FW: OCSP Error: "Couldn't get issuer_cert" with EAP-TLS

Barry Hesk bhesk at hotmail.com
Wed Mar 11 15:32:18 CET 2020


Hi

Be really grateful for some assistance in this setup:


1. FreeRadius 3.0.16 running on Ubuntu 18.04 LTS

2. I have enabled EAP-TLS and have this working. The certificates (CA, Server, Client) have been created and imported from Microsoft CA server.

3. I have copied the CA certificate to /etc/freeradius/3.0/certs/root.pem and the server certificate / private key to /etc/freeradius/3.0/certs/radcert.pem

4. My eap module config looks like:

tls-config tls-common {
        private_key_password = <password>
        private_key_file = /etc/freeradius/3.0/certs/radcert.pem
        certificate_file = /etc/freeradius/3.0/certs/radcert.pem
        ca_file = /etc/freeradius/3.0/certs/root.pem
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        ocsp {
                enable = yes
                override_cert_url = yes
                url = "http://<IP address>/ocsp"
                timeout = 0
        }
}

Without OCSP enabled, everything works. I can authenticate from a Wireless Access Point using a client certificate and EAP-TLS.

I have configured OCSP in my Microsoft PKI environment and confirmed it works using the inbuilt Microsoft tools and OCSP Responder. I can use the URL listed above "http://<IP address>/ocsp" to check the certificate validity outside of FreeRadius.

When I enable OCSP on FreeRadius, I receive an error message on client authentication "Could not get issuer_cert". FreeRADIUS doesn't attempt to query the OCSP URL (confirmed by packet capture). I have run FreeRadius in debug mode, where I see the message. "BARRYE540.intrinsic-comms.co.uk" is the CN of the client side certificate.

"/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" is my CA. This is the certificate in the file /etc/freeradius/3.0/certs/root.pem

This CA signed both my server certificate, and also the client certificate.

(6)   authenticate {
(6) eap: Expiring EAP session with state 0xbe16c925bb1ec429
(6) eap: Finished EAP session with state 0xbe16c925bb1ec429
(6) eap: Previous EAP request found for state 0xbe16c925bb1ec429, released from the list
(6) eap: Peer sent packet with method EAP TLS (13)
(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Got final TLS record fragment (430 bytes)
(6) eap_tls: [eaptls verify] = ok
(6) eap_tls: Done initial handshake
(6) eap_tls: TLS_accept: SSLv3/TLS write server done
(6) eap_tls: <<< recv TLS 1.0 Handshake [length 05ec], Certificate
(6) eap_tls: Creating attributes from certificate OIDs
(6) eap_tls:   TLS-Cert-Serial := "65af3f02a6ec65a44c0e7514e4264d26"
(6) eap_tls:   TLS-Cert-Expiration := "210606133907Z"
(6) eap_tls:   TLS-Cert-Subject := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA"
(6) eap_tls:   TLS-Cert-Issuer := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA"
(6) eap_tls:   TLS-Cert-Common-Name := "intrinsic-comms-INTRINSIC-DC1-CA"
(6) eap_tls: Creating attributes from certificate OIDs
(6) eap_tls:   TLS-Client-Cert-Serial := "61ab3a63000000000024"
(6) eap_tls:   TLS-Client-Cert-Expiration := "210311124806Z"
(6) eap_tls:   TLS-Client-Cert-Subject := "/CN=BARRYE540.intrinsic-comms.co.uk"
(6) eap_tls:   TLS-Client-Cert-Issuer := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA"
(6) eap_tls:   TLS-Client-Cert-Common-Name := "BARRYE540.intrinsic-comms.co.uk"
(6) eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Dns := "BARRYE540.intrinsic-comms.co.uk"
(6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication"
(6) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "92:B0:76:E0:FF:A4:21:CA:90:86:5D:ED:30:95:76:ED:1B:39:7C:3C"
(6) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:6E:8C:54:CC:71:53:48:A7:7B:C7:56:CA:9F:BA:B2:00:D0:D0:B0:4D\n"
(6) eap_tls: Starting OCSP Request
(6) eap_tls: ERROR: Couldn't get issuer_cert for BARRYE540.intrinsic-comms.co.uk
(6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(6) eap_tls: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_tls: <<< recv TLS 1.0 Handshake [length 0106], CertificateVerify
(6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_tls: <<< recv TLS 1.0 Handshake [length 0010], Finished
(6) eap_tls: TLS_accept: SSLv3/TLS read finished
(6) eap_tls: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_tls: >>> send TLS 1.0 Handshake [length 0010], Finished
(6) eap_tls: TLS_accept: SSLv3/TLS write finished
(6) eap_tls: (other): SSL negotiation finished successfully
(6) eap_tls: SSL Connection Established
(6) eap_tls: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 9 length 69
(6) eap: EAP session adding &reply:State = 0xbe16c925b81fc429
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 56 from 10.1.201.131:1812 to 10.1.200.5:1645 length 0
(6)   EAP-Message = 0x010900450d800000003b14030100010116030100300d1b86144514486ac8365c982b727cc67cc948850c735a28a07e93f2b24bf4b0858e5ac5677c48fbcb1293e30098f482
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xbe16c925b81fc4295f491b5eb49b13aa
(6) Finished request

If there are any other further debugs or outputs that would assist, please let me know.

Thanks.
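
An OCSP request identifies a certificate by hashes of its issuer's name and public key plus the serial number, so the issuer certificate has to be located before any query can be sent. The script below is an added example (not part of the original post and not FreeRADIUS code) that checks offline, with the openssl CLI, whether a CA file holds the issuer of a client certificate. The has_issuer and make_demo helpers, the demo subjects and the temporary files are all constructed for illustration.

```shell
#!/bin/sh
# Added example; names, subjects and files are constructed for the demo.

# has_issuer CA_FILE CERT: 0 if the (first) certificate in CA_FILE issued CERT.
has_issuer() {
    ca=$1; cert=$2
    # Name match: issuer DN hash of the client == subject DN hash of the CA.
    want=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
    have=$(openssl x509 -in "$ca" -noout -subject_hash) || return 2
    [ "$want" = "$have" ] || return 1
    # Key match: the client's signature must verify under that CA's key.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# make_demo: build a throwaway CA, an unrelated CA and a client cert; print dir.
make_demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
    echo "$d"
}

demo=$(make_demo)
for f in ca.pem other.pem; do
    if has_issuer "$demo/$f" "$demo/client.pem"; then
        echo "$f: issuer of client.pem found"
    else
        echo "$f: issuer of client.pem NOT found"
    fi
done
rm -rf "$demo"
```

To run the same check against real files, call has_issuer with the CA file and a PEM export of the client certificate; a return of 1 means the names do not match, 2 means a file could not be read.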




