eapol_test with TLS fails (nothing sent to freeradius)

A.L.M.Buxey at lboro.ac.uk
Mon Jul 27 10:05:24 CEST 2015


Hi,

> EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
> TLS: Trusted root certificate(s) loaded
> OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:140C800D:SSL
> routines:SSL_use_certificate_file:ASN1 lib
> OpenSSL: SSL_use_certificate_file (PEM) --> OK
> OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed
> error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> OpenSSL: pending error: error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:0D09A00D:asn1 encoding
> routines:d2i_PrivateKey:ASN1 lib
> OpenSSL: pending error: error:140CB00D:SSL
> routines:SSL_use_PrivateKey_file:ASN1 lib
> OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
> SSL: Private key loaded successfully
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
> EAP: EAP entering state METHOD

so the client is not too happy about the certs... but it looks like it loaded them okay anyway
(if they were in DER format these error messages would probably go)

> SSL: SSL_connect:SSLv3 read server hello A
> TLS: Certificate verification failed, error 7 (certificate signature
> failure) depth 1 for '/C=DE/ST=Hamburg/L=Schwarzenbek/O=tiri
> GmbH/emailAddress=ca at hotspot.tiri.li/CN=tiri CA'
> SSL: (where=0x4008 ret=0x233)
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server certificate B
> OpenSSL: tls_connection_handshake - SSL_connect error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest algorithm
> OpenSSL: pending error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> SSL: 7 bytes pending from ssl_out
> SSL: Failed - tls_out available to report error
> SSL: 7 bytes left to be sent out (of total 7 bytes)

so the client didn't like what the RADIUS server sent.


Ensure that the client is using the correct CA details. Ensure that the server is using the
correct details! And ensure that the client is also sending out any intermediate certs
that the client needs to build the trust chain from the server cert to the root CA.

> But there is still something missing.
> How is password for user "wlan_test" being transmitted?

The missing thing is just your knowledge of the EAP-TLS protocol. There is no password - the
client is authenticated based on mutual trust of the certificate that it is using...and the client's
certificate is protected by the private-key component of the certificate that only the authorised
client/user would know, to allow that certificate to be loaded/read for use with EAP-TLS.

EAP-TLS works very much like you showing a passport at the security section of an airport. The security
guard will recognise the document...and know that they have an agreement with your country...they will
check the contents of your passport...ensure it's all present and correct and hasn't expired.

alan
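As an added example (not part of this thread, and not code from the eapol_test or FreeRADIUS projects), the shell script below builds a throw-away root CA, intermediate CA, RADIUS server certificate and EAP-TLS client certificate with openssl, then runs the checks the reply above asks for: whether the server certificate chains to the trusted root with and without the intermediate (the depth-1 failure in the log is what the client reports when that chain cannot be built or verified), which signature digest the certificates carry ("unknown message digest algorithm" is what OpenSSL reports when it does not recognise that value), and whether the client's private key really belongs to its certificate. It also writes an eapol_test network block for EAP-TLS, which has no password entry at all. Every name and path in it (example root CA, server.example.test, wlan_test, the ssid, the config file location) is made up for the demo.

```shell
#!/bin/sh
# Added example, not code from this thread or from eapol_test/FreeRADIUS.
# Builds a throw-away PKI with openssl and runs the checks discussed above.
# Every name and path here is made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate root CA -> intermediate CA -> server and client certificates.
# Skips generation if the server certificate already exists in $WORK.
make_pki() {
  [ -f "$WORK/server.pem" ] && return 0
  (
    cd "$WORK"
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
    # Self-signed root CA: the one the client would list as ca_cert.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example root CA" \
      -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -sha256 -days 365 \
      -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example intermediate CA" \
      -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -sha256 -days 365 -extfile ca.ext -out int.pem 2>/dev/null
    # RADIUS server cert and EAP-TLS client cert, both issued by the
    # intermediate, so neither chains to the root unless int.pem is present.
    for name in server client; do
      openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
      openssl x509 -req -in "$name.csr" -CA int.pem -CAkey int.key -CAcreateserial \
        -sha256 -days 365 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    done
  )
}

# Succeeds only if server.pem chains to the trusted root. The optional
# argument is a file of untrusted intermediates the verifier may use: this
# is what the RADIUS server must send in the handshake when the client
# only trusts the root.
verify_chain() {
  if [ $# -gt 0 ]; then
    out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/server.pem" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" 2>&1) || true
  fi
  # Match the "...: OK" line rather than the exit code, which older openssl
  # releases did not set on failure.
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Print the signature algorithm recorded in a certificate, e.g.
# sha256WithRSAEncryption. If the client's OpenSSL does not know this
# value, verification fails with "unknown message digest algorithm".
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds if the private key file belongs to the certificate (same RSA
# modulus). This is the private-key component the client must possess;
# without it the certificate alone proves nothing in EAP-TLS.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Write a minimal eapol_test network block for EAP-TLS and print its path.
# Note what is absent: no password for the user. "wlan_test" is
# authenticated by presenting client.pem and proving possession of
# client.key inside the TLS handshake. With an encrypted key you would add
# private_key_passwd=, which only unlocks the file locally and is never
# sent to the RADIUS server; the demo key is unencrypted, so it is omitted.
write_eapol_conf() {
  cat > "$WORK/eap-tls.conf" <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="wlan_test"
    ca_cert="$WORK/root.pem"
    client_cert="$WORK/client.pem"
    private_key="$WORK/client.key"
}
EOF
  echo "$WORK/eap-tls.conf"
}

make_pki
if verify_chain; then r1=OK; else r1=FAIL; fi
if verify_chain "$WORK/int.pem"; then r2=OK; else r2=FAIL; fi
echo "server.pem against root only:         $r1"
echo "server.pem with int.pem as untrusted: $r2"
echo "server.pem signature algorithm: $(sig_alg "$WORK/server.pem")"
echo "eapol_test config written to: $(write_eapol_conf)"
```

The first verify fails and the second succeeds: the client only trusts root.pem, so the server side has to supply int.pem in its certificate message. With FreeRADIUS the usual way is to append the intermediate to the file named by certificate_file in the eap module's tls section. The generated config can then be tried with eapol_test -c "$WORK/eap-tls.conf" -a 127.0.0.1 -s testing123 (the address and shared secret are FreeRADIUS's default test client, assumed here); if the server's chain is still wrong, eapol_test reproduces the depth-1 "certificate signature failure" seen in the log.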

