Help with non-compliant client (TLS issue)
geoff at hostfission.com
Wed May 17 08:16:09 CEST 2017
I am trying to use an ESP8266 to connect to a network using freeradius,
I have confirmed that the fault is not due to freeradius but since the
code in the SDK for the device is closed, I am limited in what I can do
to resolve the problem.
The server is configured and is working fine with EAP-PEAP using
MSCHAPv2 auth, which the device is supposed to support. Other devices
and eapol_test confirm that the radius server is setup correctly.
When the device attempts to authenticate the following in the freeradius
debug output is observed.
[eap] Request found, released from the list
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept: failed in unknown state
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
My assumption is that the device is erroneously trying to tell the
server that it is providing a client certificate, which it obviously is
not, but I do not know enough about TLS to verify this and would love
some feedback if anyone is a guru in this area.
Even if I provide a client certificate the above error still occurs,
clearly the fault is in the binary blob that Espressif provides.
Server Management & Monitoring
P: +61 2 9037 0321
More information about the Freeradius-Users