Hi All,

I've been very successful at getting EAP-TLS functional, up to the point of actually getting the CRL check to work. A little background on my setup:

EAP-TLS functional WITHOUT check_crl.
CRL downloaded via the http interface (windows2k), which is by default DER format. This is converted to PEM.
CRL can be verified with "openssl crl -in crlfile.pem -text" -- this shows up perfectly, as expected, including the serial numbers of certs that are revoked.

I can verify every cert, view with openssl -text etc. All of the certs are legit and work fine for non-CRL auth, so I don't think there is anything wrong with my certs. I've converted the private/public/cacerts into .pfx and extracted individual certs, just the cacerts, tried various bundles; everything is smooth, but it makes no difference.
The CA is running on win2k3; openssl isn't used on the freeradius box as a CA.
I run the perl script c_rehash to create the symbolic links as hashed names to the PEM certs (c_rehash even seems to 'know' the CRL file is a CRL by naming it whatever.r0).
Also verified permissions (freeradius will fail anyway if permissions to the certs don't work).
In short, I've tried everything I can think of and no matter what, once I enable crl_check, clients are rejected.

Full error msg below; however, this is the initial error:

[tls] <<< TLS 1.0 Handshake [length 1076], Certificate
--> verify error:num=3:unable to get certificate CRL

See my config below; running radiusd -X -f

Here is my config:

certdir = ${confdir}/certs
cadir = ${confdir}/certs

private_key_password = "blah"
private_key_file = ${certdir}/ca/freeradius-priv.pem

# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/ca/freeradius-pub.pem

# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca/ca.pem

#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random

#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in the
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600.
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024

# include_length is a flag which is
# by default set to yes. If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes

# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
check_crl = yes
crl_path = "/etc/raddb/certs/ca/crl.pem"
CA_path = "/etc/raddb/certs/ca/"
#pem_file_type = yes

Here is the error:

[tls] <<< TLS 1.0 Handshake [length 1076], Certificate
--> verify error:num=3:unable to get certificate CRL
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [apophxw88397hpyjx.apollogrp.edu] (from client wireless_access_point1 port 12289 cli 00-26-B0-61-FD-32)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->

Here is the CApath directory:

lrwxrwxrwx 1 root root 18 Oct 14 16:40 7a1f8db1.0 -> freeradius-pub.pem
lrwxrwxrwx 1 root root 6 Oct 14 16:40 a7454e50.0 -> ca.pem
lrwxrwxrwx 1 root root 7 Oct 14 16:40 a7454e50.r0 -> crl.pem
-r--r----- 1 root radiusd 1760 Oct 14 16:18 ca.pem
-rw-rw-r-- 1 root radiusd 1877 Oct 14 16:40 crl.pem
-r--r----- 1 root radiusd 1751 Oct 14 16:40 freeradius-priv.pem
-r--r----- 1 root radiusd 2268 Oct 14 16:40 freeradius-pub.pem

I can post a more lengthy failure log if someone wants it. My question is, has anyone got this working without running the openssl CA right on the same box as freeradius? What am I missing? Thank you for any assistance.
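The following script is an added example, not part of the post above and not FreeRADIUS or OpenSSL project code. It rebuilds, with a throw-away CA, the CApath layout the post shows (a `<hash>.0` link for the CA cert and a `<hash>.r0` link for the CRL) and runs the same leaf-certificate check the TLS server performs, `openssl verify -crl_check -CApath`, at three stages: CA linked but no CRL present (this reproduces "verify error:num=3:unable to get certificate CRL"), CRL linked (OK), and after revoking the client cert (error 23, certificate revoked). It also performs the one consistency check a CApath-based CRL lookup depends on: the CRL's issuer-name hash (`openssl crl -hash`) must equal the CA certificate's subject-name hash (`openssl x509 -subject_hash`), which is exactly what makes `a7454e50.r0` pair with `a7454e50.0` in the listing above. Everything here is constructed: it assumes only an `openssl` binary (1.1.1 or later) on PATH, and the CA name, client name and directory names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl >= 1.1.1 on PATH.
# All names below ("Example Test CA", "test-client", file names) are constructed.

# make_ca DIR: a throw-away CA (key, self-signed cert, CA database) in DIR.
make_ca() {
  dir=$1
  cat >"$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $dir
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  : >"$dir/index.txt"
  echo 01 >"$dir/serial"
  echo 01 >"$dir/crlnumber"
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 -sha256 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Example Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
}

# make_client DIR: key + CSR + CA-signed leaf cert, i.e. the supplicant's cert.
make_client() {
  dir=$1
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=test-client" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$dir/client.pem" 2>/dev/null
}

# make_crl DIR: issue (or re-issue) the CA's CRL in PEM form.
make_crl() {
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# revoke_client DIR: mark the leaf revoked in the CA database, then re-issue the CRL.
revoke_client() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/client.pem" 2>/dev/null
  make_crl "$1"
}

# link_hashed DIR: what c_rehash does for this layout: <subject-hash>.0 for the
# CA cert and <issuer-hash>.r0 for the CRL, so the hashed-directory lookup finds both.
link_hashed() {
  dir=$1
  h=$(openssl x509 -noout -subject_hash -in "$dir/ca.pem")
  ln -sf ca.pem "$dir/$h.0"
  if [ -f "$dir/crl.pem" ]; then
    h=$(openssl crl -noout -hash -in "$dir/crl.pem")
    ln -sf crl.pem "$dir/$h.r0"
  fi
}

# crl_matches_ca DIR: true when the CRL's issuer hash equals the CA's subject hash.
# If they differ, the .r0 link is never consulted for certs issued by that CA.
crl_matches_ca() {
  [ "$(openssl crl -noout -hash -in "$1/crl.pem")" = \
    "$(openssl x509 -noout -subject_hash -in "$1/ca.pem")" ]
}

# verify_client DIR: the leaf-certificate check with CRL required, classified.
verify_client() {
  out=$(openssl verify -crl_check -CApath "$1" "$1/client.pem" 2>&1) || true
  case $out in
    *"unable to get certificate CRL"*) echo NO_CRL ;;   # verify error num=3
    *"certificate revoked"*)           echo REVOKED ;;  # verify error num=23
    *": OK"*)                          echo OK ;;
    *)                                 echo OTHER ;;
  esac
}

# Walk-through: error 3 first (CA linked, no CRL), then OK, then revoked.
WORK=$(mktemp -d)
make_ca "$WORK" && make_client "$WORK" && link_hashed "$WORK"
echo "no CRL in CApath:  $(verify_client "$WORK")"
make_crl "$WORK" && link_hashed "$WORK"
crl_matches_ca "$WORK" && echo "CRL issuer hash matches CA subject hash"
echo "CRL present:       $(verify_client "$WORK")"
revoke_client "$WORK" && link_hashed "$WORK"
echo "client revoked:    $(verify_client "$WORK")"
ls -l "$WORK" | grep -E '\.(0|r0) ->'
```

Running `verify_client` against a real CApath directory (with the server's own client cert in place of `client.pem`) is a quick way to see whether OpenSSL itself can find the CRL from that directory before involving FreeRADIUS; `crl_matches_ca` is worth running whenever the CRL is produced on a different machine from the one doing the `c_rehash`, since the `.r0` name is derived from the CRL's issuer and must coincide with the `.0` name of the CA that signed the client certs.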