<DIV>
<DIV> EAP/TLS TLS_accept error <BR>Hi:</DIV>
<DIV> </DIV>
<DIV>I want to build a IEEE 802.1x authentication environoment and </DIV>
<DIV>I have installed freeradius-1.0.2, openssl-0.9.8i, hostpad-0.4.8, wpa_supplicant-0.4.8. The authentication server is built in redhat9 ,</DIV>
<DIV>the database is mysql5 and client is build in linux.</DIV>
<DIV> </DIV>
<DIV>I can use EAP/MD5 authentication type and it runs well.<BR>When I config EAP/TLS-MD5 type, the client cann't be authenticated.<BR>I have referenced many similar ways to resolve it, but I am failed.</DIV>
<DIV> </DIV>
<DIV>I list my configuration files and the debug information below.<BR>Who can give me some suggestion, Thank your very much for your help !</DIV>
<DIV> </DIV>
<DIV>A. IN FREERADIUS:</DIV>
<DIV> </DIV>
<DIV>1. Using CA.all to generate certificats:<BR>./CA.all<BR>Get those new files:<BR>cert-clt.der cert-clt.p12 cert-clt.pem<BR>cert-srv.p12 cert-srv.pem newcert.pem<BR>newreq.pem root.der root.p12 root.pem<BR>The default protect password is whaterver</DIV>
<DIV>2. Generate Diffie-Hellman key named dh and random key named random<BR>openssl dhparam -check -text -5 512 -out dh<BR>dd if=/dev/urandom of=random count=2</DIV>
<DIV>3. eap.conf<BR>default_eap_type = tls<BR>tls {<BR>private_key_password = whatever<BR>private_key_file = /etc/mycerts/cert-srv.pem<BR>certificate_file = /etc/mycerts/cert-srv.pem<BR>CA_file = /etc/mycerts/root.pem<BR>dh_file = /etc/mycerts/dh<BR>random_file = /etc/mycerts/random<BR>fragment_size = 1024<BR>include_length = yes<BR>}</DIV>
<DIV>4. radius.conf<BR>authorize {<BR> preprocess<BR> suffix<BR> eap<BR> files<BR> sql<BR>}<BR>authenticate {<BR> eap<BR>}</DIV>
<DIV>5. users<BR>DEFAULT Auth-Type = EAP<BR> Fall-Through = 1</DIV>
<DIV>6. part of debug information<BR>modcall: entering group authenticate for request 1<BR> rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/tls<BR> rlm_eap: processing type tls<BR> rlm_eap_tls: Authenticate<BR> rlm_eap_tls: processing TLS<BR> eaptls_verify returned 7 <BR> rlm_eap_tls: Done initial handshake<BR> (other): before/accept initialization <BR> TLS_accept: before/accept initialization <BR> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello <BR> TLS_accept: SSLv3 read client hello A <BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello <BR> TLS_accept: SSLv3 write server hello A <BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0822], Certificate <BR> TLS_accept: SSLv3 write certificate A <BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0071], CertificateRequest <BR> TLS_accept: SSLv3 write certificate request A <BR> TLS_accept: SSLv3 flush data <BR> TLS_accept:error in SSLv3 read client certificate A <BR>In SSL Handshake Phase <BR>In SSL Accept mode </DIV>
<DIV> Processing the authenticate section of radiusd.conf<BR>modcall: entering group authenticate for request 4<BR> rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/tls<BR> rlm_eap: processing type tls<BR> rlm_eap_tls: Authenticate<BR> rlm_eap_tls: processing TLS<BR> eaptls_verify returned 7 <BR> rlm_eap_tls: Done initial handshake<BR> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate <BR>TLS Alert read:fatal:bad certificate <BR> TLS_accept:failed in SSLv3 read client certificate A </DIV>
<DIV>TLS_accept: SSLv3 write server done A <BR> TLS_accept: SSLv3 flush data <BR> TLS_accept:error in SSLv3 read client certificate A <BR>rlm_eap_tls: Done initial handshake<BR> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate <BR>TLS Alert read:fatal:bad certificate <BR> TLS_accept:failed in SSLv3 read client certificate A <BR>6533:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42<BR>6533:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:<BR>rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.<BR>In SSL Handshake Phase <BR>In SSL Accept mode <BR>rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails</DIV>
<DIV> </DIV>
<DIV>B. IN HOSTAPD</DIV>
<DIV> </DIV>
<DIV>1. some debug information<BR>RADIUS packet matching with station 00:13:d7:20:00:90<BR>IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state FAIL<BR>IEEE 802.1X: Sending EAP Packet to 00:13:d7:20:00:90 (identifier 4)<BR>IEEE 802.1X: 00:13:d7:20:00:90 REAUTH_TIMER entering state INITIALIZE<BR>IEEE 802.1X: 00:13:d7:20:00:90 AUTH_PAE entering state HELD<BR>br0: STA 00:13:d7:20:00:90 IEEE 802.1X: authentication failed<BR>IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state IDLE</DIV>
<DIV> </DIV>
<DIV>C. IN WPA_SUPPLICANT</DIV>
<DIV> </DIV>
<DIV>1. wired.conf<BR># IEEE 802.1X with EAP-TLS<BR>ctrl_interface=/var/run/wpa_supplicant<BR>ap_scan=0<BR>eapol_version=1</DIV>
<DIV>network={<BR> ssid=""<BR> key_mgmt=IEEE8021X<BR> eap=TLS<BR> identity="test"<BR> ca_cert="/root/root.pem"<BR> client_cert="/root/cert-clt.pem"<BR> private_key="/root/cert-clt.pem"<BR> private_key_passwd="whatever"<BR> eapol_flags=0<BR> priority=2<BR>}</DIV>
<DIV>2. some debug information<BR>SSL: SSL_connect:SSLv3 read server hello A<BR>TLS: Certificate verification failed, error 9 (certificate is not yet valid) depth 1 <BR>SSL: (where=0x4008 ret=0x22a)<BR>SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate<BR>SSL: (where=0x1002 ret=0xffffffff)<BR>SSL: SSL_connect:error in SSLv3 read server certificate B<BR>OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<BR>SSL: 7 bytes pending from ssl_out<BR>SSL: Failed - tls_out available to report error</DIV></DIV>
<DIV> </DIV><br><!-- footer --><br><hr/>
<a href="http://www.yeah.net">网易免费邮,全球最大的中文免费邮箱</a>