What kind of error in client-cert using EAP?

Alexandros Gougousoudis gougousoudis at kh-berlin.de
Mon Sep 18 13:52:25 CEST 2006


Hi,

I have trouble with one XP-SP2 client, using a certificate to make 
802.1x Auth over EAP-TLS. The cert is a machine cert. On the server side 
I get this (using -X -A) in authenticate:

modcall: entering group authenticate for request 33
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
     (other): before/accept initialization
     TLS_accept: before/accept initialization
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
     TLS_accept: SSLv3 read client hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
     TLS_accept: SSLv3 write server hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ef8], Certificate
     TLS_accept: SSLv3 write certificate A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest
     TLS_accept: SSLv3 write certificate request A
     TLS_accept: SSLv3 flush data
     TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 33
modcall: leaving group authenticate (returns handled) for request 33
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
         EAP-Message = 0x0125040a0dc00000100e1[...]

Which indicates that there is a problem in the client-cert. Can it be 
more detailed? I exported the cert and the key now 4 times in different 
manners (as p12, as der) and the error is still there. Extended 
attribute is also included. The funny thing is that I already have 5 XP 
machines running in my network, doing an EAP-TLS auth over the switch.

It means also that in my authorize section (Auth-Type := EAP) I can get 
an Access-Accept message. On the server I get the Access-Requests, create 
an Access-Challenge and that's all. There's nothing coming back from the 
client.


Please help
  Alex


-- 
ServiceCenter IT - Alexandros Gougousoudis (Head)

Joint institution of the Kunsthochschule Berlin-Weissensee, the Hochschule 
für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst 
Busch".

Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
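
Added example, not part of the original post or of FreeRADIUS: a small Python parser that walks debug lines in the shape quoted above and reports which handshake messages each side sent and where the exchange stopped. The function name `summarize` and the sample lines are constructed for illustration, and it assumes `<<<` marks records received from the client and `>>>` records sent by the server, as the ClientHello/ServerHello lines in the log suggest.

```python
import re

# Constructed sample: trimmed lines in the shape of the rlm_eap_tls debug output above.
SAMPLE_LOG = """\
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ef8], Certificate
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest
    TLS_accept:error in SSLv3 read client certificate A
  eaptls_process returned 13
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
"""

# One handshake record: direction marker, hex length, message name.
RECORD = re.compile(
    r"rlm_eap_tls:\s+(<<<|>>>)\s+TLS [\d.]+\s+Handshake\s+"
    r"\[length ([0-9a-fA-F]+)\],\s*(\w+)")
# OpenSSL state callback line, with or without the "error in" prefix.
STATE = re.compile(r"TLS_accept:\s*(error in )?(.+)$")
# RADIUS packet the server sends back for this round.
REPLY = re.compile(r"Sending (Access-\w+)")


def summarize(log):
    """Return the handshake records seen, the last TLS state and the reply type."""
    records, last_state, state_error, reply = [], None, False, None
    for line in log.splitlines():
        if m := RECORD.search(line):
            who = "client->server" if m[1] == "<<<" else "server->client"
            records.append((who, m[3], int(m[2], 16)))
        elif m := STATE.search(line):
            state_error, last_state = bool(m[1]), m[2].strip()
        elif m := REPLY.search(line):
            reply = m[1]
    requested = ("server->client", "CertificateRequest") in [r[:2] for r in records]
    received = ("client->server", "Certificate") in [r[:2] for r in records]
    return {
        "records": records,
        "last_state": last_state,
        "state_error": state_error,
        "reply": reply,
        # Server asked for a certificate, none logged yet, and a challenge went out.
        "awaiting_client_cert": requested and not received
                                and reply == "Access-Challenge",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over a full `-X` capture, the `records` list makes it easy to compare a failing client against one of the working machines round by round.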




