<br><br><div class="gmail_quote">On Tue, Dec 9, 2008 at 5:35 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">Jason Wittlin-Cohen wrote:<br>
> I already do that with the Juniper Access Client. The problem is that<br>
> the client certificate has the user's name as the Common Name and that<br>
> is sent in the clear. PEAP/EAP-TLS sends the user's certificate through<br>
> the tunnel obviating the issue. I admit this isn't a large problem but<br>
> it would be a nice feature to have.<br>
<br>
</div> FreeRADIUS doesn't support RFC 5216, it's too new.<br>
<br>
It has been tested with PEAPv0/EAP-TLS in the past, but it's not a<br>
common configuration. So it might not work now.<br>
<font color="#888888"><br>
Alan DeKok.<br>
</font><div><div></div><div class="Wj3C7c">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br>Alan,<br><br>I installed FreeRADIUS 2.1.3 on my Ubuntu 8.10 server and encountered the same failure with PEAPv0/EAP-TLS. I think I've discovered the problem. FreeRADIUS expects the client certificate to be sent before the SSL tunnel is established. When the client sends a response without a certificate, it complains that the client did not return a certificate and rejects the user. I've tested with the Juniper Access Client, Intel ProSet client, and XP's own supplicant and got the same result each time, so I don't think this is a client-side problem.<br>
<br>Log:<br><br>
[peap] <<< TLS 1.0 Handshake [length 0007], Certificate<br>
[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure<br>
TLS Alert write:fatal:handshake failure<br>
TLS_accept:error in SSLv3 read client certificate B<br>
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate<br>
SSL: SSL_read failed in a system call (-1), TLS session fails.<br>
TLS receive handshake failed during operation<br>
[peap] eaptls_process returned 4<br>
[peap] EAPTLS_OTHERS<br>
[eap] Handler failed in EAP/peap<br>
[eap] Failed in EAP select<br>
++[eap] returns invalid<br>
Failed to authenticate the user.<br>
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 55 cli 0013e87d571d)<br>
<br>
<br>What's interesting is that if I send a certificate outside the tunnel (Juniper allows you to send a certificate in addition to any authentication method - which would in this case, lead to the certificate being sent once outside the tunnel and again inside), authentication still fails, this time with the "No EAP session matching the State variable" error. <br>
<br>
rlm_eap: No EAP session matching the State variable.<br>
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request<br>
[eap] Failed in handler<br>
++[eap] returns invalid<br>
Failed to authenticate the user.<br>
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)<br><br>eap.conf:<br><br> Module: Linked to module rlm_eap<br> Module: Instantiating eap<br> eap {<br> default_eap_type = "peap"<br>
timer_expire = 60<br> ignore_unknown_eap_types = no<br> cisco_accounting_username_bug = no<br> max_sessions = 2048<br> }<br> Module: Linked to sub-module rlm_eap_tls<br> Module: Instantiating eap-tls<br>
tls {<br> rsa_key_exchange = no<br> dh_key_exchange = yes<br> rsa_key_length = 512<br> dh_key_length = 512<br> verify_depth = 0<br> CA_path = "/etc/freeradius/certs/"<br>
pem_file_type = yes<br> private_key_file = "/etc/freeradius/certs/server.key"<br> certificate_file = "/etc/freeradius/certs/server.crt"<br> CA_file = "/etc/freeradius/certs/ca.crt"<br>
dh_file = "/etc/freeradius/certs/dh3072.pem"<br> random_file = "/dev/urandom"<br> fragment_size = 1024<br> include_length = yes<br> check_crl = yes<br> cipher_list = "HIGH"<br>
check_cert_issuer = "/C=US/O=FreeRadius CA/CN=FreeRadius CA/emailAddress=<a href="mailto:jwittlincohen@gmail.com">jwittlincohen@gmail.com</a>"<br> cache {<br> enable = no<br> lifetime = 24<br>
max_entries = 255<br> }<br> }<br> Module: Linked to sub-module rlm_eap_peap<br> Module: Instantiating eap-peap<br> peap {<br> default_eap_type = "tls"<br> copy_request_to_tunnel = no<br>
use_tunneled_reply = no<br> proxy_tunneled_request_as_eap = no<br> }<br> Module: Linked to sub-module rlm_eap_mschapv2<br> Module: Instantiating eap-mschapv2<br> mschapv2 {<br> with_ntdomain_hack = no<br>
}<br><br>Jason Wittlin-Cohen<br><br>
<br><br><br><br><br><br><br>