
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

trying to use EAPTLS_CertificateChainFile does not work - we are running 4.16 - these errors appear when a user attempts to connect:</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Wed Jun  2 13:32:22 2021: ERR: TLS could not load_verify_locations , :  16422: 1 - error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library

<div> 16422: 2 - error:25070067:DSO support routines:DSO_load:could not load the shared library</div>

<div> 16422: 3 - error:260B6084:engine routines:DYNAMIC_LOAD:dso not found</div>

 16422: 4 - error:2606A074:engine routines:ENGINE_by_id:no such engine<br>

</div>

<div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div id="Signature">

<div>

<div></div>

<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">

<div style="font-family:Tahoma; font-size:13px">---

<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>

<div><span id="ms-rterangepaste-end"></span></div>

</div>

</div>

</div>

</div>

</div>

</div>

<div id="appendonsend"></div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<br>

</div>

<hr tabindex="-1" style="display:inline-block; width:98%">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> radiator <radiator-bounces@lists.open.com.au> on behalf of Heikki Vatiainen <hvn@open.com.au><br>

<b>Sent:</b> Wednesday, June 2, 2021 11:26 AM<br>

<b>To:</b> radiator@lists.open.com.au <radiator@lists.open.com.au><br>

<b>Subject:</b> Re: [RADIATOR] Certificate Not Trusted - InCommon?</font>

<div> </div>

</div>

<div class="BodyFragment"><font size="2"><span style="font-size:11pt">

<div class="PlainText">On 2.6.2021 18.42, Ullfig, Roberto Alfredo wrote:<br>

<br>

> Also this document:<br>

> <br>

> <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-server%2Fnetworking%2Fcertificate-requirements-eap-tls-peap&amp;data=04%7C01%7Crullfig%40uic.edu%7Cc2d346b461cb402e370708d925e34d4d%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637582480450282431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=y3hMSGoZ5IMy8bpKzVXFT7QTof15NWUQLhqf8UWGyAg%3D&amp;reserved=0">

https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-server%2Fnetworking%2Fcertificate-requirements-eap-tls-peap&amp;data=04%7C01%7Crullfig%40uic.edu%7Cc2d346b461cb402e370708d925e34d4d%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637582480450282431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=y3hMSGoZ5IMy8bpKzVXFT7QTof15NWUQLhqf8UWGyAg%3D&amp;reserved=0</a>

<br>

> <br>

> "For wireless clients, the Subject Alternative Name (SubjectAltName) <br>

> extension contains the server's fully qualified domain name (FQDN)."<br>

> <br>

> What is this referring to? Does the SAN for our cert need to match <br>

> anything, like the server radiator is running on, etc....<br>

<br>

When profiles are provisioned AD policies or other tools, they set the <br>

WLAN name, expected CA certificates and the expected name in the RADIUS <br>

server's certificate (and possible other information). It seems the name <br>

in a profile is expected to be in SAN when TLS based EAP authentication <br>

is done.<br>

<br>

With HTTPS the browser knows from the URL the expected name of the web <br>

server and the certificate name validation is based on that. With, for <br>

example PEAP, the name is part of the profile settings, or manual <br>

configuration. The client knows from its configuration settings this <br>

configuration and that's what the SAN of your cert needs to match.<br>

<br>

There's no need for the SAN to match the name of the server Radiator <br>

runs on. If you have multiple Radius servers for redundancy purposes, <br>

the can use the same certificate or different certificates. In the <br>

latter case, the profile or other configuration must know about the both <br>

names or otherwise the client devices will start prompting about uknown <br>

or untrusted certificate.<br>

<br>

Getting back to Trust-On-First-Use (TOFU), if you have a profile, then <br>

there should be no TOFU triggered prompts because the trust settings are <br>

already defined.<br>

<br>

Thanks,<br>

Heikki<br>

<br>

<br>

-- <br>

Heikki Vatiainen <hvn@open.com.au><br>

<br>

Radiator: the most portable, flexible and configurable RADIUS server<br>

anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,<br>

EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,<br>

DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.<br>

_______________________________________________<br>

radiator mailing list<br>

radiator@lists.open.com.au<br>

<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&amp;data=04%7C01%7Crullfig%40uic.edu%7Cc2d346b461cb402e370708d925e34d4d%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637582480450282431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=mdsfwcsBuNipMTJ4thg1CY4xmbwm6j%2FFKPnxMOoZ8ow%3D&amp;reserved=0">https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&amp;data=04%7C01%7Crullfig%40uic.edu%7Cc2d346b461cb402e370708d925e34d4d%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637582480450282431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=mdsfwcsBuNipMTJ4thg1CY4xmbwm6j%2FFKPnxMOoZ8ow%3D&amp;reserved=0</a><br>

</div>

</span></font></div>

</body>

</html>