleconfigfile

You may want to talk to your local NREN about the certificates and
required configuration.

Thanks!
Heikki


> Regards
> Christian
> 
> -----Original Message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au] 
> Sent: Thursday, 15 December 2011 11:57
> To: Röver, Christian
> Cc: radiator at open.com.au
> Subject: Re: Re: [RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed
> 
> On 12/14/2011 05:21 PM, Röver, Christian wrote:
>> The posted logfile is the full trace 4 logging and the config I posted 
>> before is the complete config (I only cut the descriptions and the 
>> lines that were commented out).
> 
> Ok.
> 
>> The certificates are all valid and have been verified by the top-level CA.
>> Maybe it is useful to know that we have our own CA.
>> Our CA is the lowest in a row of three CAs. The CA files are all 
>> stored in the CAPath folder together with our own CA's chain file.
> 
> You could try TLS_CAFile instead of TLS_CAPath. Please see below for more.
> 
>> The error message tells about problems with the verification of a 
>> certificate. Is there any need to use the CA-files directly instead of 
>> the CAPath?
> 
> If you use CAPath, the certificate files are accessed by CA subject name hash. In most cases this means there's a symbolic link like this:
> 
> lrwxrwxrwx 1 root root     20 2011-10-13 16:42 ddc328ff.0 ->
> Thawte_Server_CA.pem
> 
> See this for how to use command c_rehash to create the links:
> http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
> 
> Instead of using TLS_CAPath you can put all CA certificates in one file and point TLS_CAFile to that file. That might be easier than maintaining the symbolic links for all required certificates.
> 
>> Another question is: we use eaptls for the communication with our ldap 
>> server (this works!), but we have to use TLS for radsec with the 
>> toplevel server. Might there be a problem?
> 
> Sorry, I did not quite understand this. You can use SSL or TLS for LDAP connections from Radiator without worries with RadSec.
> 
> I also just noticed you use AuthBy RADIUS too. Are you proxying PEAP and TTLS inner authentication via RADIUS?
> 
> Thanks!
> 
> --
> Heikki Vatiainen <hvn at open.com.au>


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
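To make the TLS_CAPath versus TLS_CAFile point in the quoted reply concrete, here is an added shell example (not from the Radiator goodies or from anyone in this thread) that builds a constructed three-level test chain with openssl, creates the subject-hash links that c_rehash would create, writes the single-file bundle, and verifies the server certificate against both layouts. All file names and subjects are constructed for the example.

```shell
#!/bin/sh
# Added example: TLS_CAPath-style hash directory vs. TLS_CAFile bundle.
set -eu

# rehash_dir DIR: create <subjecthash>.N links for every *.pem in DIR,
# the layout OpenSSL (and therefore Radiator's TLS_CAPath) looks up.
rehash_dir() {
  dir=$1
  for pem in "$dir"/*.pem; do
    h=$(openssl x509 -in "$pem" -noout -hash)
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$pem")" "$dir/$h.$n"
  done
}

# bundle_file DIR OUT: concatenate all CA certificates into one TLS_CAFile.
bundle_file() {
  cat "$1"/*.pem > "$2"
}

# make_chain DIR: constructed chain root -> intermediate -> server, with the
# two CA certificates placed in DIR/ca (the would-be TLS_CAPath directory).
make_chain() {
  d=$1; mkdir -p "$d/ca"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=Test-Root \
    -keyout "$d/root.key" -out "$d/ca/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=Test-Intermediate \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/ca/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/ca/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=radsec.example.test \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/srv.csr" -CA "$d/ca/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/srv.pem" 2>/dev/null
}

# verify_both DIR: succeed only if the server cert verifies via the hashed
# directory AND via the single bundle file; a missing hash link breaks the first.
verify_both() {
  openssl verify -CApath "$1/ca" "$1/srv.pem" >/dev/null &&
  openssl verify -CAfile "$1/ca-bundle.pem" "$1/srv.pem" >/dev/null
}
```

Without rehash_dir the -CApath check fails with "unable to get local issuer certificate", which is the same failure mode as a Radiator TLS_CAPath directory that holds the PEM files but not their hash links.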
