eap-ttls failing

Josh Hiner josh at remc1.org
Tue Jan 27 16:06:51 CET 2009

tnt at kalik.net wrote:
>> Whoops, I thought I solved this but I didn't. I tried setting up eap-tls
>> on a few different laptops each using windows xp to configure eap-tls
>> (not the wireless card client). I get the same results there. I have
>> nothing in my /etc/raddb/users file. I tried putting:
>> josh Auth-Type := eap
>>    Auth-Type := Accept
> Don't do that. Don't force Auth-Type. It's not going to help and it
> will break everything else.
>> On the XP client I also notice that even though I have the Certificate
>> Authority installed, the client certificate reports: Windows does not
>> have enough information to verify this certificate.
>> I figured that the certificate chain was broken. As a test, I imported
>> the server certificate and stuck it in the Trusted root authorities
>> section. This completed the chain (since the client cert was signed off
>> the server cert which is what the make client does in /etc/raddb/certs).
>> But, of course, the server cert is not meant to be a cert authority so
>> windows xp complains about this.
> That is the problem. Windows won't recognize server certificate as
> intermediate ca any more. The "cure" is to try signing client
> certificates with ca certificate instead. I have posted to the list an
> altered Makefile with make caclient.pem command added a few days ago. If
> you can't find it I will post another one this evening.
> Ivan Kalik
> Kalik Informatika ISP
I did find the Makefile. Thanks! I tried to do a make caclient.pem but 
it threw this error:

openssl req -new  -out caclient.csr -keyout caclient.key -config 
Generating a 2048 bit RSA private key
writing new private key to 'caclient.key'
openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr  -key 
`grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt 
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
make: *** [caclient.crt] Error 1

I don't need to re-do my CA and server cert prior to making the client
certs do I?

Here is my client.cnf. It's almost as if it doesn't understand that it
needs to take the values from [ CA_default ]

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = ./
certs                   = $dir
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir
certificate             = $dir/server.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
private_key             = $dir/server.key
RANDFILE                = $dir/.rand
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 7300
default_crl_days        = 30
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
localityName            = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
prompt                  = no
distinguished_name      = client
default_bits            = 2048
input_password          = <hidden>
output_password         = <hidden>

countryName             = US
stateOrProvinceName     = Michigan
localityName            = Hancock
organizationName        = REMC1
emailAddress            = support at remc1.net
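
Added example (not part of the original post or of the FreeRADIUS Makefile): the "wrong number of fields on line 1" message above is printed when openssl ca parses the file named by "database" (index.txt here), where every record must have six tab-separated fields, so a blank first line triggers it. The function name check_ca_index and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an OpenSSL CA database file (index.txt).
# Each record must have six TAB-separated fields:
#   status (V, R or E) / expiry / revocation date (empty unless revoked)
#   / serial (hex) / file name / subject DN

check_ca_index() {
    # $1 = path to the database file. Prints one line per problem and
    # returns 1 if any were found; a zero-byte file is valid and returns 0.
    awk -F '\t' '
        NF != 6 {
            printf "line %d: expected 6 fields, got %d\n", NR, NF
            bad = 1; next
        }
        $1 !~ /^[VRE]$/ {
            printf "line %d: unknown status \"%s\"\n", NR, $1
            bad = 1; next
        }
        $1 == "R" && $3 == "" {
            printf "line %d: revoked entry without a revocation date\n", NR
            bad = 1; next
        }
        $4 !~ /^[0-9A-Fa-f]+$/ {
            printf "line %d: serial \"%s\" is not hex\n", NR, $4
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a blank first line followed by one well-formed record.
demo_dir=$(mktemp -d)
printf '\nV\t290122160651Z\t\t01\tunknown\t/C=US/ST=Michigan/O=REMC1/CN=example\n' \
    > "$demo_dir/index.txt"
if check_ca_index "$demo_dir/index.txt"; then
    echo "index.txt looks well-formed"
else
    echo "index.txt is malformed"
fi
rm -rf "$demo_dir"
```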
