Hello Heikki,

TLS_CAFile did not change anything. The AuthBy Radius is used for the communication with a domain controller running NPS.

I do not quite understand where the certificates are verified and where they are presented. ServerRadsec and AuthBy Radsec have the same configuration for the certificates. Where does the Toplevel-CA have to be set to check the incoming certificate?

Another question is whether there is any need to set anything like TLS in the '<Client>' section?

A third question would be whether there are any eduroam (with radsec) configs available for comparing them with my config. With a known config I could make sure that there are no problems with my current installation.

Regards
Christian

-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au]
Sent: Thursday, 15 December 2011 11:57
To: Röver, Christian
Cc: radiator@open.com.au
Subject: Re: AW: [RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

On 12/14/2011 05:21 PM, Röver, Christian wrote:

> The posted logfile is the full trace 4 logging and the config I posted
> before is the complete config (I only cut the descriptions and the
> lines that were commented out).

Ok.

> The certificates are all valid and have been verified by the toplevel-ca.
> Maybe it is useful to know, that we have our own CA.
> Our CA is the lowest in a row of three CA's. The CA-files are all
> stored in the CAPath-folder together with our own CA's chain file.

You could try TLS_CAFile instead of TLS_CAPath. Please see below for more.

> The error message tells about problems with the verification of a
> certificate. Is there any need to use the CA-files directly instead of
> the CAPath?

If you use CAPath, the certificate files are accessed by CA subject name hash. In most cases this means there's a symbolic link like this:

lrwxrwxrwx 1 root root 20 2011-10-13 16:42 ddc328ff.0 -> Thawte_Server_CA.pem

See this for how to use command c_rehash to create the links:
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

Instead of using TLS_CAPath you can put all CA certificates in one file and point TLS_CAFile to that file. That might be easier than maintaining the symbolic links for all required certificates.

> Another question is: we use eaptls for the communication with our ldap
> server (this works!), but we have to use TLS for radsec with the
> toplevel server. Might there be a problem?

Sorry, I did not quite understand this. You can use SSL or TLS for LDAP connections from Radiator without worries with RadSec.

I also just noticed you use AuthBy RADIUS too. Are you proxying PEAP and TTLS inner authentication via RADIUS?

Thanks!

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator