EAP-TLS fails with 'TLS Alert read:fatal:bad certificate'

Tabor Kelly taborkelly+freeradius-users at gmail.com
Tue Oct 28 01:20:45 CET 2014


I'm trying to set up an EAP-TLS network with freeradius-server-2.2.5. I
am using the example simple configuration with the username bob,
password hello, and the sample server/client certificates that were
generated in /usr/local/etc/raddb/certs. Authentication is failing
with the following output:

rad_recv: Access-Request packet from host 127.0.0.1 port 35906,
id=101, length=188
User-Name = "bob"
Called-Station-Id = "00-1A-EF-41-E2-2E:UBUNTU-TABOR"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = "34-23-87-00-14-3F"
Connect-Info = "CONNECT 11Mbps 802.11b"
Acct-Session-Id = "544EC2A6-00000015"
Framed-MTU = 1400
EAP-Message = 0x0250000d0d001503010002022a
State = 0x45e158e041b155dbff559d4ce378d770
Message-Authenticator = 0xd1b7786e651558d6c517f695892a9827
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 80 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry bob at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.

Just to clarify: does this mean that freeradius didn't like the
certificate that the client sent?

Thank you,

Tabor
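
The EAP-Message attribute printed in the Access-Request above carries the TLS record that the server is complaining about, so the question can be answered from the packet itself. What follows is an added example (my own script, not the poster's and not FreeRADIUS code) that decodes that attribute: the EAP header, the EAP-TLS flags, and the TLS record layer inside it. The hex string is copied verbatim from the debug output; the second packet is constructed here purely for contrast and is not from the post. Decoding shows the alert sits inside an EAP Response (code 2), which per RFC 3748 travels from the peer (supplicant) to the authenticator, and OpenSSL's "alert read" wording likewise means an alert was received, not sent. So the fatal bad_certificate came from the client, i.e. the supplicant rejected the server's certificate, not the other way round.

```python
"""Decode a RADIUS EAP-Message attribute carrying EAP-TLS and locate any
TLS alert inside it.  Added example, not FreeRADIUS code.  CLIENT_ALERT_HEX
is the hex string from the debug output above; SERVER_REQUEST_HEX is a
constructed EAP-TLS Request (server -> supplicant) used only for contrast."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13                                   # RFC 5216
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0",
                (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {                              # RFC 5246 section 7.2 (subset)
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}

# EAP-Message from the Access-Request in the debug output (verbatim).
CLIENT_ALERT_HEX = "0250000d0d001503010002022a"
# Constructed for contrast (not from the post): EAP Request id 81, type 13,
# L flag set, TLS Message Length 9, one 4-byte HelloRequest handshake record.
SERVER_REQUEST_HEX = "015100130d8000000009160301000400000000"


def parse_eap(pkt: bytes) -> dict:
    """EAP header (RFC 3748 section 4): Code, Identifier, Length, then Type."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                              # only Request/Response carry a Type
        eap["type"] = pkt[4]
        eap["type_data"] = pkt[5:]
    return eap


def parse_eap_tls(type_data: bytes) -> dict:
    """EAP-TLS type data (RFC 5216 section 3.1): Flags, optional length, TLS Data."""
    flags = type_data[0]
    info = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    off = 1
    if info["L"]:                                   # 4-byte TLS Message Length present
        info["tls_message_length"] = struct.unpack("!I", type_data[1:5])[0]
        off = 5
    info["tls_data"] = type_data[off:]
    return info


def parse_tls_records(data: bytes) -> list:
    """Walk the TLS record layer; decode the 2-byte body of alert records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        rec = {"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
               "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
               "length": length,
               "complete": len(body) == length}     # an M-flag fragment may cut a record
        if ctype == 21 and len(body) == 2:
            rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]),
                            ALERT_DESCRIPTIONS.get(body[1], body[1]))
        records.append(rec)
        off += 5 + length
    return records


def decode_eap_message(hex_attr: str) -> dict:
    """Full decode of one EAP-Message attribute value given as hex."""
    eap = parse_eap(bytes.fromhex(hex_attr))
    result = {"eap": eap}
    # RFC 3748: Requests go authenticator -> peer, Responses go peer -> authenticator.
    result["sent_by"] = {"Request": "server", "Response": "supplicant"}.get(eap["code"], "n/a")
    if eap.get("type") == EAP_TYPE_TLS:
        tls = parse_eap_tls(eap["type_data"])
        result["eap_tls"] = tls
        result["tls_records"] = parse_tls_records(tls["tls_data"])
        result["alerts"] = [r["alert"] for r in result["tls_records"] if "alert" in r]
    return result


if __name__ == "__main__":
    for label, h in (("from the post", CLIENT_ALERT_HEX), ("constructed", SERVER_REQUEST_HEX)):
        r = decode_eap_message(h)
        print(f"{label}: EAP {r['eap']['code']} id {r['eap']['id']}, "
              f"sent by {r['sent_by']}, alerts={r.get('alerts')}")
```

Run against the post's packet it reports an EAP Response, id 80, length 13 (matching the "[eap] EAP packet type response id 80 length 13" line), sent by the supplicant, containing a TLS 1.0 alert record with level fatal and description bad_certificate (0x2a = 42). When the alert is in a Response like this, the thing to debug is the supplicant's trust of the server certificate (the CA it has been given, the server cert's extensions, or the supplicant's own verification settings) rather than the server's view of the client certificate.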

