EAP-TLS with Windows CA and CRL for Wireless Auth

Rudolph Bott r at bott.im
Tue Mar 8 14:01:34 CET 2011


Hi List,

I've successfully setup the following scenario:

- Windows CA (Root-CA and Sub-CA)
- Cisco WLAN Controller + APs
- Windows 7 Domain Clients (+ Computer Certificates)
- EAP-TLS Auth with certificates


I created a small script to fetch the CRL from the CA and have it 
converted to PEM format:

-- snip --

#!/bin/bash

ID=$$

# Fetch the current CRL (DER format) from the Windows CA
wget http://ca.host.name/CA.crl -O /tmp/CA.$ID.crl -q

if [ $? -eq 0 ]
then
	# Convert DER -> PEM into the FreeRADIUS cert directory, then rebuild the hash symlinks
	openssl crl -in /tmp/CA.$ID.crl -inform DER -out /etc/raddb/certs/crl.pem -outform PEM
	rm /tmp/CA.$ID.crl
	c_rehash /etc/raddb/certs/ > /dev/null
fi

-- snip --

c_rehash seems to work since I have the symlinks in /etc/raddb/certs/.


The relevant parameters in eap.conf are set:

check_crl = yes
CA_path = ${certdir}/


However, as long as check_crl is set to 'yes', the following happens 
when a client tries to connect:

Tue Mar  8 13:09:48 2011 : Info: Found Auth-Type = EAP
Tue Mar  8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Tue Mar  8 13:09:48 2011 : Info: +- entering group authenticate {...}
Tue Mar  8 13:09:48 2011 : Info: [eap] Request found, released from the list
Tue Mar  8 13:09:48 2011 : Info: [eap] EAP/tls
Tue Mar  8 13:09:48 2011 : Info: [eap] processing type tls
Tue Mar  8 13:09:48 2011 : Info: [tls] Authenticate
Tue Mar  8 13:09:48 2011 : Info: [tls] processing EAP-TLS
Tue Mar  8 13:09:48 2011 : Info: [tls] eaptls_verify returned 7
Tue Mar  8 13:09:48 2011 : Info: [tls] Done initial handshake
Tue Mar  8 13:09:48 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0a35], Certificate
Tue Mar  8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension
Tue Mar  8 13:09:48 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
Tue Mar  8 13:09:48 2011 : Error: TLS Alert write:fatal:certificate unknown
Tue Mar  8 13:09:48 2011 : Error:     TLS_accept: error in SSLv3 read client certificate B
Tue Mar  8 13:09:48 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Mar  8 13:09:48 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Tue Mar  8 13:09:48 2011 : Debug: TLS receive handshake failed during operation
Tue Mar  8 13:09:48 2011 : Info: [tls] eaptls_process returned 4
Tue Mar  8 13:09:48 2011 : Info: [eap] Handler failed in EAP/tls
Tue Mar  8 13:09:48 2011 : Info: [eap] Failed in EAP select
Tue Mar  8 13:09:48 2011 : Info: ++[eap] returns invalid
Tue Mar  8 13:09:48 2011 : Info: Failed to authenticate the user.
Tue Mar  8 13:09:48 2011 : Auth: Login incorrect (unhandled critical CRL extension): [host/CLIENT123.domain/<via Auth-Type = EAP>] (from client WLAN-TEST port 1 cli 00-24-d7-8a-53-cc)
Tue Mar  8 13:09:48 2011 : Info: Using Post-Auth-Type Reject
Tue Mar  8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Tue Mar  8 13:09:48 2011 : Info: +- entering group REJECT {...}
Tue Mar  8 13:09:48 2011 : Info: [attr_filter.access_reject] 	expand: %{User-Name} -> host/CLIENT123.domain
Tue Mar  8 13:09:48 2011 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Tue Mar  8 13:09:48 2011 : Info: ++[attr_filter.access_reject] returns updated
Tue Mar  8 13:09:48 2011 : Info: Delaying reject of request 15 for 1 seconds
Tue Mar  8 13:09:48 2011 : Debug: Going to the next request
Tue Mar  8 13:09:48 2011 : Debug: Waking up in 0.9 seconds.
Tue Mar  8 13:09:49 2011 : Info: Sending delayed reject for request 15
Sending Access-Reject of id 228 to 10.70.11.15 port 32768
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000

When I disable CRL checks, everything works fine again.

Does anybody have any experience with implementing Windows based CRLs in 
Freeradius?

Radius Version is:

radiusd: FreeRADIUS Version 2.1.10, for host i686-suse-linux-gnu, built on Mar  5 2011 at 17:06:42

running on SLES 11 (compiled from source as RPM package)

Any kind of advice would be appreciated!


-- 
With Kind Regards
   Rudolph Bott
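A hardened variant of the fetch-and-convert script from the post above, added here as an example (it is not the poster's script and not part of FreeRADIUS). It separates the download from the validation so that a CRL is only installed into CA_path after its signature has been checked against the issuing CA certificate and its nextUpdate has not passed, and it lists the extensions the CRL marks critical, which is the first thing to inspect when the server's OpenSSL reports "unhandled critical CRL extension" (verify error 36). It assumes the openssl CLI (with `openssl rehash`, falling back to `c_rehash`) and GNU `date`; the URL and the paths are placeholders.

```shell
#!/bin/bash
# Added example, not the original poster's script. Fetches a CRL published by a
# Windows CA as DER, validates it, and only then installs it for FreeRADIUS.
# Assumptions: openssl CLI (with "openssl rehash", else c_rehash) and GNU date;
# URL and paths below are placeholders.
set -u

CRL_URL="http://ca.host.name/CA.crl"     # placeholder, as in the original post
CA_CERT="/etc/raddb/certs/ca.pem"        # placeholder: certificate of the CRL issuer
CERT_DIR="/etc/raddb/certs"              # placeholder: the CA_path directory of eap.conf

# Download the DER CRL to a local file (network step, kept separate so the
# validation below can be exercised on a file).
crl_fetch() {
    wget -q -O "$2" "$1"
}

# Convert a DER CRL to PEM; fails if the file is not a CRL at all.
crl_der_to_pem() {
    openssl crl -in "$1" -inform DER -out "$2" -outform PEM >/dev/null 2>&1
}

# Check the CRL signature against the issuing CA certificate, so a corrupted
# or wrong-CA download is never installed.
crl_verify_signature() {
    openssl crl -in "$1" -noout -CAfile "$2" >/dev/null 2>&1
}

# Refuse a CRL whose nextUpdate has already passed (stale revocation data).
crl_not_stale() {
    local next now
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ -n "$next" ] || return 1
    next=$(date -d "$next" +%s 2>/dev/null) || return 1   # GNU date assumed
    now=$(date +%s)
    [ "$next" -gt "$now" ]
}

# List the CRL extensions flagged critical. A verifier that does not understand
# one of them rejects the whole CRL ("unhandled critical CRL extension").
crl_critical_extensions() {
    openssl crl -in "$1" -noout -text \
        | grep -E ': critical *$' | sed -E 's/^ *//; s/: critical *$//' || true
}

# Rebuild the hash symlinks OpenSSL uses to find CRLs in CA_path.
crl_rehash() {
    openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null 2>&1
}

# Validate a downloaded DER CRL and install it atomically as $dir/crl.pem.
# Usage: crl_refresh /tmp/CA.crl "$CA_CERT" "$CERT_DIR"
crl_refresh() {
    local der="$1" ca="$2" dir="$3" tmp crit
    tmp="$dir/.crl.pem.$$"
    if ! crl_der_to_pem "$der" "$tmp"; then
        echo "crl_refresh: $der is not a DER CRL" >&2; rm -f "$tmp"; return 1
    fi
    if ! crl_verify_signature "$tmp" "$ca"; then
        echo "crl_refresh: CRL signature does not verify against $ca" >&2; rm -f "$tmp"; return 1
    fi
    if ! crl_not_stale "$tmp"; then
        echo "crl_refresh: CRL nextUpdate is in the past, keeping the old one" >&2; rm -f "$tmp"; return 1
    fi
    crit=$(crl_critical_extensions "$tmp")
    if [ -n "$crit" ]; then
        echo "crl_refresh: critical CRL extensions present: $(echo "$crit" | tr '\n' ';')" >&2
    fi
    mv -f "$tmp" "$dir/crl.pem" && crl_rehash "$dir"
}

# Full run from cron (not executed here):
#   crl_fetch "$CRL_URL" /tmp/CA.$$.crl && crl_refresh /tmp/CA.$$.crl "$CA_CERT" "$CERT_DIR"
```

Keeping the previous crl.pem in place when the new one fails any check means a bad download degrades to "slightly older revocation data" rather than to "no CRL, all authentication rejected", and the critical-extension listing on stderr tells you which extension the server's OpenSSL would have to support before check_crl = yes can work.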


