EAP-TLS and client certs issued with different CAs

Bruncko Michal Michal.Bruncko at zssos.sk
Sat Sep 13 16:17:31 CEST 2014


Hello list,

I am successfully using FreeRADIUS in our Wifi environment with EAP-TLS 
in a single-CA environment, i.e. the same CA was used to sign both the 
server and client SSL certificates. Now I have started to use a new 
certificate PKI with a new CA hierarchy, RootCA -> SubCA -> Wifi 
certificates, but I wanted to keep the existing legacy CA in place. This 
means:
- that I wanted to use client certificates issued by two different CAs 
for EAP-TLS authentication
- and, as I mentioned before, the new CA is a SubCA of the new RootCA
- and the server certificate is still signed by the legacy CA

I looked over older posts and it looks like this scenario is supported 
by FreeRADIUS and can be achieved in two ways:
- using CA_file (within the tls section in eap.conf) pointing to a file 
bundling all CA-related certificates (i.e. legacy CA, new SubCA and 
RootCA), or
- using CA_path pointing to a directory with separate CA *.pem files (and 
running "c_rehash" over that directory). I kept both the SubCA and the 
RootCA in a single PEM file (but I tried separating them as well).

The problem is that every time I want to authenticate a client using a 
certificate signed by the SubCA, I always get:

[campuswifi] Request found, released from the list
[campuswifi] EAP/tls
[campuswifi] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 03d6], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
     TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[campuswifi] Handler failed in EAP/tls
[campuswifi] Failed in EAP select


Questions:
- what am I doing wrong? Am I missing anything in order to get EAP-TLS 
authentication working over both the legacy CA and the new CA?


Recall: please note that the new CA is not self-signed, but signed by 
another RootCA authority (also created by me).


Thanks for any help

-- 
Ing. Michal Bruncko, PhD., CCNP, RHCSA

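The verify error above (num=20, "unable to get local issuer certificate") is what OpenSSL reports when the server's trust store can build a chain to the RootCA but does not hold the SubCA that issued the client cert. The following added example, which is not part of the original post or FreeRADIUS itself, builds a throwaway RootCA -> SubCA -> client chain and checks that a trust store with only the RootCA reproduces error 20, while both layouts the post mentions (a CA_file-style bundle and a CA_path-style hashed directory with one cert per file) verify the client cert; all names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway RootCA -> SubCA -> client
# chain, then three trust-store layouts checked with "openssl verify".
# Demo names/paths only; requires the openssl CLI.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# Self-signed RootCA ("req -x509" applies the default v3_ca extensions).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -days 2 -subj '/CN=Demo RootCA' 2>/dev/null
# SubCA signed by the RootCA, then a client cert signed by the SubCA.
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj '/CN=Demo SubCA' 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out sub.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj '/CN=wifi-client' 2>/dev/null
openssl x509 -req -in client.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 1 -extfile client.ext -out client.crt 2>/dev/null

# Case 1: trust store holds only the RootCA. The chain cannot be completed and
# OpenSSL reports error 20, the same verify error seen in the radiusd output.
root_only_gives_error20() {
  openssl verify -CAfile root.crt client.crt 2>&1 | grep -q 'error 20 at'
}
# Case 2: CA_file style: one PEM bundle holding RootCA and SubCA.
cat root.crt sub.crt > bundle.pem
verify_with_bundle() { openssl verify -CAfile bundle.pem client.crt >/dev/null 2>&1; }
# Case 3: CA_path style: one cert per file, named <subject-hash>.0 as c_rehash does.
# A multi-cert PEM in this directory would only be found under one hash name.
mkdir cadir
for c in root.crt sub.crt; do
  cp "$c" "cadir/$(openssl x509 -noout -subject_hash -in "$c").0"
done
verify_with_dir() { openssl verify -CApath cadir client.crt >/dev/null 2>&1; }

root_only_gives_error20 && echo "RootCA only: error 20 reproduced"
verify_with_bundle && echo "bundle (CA_file): OK"
verify_with_dir && echo "hashed dir (CA_path): OK"
```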