Hi,

On Fri, 19 Nov 2010, Smith, Todd wrote:

> In working with Radiator and Apple devices, I am having problems with the
> RADIUS server certificate being verified by the client. In discussion with
> DigiCert, they suggest that Radiator is not correctly giving out the
> intermediate certificates to the client. I am able to authenticate other
> devices so I don't think that is a problem but something is keeping the Apple
> devices from correctly authenticating.
>
> The syntax that I am using in Radiator is as follows:
>
> EAPType PEAP
> # CAChain contains 2 intermediate certificates and the root certificate concatenated like this Inter1->Inter2->Root
> EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
> EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>
> EAPTLS_MaxFragmentSize 1000
>
> DigiCert has suggested to test for the intermediate certificates by the
> method quoted below using OpenSSL. When I tested it using port 1812 or 443
> all I received was the error message "Connection refused:errno 29". Would you
> be able to test a certificate chain in this way? Would you need an 802.1x
> client to handshake before the X.509 certificate would be transmitted? Trace
> 4 shows Radiator handing out the certificate but even though the Apple
> clients have the appropriate root certificate, they can't verify the server
> certificate and there doesn't seem to be any problem with the server
> certificate since other devices don't seem to complain about it.
>
> Any suggestions as to what else I can look at?

A couple of short points:

If you used openssl s_client to test, be aware that s_client uses TCP for a
TLS/SSL connection. RADIUS runs on UDP and is a totally different protocol.
This cannot work, and "connection refused" is what you will get in such a case.

If you have a certificate and several intermediates you should use
EAPTLS_CertificateChainFile instead of EAPTLS_CertificateFile.
Also be sure to put the server certificate first and then follow up with the
intermediate certificates.

A good test client for EAP/PEAP is eapol_test from the wpa_supplicant project.
This will do actual RADIUS queries with EAP/PEAP and MSCHAP or whatever. You
will have to manually compile eapol_test from the wpa_supplicant sources
though. A quick google for eapol_test brings up the following:

http://deployingradius.com/scripts/eapol_test/

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email: [email protected]         Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0         D-71126 Gaeufelden
Fax:   +49 7032 893 997 - 9         HRB 245288, Amtsgericht Stuttgart
Web:   http://www.cksoft.de/        Geschaeftsfuehrer: Christian Kratzer
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
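Worked example for the two points in the reply above (chain file order for EAPTLS_CertificateChainFile, and testing with eapol_test instead of s_client). This is an added script, not code from the thread, from Radiator or from the wpa_supplicant project. It builds a throwaway Root -> Inter1 -> Inter2 -> server PKI with openssl so it runs offline, assembles the chain file server-cert-first as the reply describes, and checks it two ways: every certificate must be issued by the one that follows it (openssl verify alone does not catch a wrong order, because any certificate that chains to the root verifies), and the first certificate must verify using only the root as trust anchor. All file names, subjects, identity and password are assumptions. The eapol_test invocation at the end is shown as a comment because it needs a live RADIUS server.

```shell
#!/bin/sh
# Added example (not from the original thread, Radiator or wpa_supplicant).
# Throwaway PKI + chain-order check for a Radiator EAPTLS_CertificateChainFile.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=${WORK:-$(mktemp -d)}   # assumption: scratch directory for the demo files
cd "$WORK"

# mkcert <name> <subject> <extfile> [issuer]; no issuer means self-signed
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
      -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
        -days 1 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
mkcert root   "/CN=Test Root"   ca.ext
mkcert inter1 "/CN=Test Inter1" ca.ext root
mkcert inter2 "/CN=Test Inter2" ca.ext inter1
mkcert server "/CN=radius.example.test" server.ext inter2   # hypothetical server name

# split_pem <bundle> <prefix>: writes prefix.0.pem, prefix.1.pem, ... in file order
split_pem() {
  rm -f "$2".*.pem
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } { idx = n - 1; print > (p "." idx ".pem") }' "$1"
}

# chain_order_ok <bundle>: returns 0 if certificate i is issued by certificate i+1
# for every i, i.e. leaf first, then intermediates nearest the leaf first.
chain_order_ok() {
  split_pem "$1" part
  i=0
  while [ -f "part.$((i + 1)).pem" ]; do
    iss=$(openssl x509 -noout -issuer  -in "part.$i.pem")
    sub=$(openssl x509 -noout -subject -in "part.$((i + 1)).pem")
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# chain_verifies <bundle> <rootfile>: returns 0 if the first certificate in the
# bundle verifies with only the root trusted and the rest of the bundle untrusted.
# Note: this passes for any certificate that chains to the root, so it does not
# detect a wrongly ordered bundle on its own; chain_order_ok does that.
chain_verifies() {
  split_pem "$1" part
  openssl verify -CAfile "$2" -untrusted "$1" part.0.pem >/dev/null 2>&1
}

# Right: what EAPTLS_CertificateChainFile should contain. The root goes into
# EAPTLS_CAFile and is not part of the chain file.
cat server.crt inter2.crt inter1.crt > chain.pem
# Wrong for a chain file: issuer-first order.
cat inter1.crt inter2.crt server.crt > wrong.pem

# write_eapol_conf <rootfile> <outfile>: minimal wpa_supplicant/eapol_test
# network block for PEAP/MSCHAPv2 that pins the trust anchor to the root CA.
# identity and password are placeholders (assumption).
write_eapol_conf() {
  cat > "$2" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="testuser"
    password="testpass"
    ca_cert="$WORK/$1"
    phase2="auth=MSCHAPV2"
}
EOF
}
write_eapol_conf root.crt peap.conf
# Against a live server (not run here; shared secret is an assumption):
#   eapol_test -c peap.conf -a 127.0.0.1 -p 1812 -s radiussecret
# eapol_test speaks RADIUS over UDP and carries EAP inside it, which is why it
# can exercise the TLS handshake where openssl s_client (TCP) cannot.

chain_order_ok chain.pem && echo "chain.pem: server cert first, each cert issued by the next"
chain_verifies chain.pem root.crt && echo "chain.pem: first cert verifies against root"
chain_order_ok wrong.pem || echo "wrong.pem: issuer-first order rejected"
```

The corresponding Radiator settings would then be EAPTLS_CAFile pointing at the root (or root plus intermediates, order there does not matter for a trust store) and EAPTLS_CertificateChainFile pointing at chain.pem; the rest of the handler stays as in the original post.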
