EAP-TLS failure

Stephen kbaegis at gmail.com
Thu Oct 18 00:30:05 CEST 2018 

Hi all- trying to understand a particular failure/error. I've been using
dd-wrt, freeradius and strongswan together for almost a year (mostly)
without issue. Freeradius provides my eap-tls functionality passed
either through the wifi router (dd-wrt) or VPN (strongswan). Recently my
macbook was upgraded to MacOS Mojave and I appear to no longer auth to
wireless with the same cert. The cert still works for strongswan auth.

Below are my logs for either scenario:

[dd-wrt client auth failure]

(993) eap: Expiring EAP session with state 0xaa3880f3ad308d40
(993) eap: Finished EAP session with state 0xaa3880f3ad308d40
(993) eap: Previous EAP request found for state 0xaa3880f3ad308d40,
released from the list
(993) eap: Peer sent packet with method EAP TLS (13)
(993) eap: Calling submodule eap_tls to process data
(993) eap_tls: Continuing EAP-TLS
(993) eap_tls: Peer indicated complete TLS record size will be 7 bytes
(993) eap_tls: Got complete TLS record (7 bytes)
(993) eap_tls: [eaptls verify] = length included
(993) eap_tls: <<< recv TLS 1.2  [length 0002]
(993) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(993) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read):
error:140350E5:SSL routines:ACCEPT_SR_CERT:ssl handshake failure
(993) eap_tls: ERROR: System call (I/O) error (-1)
(993) eap_tls: ERROR: TLS receive handshake failed during operation
(993) eap_tls: ERROR: [eaptls process] = fail
(993) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP
sub-module failed
(993) eap: Sending EAP Failure (code 4) ID 8 length 4
(993) eap: Failed in EAP select
---

[strongswan client auth success]

(2171) eap: Expiring EAP session with state 0x92fe72999ff07f67
(2171) eap: Finished EAP session with state 0x92fe72999ff07f67
(2171) eap: Previous EAP request found for state 0x92fe72999ff07f67,
released from the list
(2171) eap: Peer sent packet with method EAP TLS (13)
(2171) eap: Calling submodule eap_tls to process data
(2171) eap_tls: Continuing EAP-TLS
(2171) eap_tls: Got final TLS record fragment (272 bytes)
(2171) eap_tls: [eaptls verify] = ok
(2171) eap_tls: Done initial handshake
(2171) eap_tls: <<< recv TLS 1.2  [length 1458]
(2171) eap_tls: TLS - Creating attributes from certificate OIDs
(2171) eap_tls:   TLS-Cert-Serial := "<omitted>"
(2171) eap_tls:   TLS-Cert-Expiration := "<omitted>"
(2171) eap_tls:   TLS-Cert-Subject :=
"/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root
CA/CN=server.mgmt/emailAddress=poseidon at services.mgmt"
(2171) eap_tls:   TLS-Cert-Issuer :=
"/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root
CA/CN=server.mgmt/emailAddress=poseidon at services.mgmt"
(2171) eap_tls:   TLS-Cert-Common-Name := "server.mgmt"
(2171) eap_tls: TLS - Creating attributes from certificate OIDs
(2171) eap_tls:   TLS-Client-Cert-Serial := "<omitted>"
(2171) eap_tls:   TLS-Client-Cert-Expiration := "<omitted>"
(2171) eap_tls:   TLS-Client-Cert-Subject :=
"/C=ZL/ST=Zero/L=Nowhere/O=Nulllabs/O=Endpoint/OU=Nulllabs-Endpoints/CN=mbp.home/emailAddress=poseidon at services.mgmt"
(2171) eap_tls:   TLS-Client-Cert-Issuer :=
"/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root
CA/CN=server.mgmt/emailAddress=poseidon at services.mgmt"
(2171) eap_tls:   TLS-Client-Cert-Common-Name := "mbp.home"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"<omitted>"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication, IPSec User, IPSec End System, E-mail Protection,
Code Signing"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.7"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.5"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.4"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.3"
(2171) eap_tls: TLS_accept: SSLv3 read client certificate A

What I should be seeing is the following:

[dd-wrt client success]

(1015) eap: Expiring EAP session with state 0xbd2980f9b0278d8b
(1015) eap: Finished EAP session with state 0xbd2980f9b0278d8b
(1015) eap: Previous EAP request found for state 0xbd2980f9b0278d8b,
released from the list
(1015) eap: Peer sent packet with method EAP TLS (13)
(1015) eap: Calling submodule eap_tls to process data
(1015) eap_tls: Continuing EAP-TLS
(1015) eap_tls: Peer ACKed our handshake fragment.  handshake is finished
(1015) eap_tls: [eaptls verify] = success
(1015) eap_tls: [eaptls process] = success
(1015) eap: Sending EAP Success (code 3) ID 14 length 4
(1015) eap: Freeing handler

This was shown by another dd-wrt client on the same setup (High Sierra).

Anyone else seeing similar issues with MacOS Mojave? Am I missing an
extended key usage parameter or am I doing something else wrong?

Thanks in advance.

More information about the Freeradius-Users mailing list