Cisco IP Phone 802.1x EAP-TLS troubles

Anirudh Malhotra 8zero2ops at gmail.com
Tue Oct 11 09:24:58 CEST 2016


On Monday 10 October 2016, Ryan <directionless at gmail.com> wrote:

> Hello,
> I'm running freeRADIUS v3.0.8.  My first goal is just to get all our
> Cisco phones authorized.  I want freeRADIUS to accept all phones based
> on the certificate presented by the supplicant.  The phones should
> present Cisco's manufacturer-installed-certificate, and Cisco provides
> the CA certs for download, which I have done.  I put the Cisco CA
> certs into /etc/freeradius/certs, changed eap config to use ca_path
> instead of ca_file, but I still get this:
>
> -------------------------
>
> (4) eap: Peer sent method TLS (13)
> (4) eap: EAP TLS (13)
> (4) eap: Calling eap_tls to process EAP data
> (4) eap_tls: Authenticate
> (4) eap_tls: processing EAP-TLS
> (4) eap_tls: TLS Length 1235
> (4) eap_tls: Length Included
> (4) eap_tls: eaptls_verify returned 11
> (4) eap_tls: <<< Unknown TLS version [length 0005]
> (4) eap_tls: <<< TLS 1.2  [length 0343]
> (4) eap_tls: TLS Verify creating certificate attributes
> (4) eap_tls:   TLS-Client-Cert-Serial := '06'
> (4) eap_tls:   TLS-Client-Cert-Expiration := '211008171647Z'
> (4) eap_tls:   TLS-Client-Cert-Subject := '/serialNumber=PID:CP-8841
> SN:FCH20098MSK/C=US/O=Texana Center/OU=Building
> E/CN=CP-8841-SEP00CCFC4A9AD3'
> (4) eap_tls:   TLS-Client-Cert-Issuer := '/C=US/O=Texana
> Center/OU=Building E/CN=CAPF-38b5f828/ST=Texas/L=4910 Airport Ave.'
> (4) eap_tls:   TLS-Client-Cert-Common-Name := 'CP-8841-SEP00CCFC4A9AD3'
> (4) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer
> certificate


Have you given the root certificate of the client certificate issuer in
tls-common, maybe?
Also check whether there is any intermediate CA that signs the client certificates.


> (4) eap_tls: >>> Unknown TLS version [length 0005]
> (4) eap_tls: >>> TLS 1.2  [length 0002]
> (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
> tls: TLS_accept: Error in error
> (4) eap_tls: ERROR: SSL says: error:14089086:SSL
> routines:ssl3_get_client_certificate:certificate verify failed
> SSL: SSL_read failed in a system call (-1), TLS session fails.
> TLS receive handshake failed during operation
> (4) eap_tls: eaptls_process returned 4
> (4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
> failed
> (4) eap: Failed in EAP select
> (4)     [eap] = invalid
> (4)   } # authenticate = invalid
> (4) Failed to authenticate the user
> (4) Using Post-Auth-Type Reject
>
> --------------------------------
>
> I'm a total noob at PKI and I can't figure out what I'm doing wrong.
> Is this even possible to do?
> -Ryan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- 
BR,
Anirudh Malhotra
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
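Added example (not part of this thread and not FreeRADIUS code): a shell script that reproduces OpenSSL's "error 20: unable to get local issuer certificate" with a constructed root -> intermediate -> client chain, and shows what a ca_path directory (the lookup FreeRADIUS's eap/tls-common ca_path setting hands to OpenSSL) must contain. Every name in it (Example Root CA, demo-phone-client, the file names) is made up for the demo; the only thing it assumes is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway PKI and
# verifies a client cert against three ca_path layouts: certs copied in
# under their own names, root only, and root plus intermediate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed demo PKI: self-signed root, intermediate, client cert.
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj '/CN=Example Root CA' 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile ca.ext -out root.pem 2>/dev/null

    # The intermediate is the piece that is usually missing from the store.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj '/CN=Example Intermediate CA' 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out inter.pem 2>/dev/null

    # Client certificate issued by the intermediate (what a supplicant presents).
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj '/CN=demo-phone-client' 2>/dev/null
    openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -extfile client.ext -out client.pem 2>/dev/null
}

# A ca_path directory is searched by subject-name hash, as <hash>.<n>;
# a file called root.pem sitting in the directory is never consulted.
install_ca() {
    cert=$1; dir=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$dir/$hash.$n"
}

# Verify client.pem against one ca_path directory. Returns 0 on success,
# 1 on failure; OpenSSL's reason is kept in VERIFY_OUTPUT.
verify_client() {
    if VERIFY_OUTPUT=$(openssl verify -CApath "$1" client.pem 2>&1); then
        return 0
    fi
    return 1
}

make_demo_pki
mkdir unhashed root_only full
cp root.pem inter.pem unhashed/   # "just copy the files in": wrong layout
install_ca root.pem root_only     # right layout, but no issuer for the client
install_ca root.pem full          # right layout, full chain
install_ca inter.pem full

check_unhashed()  { verify_client unhashed; }   # fails: no <hash>.<n> files
check_root_only() { verify_client root_only; }  # fails with error 20
check_full()      { verify_client full; }       # succeeds

for c in check_unhashed check_root_only check_full; do
    if $c; then
        echo "$c: OK"
    else
        echo "$c: FAILED"
        echo "$VERIFY_OUTPUT" | sed 's/^/    /'
    fi
done
```

The root_only case prints the same "unable to get local issuer certificate" that the eap_tls debug output shows: the store holds a trust anchor, but nothing that issued the client certificate, so no chain can be built. In practice `openssl rehash <dir>` (or the older c_rehash script) creates the hash names that install_ca creates by hand here; with ca_file instead of ca_path, the equivalent is concatenating root and intermediate PEMs into the one file.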