EAP-TLS Certificate problems.

Phil Mayers p.mayers at imperial.ac.uk
Sun Oct 8 21:33:18 CEST 2006


Brian vb wrote:
> the radius systems log. I have created 3 certificates, Root, Client, Server.
> The Root and Client certificates were installed via the MMC snapin and
> Import wizard in XP.  Any idea on what could be causing the errors? If I

On the server, the certificates are in *files*, yes?

  tls: private_key_file = "C:/Docume~1/radius/rcerts/cert-srv.pem"
  tls: certificate_file = "C:/Docume~1/radius/rcerts/cert-srv.pem"
  tls: CA_file = "C:/Docume~1/radius/rcerts/root.pem"
  tls: private_key_password = "SuperSecretCode"

They're there and valid?

> Sending Access-Challenge of id 50 to 10.1.1.189 port 1039
>         EAP-Message = 0x0104000a0d8000000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xd2f07585b4ad88459f3f0f28a7fa6fb2
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 48 with timestamp 45283c27
> Cleaning up request 1 ID 49 with timestamp 45283c27
> Cleaning up request 2 ID 50 with timestamp 45283c27
> Nothing to do.  Sleeping until we see a request.

This looks like the server certificate doesn't have the magic oids - the
XP client stops halfway through. Search the archives for "magic oids".

> Error 1 is seen if I have Validate Server Certificate check on the XP
> Laptop.
> 
> --Error 1--
> Sat Oct  7 19:35:58 2006 : Error:     TLS_accept:error in SSLv3 read client
> certificate A
> ------
> Error 2 is seen if Validate is unchecked on the laptop
> 
> --Error 2--
> Sat Oct  7 19:34:35 2006 : Error:     TLS_accept:error in SSLv3 read client
> certificate A 
> Sat Oct  7 19:34:35 2006 : Error: --> verify error:num=20:unable to get
> local issuer certificate 
> Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA 
> Sat Oct  7 19:34:35 2006 : Error:     TLS_accept:error in SSLv3 read client
> certificate B 
> Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a system
> call (-1), TLS session fails.
> Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/<no
> User-Password attribute>] (from client netnas port 11 cli 0014a5104864)
> -----
> 

Since you've obviously performed some kind of surgery on the debug logs
here, it's difficult to determine precisely what the context for these
two errors is. What is the single, full, unaltered debug output for the
failure case you're actually trying to solve?
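As an added example (not code from this thread or from FreeRADIUS), a POSIX shell check, assuming the OpenSSL command-line tool is installed, that tests the three things this reply turns on when pointed at the files named in the tls block above: that the server certificate carries the serverAuth extended key usage XP expects (the "magic oids"), that private_key_file really matches certificate_file, and that the certificate chains to CA_file. Run with the client's certificate and the client role against root.pem, the third check reproduces the verify error:num=20 / unknown CA failure of Error 2 on the command line instead of inside the server.

```shell
#!/bin/sh
# Added example, not from this thread; needs the OpenSSL command-line tool.
# check_eap_cert CERT KEY CA server|client [KEY_PASSWORD] tests:
#  1. the EKU Windows XP insists on: serverAuth (1.3.6.1.5.5.7.3.1) on the
#     server cert, clientAuth (1.3.6.1.5.5.7.3.2) on a client cert;
#  2. that KEY really belongs to CERT;
#  3. that CERT chains to CA ("verify error:num=20:unable to get local
#     issuer certificate" is this check failing inside the server).
check_eap_cert() {
  cert="$1"; key="$2"; ca="$3"; role="$4"; pass="$5"; rc=0
  case "$role" in
    server) want='TLS Web Server Authentication' ;;
    client) want='TLS Web Client Authentication' ;;
    *) echo "role must be server or client" >&2; return 2 ;;
  esac
  if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "$want"; then
    echo "ok:   $cert carries the $role EKU"
  else
    echo "FAIL: $cert lacks the $role EKU (XP abandons the handshake)"; rc=1
  fi
  # public key derived from KEY must equal the public key inside CERT
  if [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
       "$(openssl pkey -in "$key" -pubout -passin "pass:$pass" 2>/dev/null)" ]; then
    echo "ok:   $key matches $cert"
  else
    echo "FAIL: $key does not match $cert"; rc=1
  fi
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "ok:   $cert chains to $ca"
  else
    echo "FAIL: $cert does not chain to $ca (verify error num=20)"; rc=1
  fi
  return $rc
}

# Constructed fixtures for a self-test: a throwaway root CA and two server
# certs it issued, one with the serverAuth EKU and one without; writes to $1.
make_fixtures() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=radius' \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\n' > "$d/xp.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/xp.ext" -out "$d/srv-good.pem" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/srv-bad.pem" 2>/dev/null
}
```

Against the configuration quoted above the call would be `check_eap_cert cert-srv.pem cert-srv.pem root.pem server SuperSecretCode`, since the same PEM file holds both the certificate and the encrypted key.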
