EAP/TLS TLS_accept error

henry1412 henry1412 at 163.com
Wed Dec 10 03:07:26 CET 2008 

  
                      EAP/TLS TLS_accept error 
Hi:
 
I want to build a IEEE 802.1x authentication environoment and 
I have installed freeradius-1.0.2, openssl-0.9.8i, hostpad-0.4.8, wpa_supplicant-0.4.8. The authentication server is built in redhat9 ,
the database is mysql5 and client is build in linux.
 
I can use EAP/MD5 authentication type and it runs well.
When I config EAP/TLS-MD5 type, the client cann't be authenticated.
I have referenced many similar ways to resolve it, but I am failed.
 
I list my configuration files and the debug information below.
Who can give me some suggestion, Thank your very much for your help !
 
A. IN FREERADIUS:
 
1. Using CA.all to generate certificats:
/CA.all
Get those new files:
cert-clt.der cert-clt.p12 cert-clt.pem
cert-srv.p12 cert-srv.pem newcert.pem
newreq.pem root.der root.p12 root.pem
The default protect password is whaterver
2. Generate Diffie-Hellman key named dh and random key named random
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
3. eap.conf
default_eap_type = tls
tls {
private_key_password = whatever
private_key_file = /etc/mycerts/cert-srv.pem
certificate_file = /etc/mycerts/cert-srv.pem
CA_file = /etc/mycerts/root.pem
dh_file = /etc/mycerts/dh
random_file = /etc/mycerts/random
fragment_size = 1024
include_length = yes
}
4. radius.conf
authorize {
    preprocess
    suffix
    eap
    files
    sql
}
authenticate {
    eap
}
5. users
DEFAULT Auth-Type = EAP
        Fall-Through = 1
6. part of debug information
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0822], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0071], CertificateRequest  
    TLS_accept: SSLv3 write certificate request A 
    TLS_accept: SSLv3 flush data 
    TLS_accept:error in SSLv3 read client certificate A 
In SSL Handshake Phase 
In SSL Accept mode 
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate 
    TLS_accept:failed in SSLv3 read client certificate A 
TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept:error in SSLv3 read client certificate A 
rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate 
    TLS_accept:failed in SSLv3 read client certificate A 
6533:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
6533:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase 
In SSL Accept mode  
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails
 
B. IN HOSTAPD
 
1. some debug information
RADIUS packet matching with station 00:13:d7:20:00:90
IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state FAIL
IEEE 802.1X: Sending EAP Packet to 00:13:d7:20:00:90 (identifier 4)
IEEE 802.1X: 00:13:d7:20:00:90 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:13:d7:20:00:90 AUTH_PAE entering state HELD
br0: STA 00:13:d7:20:00:90 IEEE 802.1X: authentication failed
IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state IDLE
 
C. IN WPA_SUPPLICANT
 
1. wired.conf
# IEEE 802.1X with EAP-TLS
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
eapol_version=1
network={
 ssid=""
 key_mgmt=IEEE8021X
 eap=TLS
 identity="test"
 ca_cert="/root/root.pem"
 client_cert="/root/cert-clt.pem"
 private_key="/root/cert-clt.pem"
 private_key_passwd="whatever"
 eapol_flags=0
 priority=2
}
2. some debug information
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 9 (certificate is not yet valid) depth 1 
SSL: (where=0x4008 ret=0x22a)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081210/694567c4/attachment.html>

More information about the Freeradius-Users mailing list