Machine auth fails but user auth works

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Dec 4 23:38:47 CET 2015


> On 4 Dec 2015, at 17:24, Dennis Xu <dxu at uoguelph.ca> wrote:
> 
> I have listed all root and intermediate CAs in the eap file:
> 

You're using confusing terminology.  'client side' certificate validation refers to the client validating the server certificate, not validating the client's certificate.  I honestly have no idea what you mean, please clarify your requirements using the correct terminology.

>                certificate_file = ${certdir}/ThawteCert.cer
> 
>                #  Trusted Root CA list
>                #
>                #  ALL of the CA's in this list will be trusted
>                #  to issue client certificates for authentication.
>                #
>                #  In general, you should use self-signed
>                #  certificates for 802.1x (EAP) authentication.
>                #  In that case, this CA file should contain
>                #  *one* CA certificate.
>                #
>                ca_file = ${cadir}/SSL_PrimaryCA.pem
>                ca_file = ${cadir}/SSL_SecondaryCA.pem
>                ca_file = ${cadir}/thawte_Premium_Server_CA.pem
> 
> The server certificate and its configuration should be ok, otherwise the user authentication would fail as well.

Well that's wrong, the certificates must be concatenated into a single file.  Nice syntax you've invented there, it's certainly not supported or one that works.

-- Alan D any issues with throwing a validation error unless a CONF_PAIR is marked up with PW_TYPE_MULTI?

> If the server is trying to validate the client certificate, it will fail for sure as there is no certificate on clients, and I don't think that is required for PEAP.

It's not, and the server doesn't explicitly request a client certificate for PEAP.  That only happens for EAP-TLS.  If the supplicant is presenting a certificate it's probably some snake oil cert that Microsoft auto generates, or something provided via AD.

I'm fairly certain the OpenSSL API doesn't include an option to ignore client certificates if they're presented.  It assumes no TLS peer would be so broken as to present a certificate it didn't want to use as part of authenticating itself.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
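As an added illustration (not part of the thread and not FreeRADIUS code), a small Python check that flags repeated single-valued keys such as `ca_file` in a `tls` section and builds the one concatenated CA bundle the server expects. The config fragment, the key list and the PEM bodies are constructed placeholders.

```python
"""Lint a FreeRADIUS-style tls section for repeated single-valued keys and
build a single concatenated CA bundle.  Constructed example, not project code."""
import re

# Constructed fragment mirroring the quoted eap file (comments included).
TLS_SECTION = """
    certificate_file = ${certdir}/ThawteCert.cer
    #  Trusted Root CA list - must be ONE file
    ca_file = ${cadir}/SSL_PrimaryCA.pem
    ca_file = ${cadir}/SSL_SecondaryCA.pem
    ca_file = ${cadir}/thawte_Premium_Server_CA.pem
"""

# Assumed set of keys that take exactly one value; repeating them is not supported.
SINGLE_VALUED = {"ca_file", "certificate_file", "private_key_file"}

PAIR_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$")
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.S)

def find_duplicate_pairs(section):
    """Return {key: [values]} for single-valued keys that appear more than once."""
    seen = {}
    for line in section.splitlines():
        line = line.split("#", 1)[0]            # strip trailing/whole-line comments
        m = PAIR_RE.match(line)
        if m and m.group(1) in SINGLE_VALUED:
            seen.setdefault(m.group(1), []).append(m.group(2))
    return {k: v for k, v in seen.items() if len(v) > 1}

def concat_ca_bundle(pem_texts):
    """Join several CA PEM files into one bundle: one block per cert, LF endings,
    nothing but certificate blocks (stray text in a bundle is a common failure)."""
    blocks = []
    for text in pem_texts:
        found = PEM_BLOCK_RE.findall(text.replace("\r\n", "\n"))
        if not found:
            raise ValueError("no CERTIFICATE block found in one input file")
        blocks.extend(found)
    return "\n".join(blocks) + "\n"

def count_certs(bundle):
    """Number of certificate blocks the server will load from the bundle."""
    return len(PEM_BLOCK_RE.findall(bundle))

# Constructed PEM bodies (placeholder base64, not real certificates).
CA_PRIMARY = "-----BEGIN CERTIFICATE-----\nUHJpbWFyeUNBIHBsYWNlaG9sZGVy\n-----END CERTIFICATE-----\n"
CA_SECONDARY = "-----BEGIN CERTIFICATE-----\r\nU2Vjb25kYXJ5Q0EgcGxhY2Vob2xkZXI=\r\n-----END CERTIFICATE-----\r\n"
CA_ROOT = "-----BEGIN CERTIFICATE-----\nUm9vdENBIHBsYWNlaG9sZGVy\n-----END CERTIFICATE-----\n"
```

Running `find_duplicate_pairs(TLS_SECTION)` reports the three `ca_file` lines, and `concat_ca_bundle([CA_PRIMARY, CA_SECONDARY, CA_ROOT])` yields the single file a real `ca_file` directive should point at.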
