eap-tls certificate in freeradius

Chanthearith HUON chanthearith.huon at telecom-sudparis.eu
Wed Aug 20 15:53:27 CEST 2008


Hello,

I am currently experimenting with EAP-TLS for a delay comparison. I am using 
wpa_supplicant as the client and FreeRADIUS as the server. I am now having 
problems with certificates.

I used the script provided in the FreeRADIUS package to create those 
certificates successfully; however, during authentication FreeRADIUS 
just rejects the certificate and sends "eap failure, code 
Failure (4)" (as shown by Wireshark) to the client.

I am using fedora 8 (kernel 2.6.23.9-85.fc8) to host both freeradius and 
wpa_supplicant.
Freeradius 1.1.6 (for host i686-pc-linux-gnu, built on Jun 1 2007)
wpa_supplicant v0.5.7 (also tried v0.5.8, with the same problem)

I am not sure whether the configurations for creating the certificates are correct.
Here are the configuration files used to create the CA, server and client 
certificates (also attached to this mail):

-------------------------- CA ------------------------------

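# ca.cnf - OpenSSL configuration for the example certificate authority.
# [ca]/[CA_default] are read by `openssl ca` when signing requests; [req] and
# the sections it names are read by `openssl req` when the CA itself is made.

[ca]
default_ca = CA_default

[CA_default]
# Every path below is relative to the working directory of the command.
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
# The CA's own certificate and private key, used to sign issued certificates.
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
# Validity, in days, of issued certificates and of CRLs.
default_days = 365
default_crl_days = 30
# Signature digest for issued certificates. The posted file used md5: MD5 is
# collision-broken and current TLS stacks refuse MD5-signed certificates.
# sha256 is available from OpenSSL 0.9.8 on; fall back to sha1 only if a
# peer's library is older than that.
default_md = sha256
preserve = no
policy = policy_match

[policy_match]
# Requests signed under this policy must repeat the CA's C, ST and O exactly;
# CN is mandatory, OU and email are optional.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[policy_anything]
# Permissive alternative; not referenced by [CA_default] above.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
# Non-interactive: the subject is taken from [certificate_authority].
prompt = no
distinguished_name = certificate_authority
# RSA key size of the CA key.
default_bits = 2048
# Passphrase protecting ca.key. "whatever" is the upstream example's
# placeholder; change it for anything beyond a lab test.
input_password = whatever
output_password = whatever
x509_extensions = v3_ca

[certificate_authority]
countryName = FR
stateOrProvinceName = Evry
localityName = Evry
organizationName = Example Inc.
# NOTE(review): the list archive rewrites "@" as " at "; the real file
# presumably reads admin@example.com - confirm against the attachment.
emailAddress = admin at example.com
commonName = "Example Certificate Authority"

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Marks this certificate as a CA. Consider "critical, CA:true" together with
# keyUsage = critical, keyCertSign, cRLSign so the CA key is not accepted
# for end-entity purposes.
basicConstraints = CA:true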


-------------------------- end of CA ------------------------------



-------------------------- Client ------------------------------

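# client.cnf - OpenSSL configuration used to create the EAP-TLS client
# request/certificate. Same layout as the CA file; only the signing paths and
# the [req]/[client] subject differ.

[ca]
default_ca = CA_default

[CA_default]
# Every path below is relative to the working directory of the command.
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
# NOTE(review): these name the *server* certificate and key, not the CA's.
# `openssl ca` only falls back to them when no -cert/-keyfile is given on the
# command line; the upstream FreeRADIUS script passes -cert ca.pem
# -keyfile ca.key (as far as I recall - check the script), so there it is
# harmless. If client.pem was in fact signed with server.key, FreeRADIUS,
# which trusts ca.pem, would reject it exactly as described; check with
# `openssl verify -CAfile ca.pem client.pem`.
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
# Validity, in days, of issued certificates and of CRLs.
default_days = 365
default_crl_days = 30
# Signature digest. The posted file used md5, which current TLS stacks
# refuse for certificate signatures; sha256 is available from OpenSSL 0.9.8.
default_md = sha256
preserve = no
policy = policy_match

[policy_match]
# Requests must repeat the CA's C, ST and O exactly; CN is mandatory.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[policy_anything]
# Permissive alternative; not referenced by [CA_default] above.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
# Non-interactive: the subject is taken from [client].
prompt = no
distinguished_name = client
default_bits = 2048
# Passphrase on the client key; "whatever" is the upstream placeholder.
input_password = whatever
output_password = whatever
# No x509_extensions here. Presumably the FreeRADIUS script adds
# extendedKeyUsage clientAuth via -extfile xpextensions -extensions
# xpclient_ext on the `openssl ca` command line - confirm, since some peers
# (Windows) refuse EAP-TLS certificates without it.

[client]
# C, ST and O deliberately match the CA: [policy_match] requires it.
countryName = FR
stateOrProvinceName = Evry
localityName = Evry
organizationName = Example Inc.
# NOTE(review): the list archive rewrites "@" as " at "; the real values are
# presumably user@example.com and root@localhost - confirm.
emailAddress = user at example.com
commonName = root at localhost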

-------------------------- end of Client ------------------------------



-------------------------- Server ------------------------------

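# server.cnf - OpenSSL configuration used to create the RADIUS server
# request/certificate. Same layout as the CA file; only the signing paths and
# the [req]/[server] subject differ.

[ca]
default_ca = CA_default

[CA_default]
# Every path below is relative to the working directory of the command.
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
# NOTE(review): these name the server's own certificate and key rather than
# the CA's. `openssl ca` only falls back to them when no -cert/-keyfile is
# given on the command line; the upstream FreeRADIUS script passes
# -cert ca.pem -keyfile ca.key (as far as I recall - check the script). If
# server.pem was not signed by ca.key, wpa_supplicant will not accept it
# against ca.pem; check with `openssl verify -CAfile ca.pem server.pem`.
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
# Validity, in days, of issued certificates and of CRLs.
default_days = 365
default_crl_days = 30
# Signature digest. The posted file used md5, which current TLS stacks
# refuse for certificate signatures; sha256 is available from OpenSSL 0.9.8.
default_md = sha256
preserve = no
policy = policy_match

[policy_match]
# Requests must repeat the CA's C, ST and O exactly; CN is mandatory.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[policy_anything]
# Permissive alternative; not referenced by [CA_default] above.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
# Non-interactive: the subject is taken from [server].
prompt = no
distinguished_name = server
default_bits = 2048
# Passphrase on the server key; "whatever" is the upstream placeholder and
# must also match the private_key_password in FreeRADIUS's eap.conf.
input_password = whatever
output_password = whatever
# No x509_extensions here. Presumably the FreeRADIUS script adds
# extendedKeyUsage serverAuth via -extfile xpextensions -extensions
# xpserver_ext on the `openssl ca` command line - confirm, since some
# supplicants refuse a server certificate without it.

[server]
# C, ST and O deliberately match the CA: [policy_match] requires it.
countryName = FR
stateOrProvinceName = Evry
localityName = Evry
organizationName = Example Inc.
# NOTE(review): the list archive rewrites "@" as " at "; the real file
# presumably reads admin@example.com - confirm against the attachment.
emailAddress = admin at example.com
commonName = "Example Server Certificate"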



-------------------------- end of Server ------------------------------

Best regards,
Thierry





