cat-users - Re: [cat-users] CAT 1.1 Issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Jacques ROGNIN <rognin AT essec.edu>, Tomasz Wolniewicz <twoln AT umk.pl>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] CAT 1.1 Issues
  • Date: Fri, 29 May 2015 08:03:10 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

from the FreeRADIUS documentation (raddb/mods-enabled/eap):

# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem

So you need to put both PEM blocks into that single file. I believe the
order IS important there; and I believe you need to put the server cert
first and the intermediate CA after.

You do not have to include the ROOT CA in RADIUS; that one is only
useful on the client side (and that's why we ask for it in CAT).

Greetings,

Stefan Winter

On 28.05.2015 16:04, Jacques ROGNIN wrote:
> OK understood Tomasz.
> Thanks for your precious help.
>
> Hope that somebody else will have an idea.
>
> Cheers
>
> 2015-05-28 15:42 GMT+02:00 Tomasz Wolniewicz <twoln AT umk.pl>:
>
> Hi Jacques,
>
> On 2015-05-28 at 15:18, Jacques ROGNIN wrote:
> > You are right Tomasz!
> > A reload changes the look ::
> > ...... but doesn't fix my problem :-/
>
> The warning returned states, as you probably realise yourself, that your
> server does not add the intermediate CAs to the EAP exchange.
> The intermediate CAs are loaded into the CAT profile so the validation
> is possible but this setup may be a potential problem for your users,
> for instance for those who configure their devices manually. To make a
> secure configuration they just need to point to the Symantec root CA and
> input the names of your servers, however when they connect to your
> server it will not be possible to verify its certificate since the
> certification chain will not be complete.
>
> Since you have all intermediates in CAT profiles, installations done
> with CAT installers should work properly as they install the
> intermediate CAs, but looking from the point of view of RADIUS setup,
> the current configuration at least requires a warning.
>
> From the CAT side all is fine, the problem you are left with is how to
> push the CAs into the FreeRADIUS configuration, therefore you should
> look up help from FreeRADIUS experts. Many of them are also on this list
> so perhaps someone will suggest a solution.
>
> Cheers
> Tomasz
>
>
> --
> Tomasz Wolniewicz
>
> twoln AT umk.pl
>
> http://www.home.umk.pl/~twoln
>
> Uczelniane Centrum Informatyczne, Uniwersytet Mikolaja Kopernika
> Information & Communication Technology Centre, Nicolaus Copernicus University
> pl. Rapackiego 1, Torun, Poland
> tel: +48-56-611-2750  fax: +48-56-622-1850  mobile: +48-693-032-576
>
>
>
>
> --
> Jacques ROGNIN
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature



