Solutions: Various certificate issues with MACOSX (TLS Errors)
A.Cudbard-Bell at sussex.ac.uk
Tue Jun 24 18:12:06 CEST 2008
Jelle Langbroek wrote:
> I'm posting this to the list just for future reference. Though this
> may not seem a freeRadius issue, it still had a lot to do with it.
> Probably people with the same issues will look in this list for answers.
> I've been struggling with various freeRadius certificate issues the
> past year. Mainly Apple's OSX had problems with connecting. The
> problem got more complicated because different OSX versions reacted
> differently and had to be configured differently.
> The errors that kept popping up in the freeRadius logs (and because of
> which authentication failed) were:
> Tue Jun 24 16:18:26 2008 : Error: TLS Alert read:warning:close notify
> Tue Jun 24 16:18:26 2008 : Auth: Login incorrect: [UserX/<via
> Auth-Type = EAP>] (from client NAS-name port 62 cli 001d4ffdebe8)
> The error on the OSX client was something like "802.1x Authentication
> has failed" or it gives a "TLS error".
> I recently found how to solve the problem on all Apple OSX clients.
> Looking backward it seems obvious, but I struggled with it for a long
> time nevertheless.
> * Server: freeRadius 2.0.5 using PEAP without client certificates.
> !Server certificate is self-signed!
> * AP: Linksys WAP54G, WPA-Enterprise, AES
> * Client: Apple MacOSX (tested with 10.3.x, 10.4.x and 10.5.x)
> * The Airport was configured as follows:
> - Created new 802.1x connection and set Configuration: "Disable 802.1x
> login", set username, password and network and set ONLY PEAP (for what
> I use on my WLAN).
> - Now connect to the network with WPA-Enterprise, username, password
> and 802.1x authentication.
> What will happen is that either you get a popup window regarding the
> self-signed server certificate and you should push 'Continue' or
> authentication will fail.
Yes, because by default all certificates presented are untrusted, and so
the supplicant needs the user to verify the certificate manually. If the
user does not verify the validity of the certificate, the supplicant
will close the EAP session.
> When you get the popup window, push 'Continue' and the Airport will
> connect correctly. Make sure you DON'T set the trust settings
> regarding the certificate to "Always trust" because then
> authentication will fail in the future.
I simply don't see that behaviour, and the 900 Mac users on our
residential network don't see it either ....
> I don't know why this is the case, it just is... It means your users
> will always have to push the 'Continue' button when connecting.
It could be an issue with the certificate of the CA not being present
in the keychain, or the CA not being trusted... but then all CAs are
untrusted by default.
> When authentication fails without a certificate popup, you probably
> already have a certificate installed (OSX did that itself) that refers
> to your freeRadius server.
> Could be the test certificate when freeRadius was launched for the
> first time.
> To resolve the problem on the OSX client go to "Programs - Utilities
> - Keychain Access" and look for certificates regarding your
> radius-server. Now delete them or, if the certificates are the right
> ones, set the 'trust settings' to "Ask (every time)".
> The main problem here is how OSX deals with self-signed certificates.
> It somehow needs to ask the user for accepting the certificate every
> time it connects to freeRadius. When OSX is set to always trust it, it
> fails to send the right credentials or authentication information.
> I will try it with a certificate from a Certified CA. OSX should
> accept that one immediately. More on that later.
No it shouldn't. Just because windows has a screwed up attitude towards
certificates doesn't mean every other OS has to follow suit. By default
*all* certificates start out as untrusted for *all* applications;
actually that's not true, by default *all* certificates follow the
system default settings which are by default set to 'Never Trust'.
Just because a root CA's certificate is installed with the OS it doesn't
mean that all certificates signed by this CA should be trusted. So
*even* if the certification authority is present, the user will still be
prompted to validate the certificate signed by it....
> If anybody has more/other information on this, I'm happy to read that! :)
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
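The thread turns on whether the certificate FreeRADIUS presents is self-signed or chains to a CA the client already has and trusts. The script below is an added example, not code from the thread or from FreeRADIUS: it builds both kinds of server certificate with openssl under constructed names (radius.example.test, "Example Site CA", a temporary working directory) and provides the two checks a practitioner wants before blaming the supplicant, whether a certificate is self-signed (issuer equals subject) and whether it verifies against a given CA file, which is the test a supplicant effectively runs before it either prompts the user or connects silently.

```shell
#!/bin/sh
# Added example (not from the original thread or FreeRADIUS). Requires openssl.
# All names, paths and the CA are constructed for this demonstration.
set -e

WORK=${WORK:-$(mktemp -d)}

# 1. Self-signed server certificate: issuer == subject, no CA behind it.
#    This is the situation the original poster describes ("!Server
#    certificate is self-signed!").
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=radius.example.test" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# 2. A private CA plus a server certificate signed by it. A client that has
#    ca.pem installed and trusted can verify server.pem without user input.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Site CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Returns 0 when the certificate is self-signed (issuer and subject identical).
# Run this against the file named in eap.conf's certificate_file to learn which
# of the two cases in the thread you are actually in.
is_self_signed() {
    iss=$(openssl x509 -in "$1" -noout -issuer)
    sub=$(openssl x509 -in "$1" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# Returns 0 when certificate $1 verifies against CA bundle $2, i.e. what a
# supplicant that trusts $2 would accept without prompting.
verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_self_signed
make_ca_signed

# Report, for the reader running this by hand:
for c in selfsigned.pem server.pem; do
    if is_self_signed "$WORK/$c"; then
        echo "$c: self-signed (client will prompt unless this exact cert is trusted)"
    else
        echo "$c: CA-signed (client needs the issuing CA trusted)"
    fi
    if verifies_against "$WORK/$c" "$WORK/ca.pem"; then
        echo "$c: verifies against ca.pem"
    else
        echo "$c: does NOT verify against ca.pem"
    fi
done
```

Note that verifies_against "$WORK/selfsigned.pem" "$WORK/selfsigned.pem" also succeeds: openssl treats a self-signed certificate supplied as the CA file as a trust anchor, which is exactly the state a macOS user creates by accepting the prompt and trusting that one certificate, and why replacing the server certificate later makes the old trust entry useless. On the Mac side the keychain entries the thread says to delete or reset to "Ask" can be listed from a terminal with security find-certificate -a -c radius.example.test -p (substituting the real CN) and the per-user trust overrides with security dump-trust-settings; those are macOS commands and are not run here.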