EAP-TLS Certificate problems.

Brian vb nova5radius at gmail.com
Mon Oct 9 00:29:25 CEST 2006


The "surgery" performed was simply to remove the repeating lines and define
the two separate errors. Certs are in files; the user has permission to read
them (I buried them in the user's own profile directory to secure them better).
I have the XpExtensions and it's referenced in the cert creation batch file I
have.

> -----Original Message-----
> From: freeradius-users-bounces+nova5radius=gmail.com at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+nova5radius=gmail.com at lists.freeradius.org] On Behalf Of Phil
> Mayers
> Sent: Sunday, October 08, 2006 3:33 PM
> To: FreeRadius users mailing list
> Subject: Re: EAP-TLS Certificate problems.
> 
> Brian vb wrote:
> > the radius systems log. I have created 3 certificates, Root, Client,
> > Server. The Root and Client certificates were installed via the MMC snapin
> > and Import wizard in XP.  Any idea on what could be causing the errors? If I
> 
> On the server, the certificates are in *files* yes?
> 
>   tls: private_key_file = "C:/Docume~1/radius/rcerts/cert-srv.pem"
>   tls: certificate_file = "C:/Docume~1/radius/rcerts/cert-srv.pem"
>   tls: CA_file = "C:/Docume~1/radius/rcerts/root.pem"
>   tls: private_key_password = "SuperSecretCode"
> 
> They're there and valid?
> 
> > Sending Access-Challenge of id 50 to 10.1.1.189 port 1039
> >         EAP-Message = 0x0104000a0d8000000000
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0xd2f07585b4ad88459f3f0f28a7fa6fb2
> > Finished request 2
> > Going to the next request
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 48 with timestamp 45283c27
> > Cleaning up request 1 ID 49 with timestamp 45283c27
> > Cleaning up request 2 ID 50 with timestamp 45283c27
> > Nothing to do.  Sleeping until we see a request.
> 
> This looks like the server certificate doesn't have the magic oids - the
> XP client stops halfway through. Search the archives for "magic oids"
> 
> > Error 1 is seen if I have Validate Server Certificate check on the XP
> > Laptop.
> >
> > --Error 1--
> > Sat Oct  7 19:35:58 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
> > ------
> 
> >
> >
> > Error 2 is seen if Validate is unchecked on the laptop
> >
> > --Error 2--
> > Sat Oct  7 19:34:35 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
> > Sat Oct  7 19:34:35 2006 : Error: --> verify error:num=20:unable to get local issuer certificate
> > Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
> > Sat Oct  7 19:34:35 2006 : Error:     TLS_accept:error in SSLv3 read client certificate B
> > Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> > Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/<no User-Password attribute>] (from client netnas port 11 cli 0014a5104864)
> > -----
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> Since you've obviously performed some kind of surgery on the debug logs
> here, it's difficult to determine precisely what the context for these
> two errors is. What is the single, full, unaltered debug output for the
> failure case you're actually trying to solve?
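The two checks Phil's reply points at (the server cert's "magic" OIDs, and whether a client cert actually chains to CA_file, which is what "verify error:num=20" complains about), as an added shell example that is not part of the thread. It assumes the OpenSSL CLI is on PATH; every certificate name and CN below is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the OpenSSL CLI is on PATH.
# It reproduces offline the two checks Phil's reply points at:
#   1. does the server cert carry the "magic" serverAuth EKU
#      (OID 1.3.6.1.5.5.7.3.1) the XP supplicant wants when
#      "Validate server certificate" is ticked?
#   2. does a client cert chain to CA_file, the check behind
#      "verify error:num=20:unable to get local issuer certificate"?
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# has_server_auth_eku CERT -> exit 0 when the EKU lists TLS Web Server Auth
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# chains_to_ca CA_FILE CERT -> exit 0 when CERT verifies against CA_FILE
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test material (hypothetical CNs): two roots, and leaves with
# the extension line given as the third argument.
make_ca() {  # make_ca NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue() {    # issue CA NAME EXTENSION_LINE
    printf '%s\n' "$3" > "$WORK/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca root; make_ca otherca
issue root    cert-srv   'extendedKeyUsage = serverAuth'   # what XP expects
issue root    cert-plain 'basicConstraints = CA:FALSE'     # no EKU: XP stalls
issue root    cert-clt   'extendedKeyUsage = clientAuth'   # signed by CA_file's CA
issue otherca cert-stray 'extendedKeyUsage = clientAuth'   # CA not in CA_file

report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report has_server_auth_eku "$WORK/cert-srv.pem"
report has_server_auth_eku "$WORK/cert-plain.pem"
report chains_to_ca "$WORK/root.pem" "$WORK/cert-clt.pem"
report chains_to_ca "$WORK/root.pem" "$WORK/cert-stray.pem"
```

Run the same two functions against the real cert-srv.pem, root.pem and the client's exported cert before touching the radiusd config; a FAIL on the second check is exactly the "unknown CA" path in Error 2.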