Hi,
I'm integrating hostap's EAP library and its EAP supplicant state
machine on an embedded device and am testing against the FreeRADIUS
server. I've got MD5 authentication going (yes, I know this is open to
attacks) and I have EAP-TTLS going as well. However, with EAP-TLS I'm
getting the error as per subject of this email. I'm getting the same
error if I set the EAP-TTLS config option "require_client_cert = yes".
It definitely is a problem with the certificate, but I don't know what
(or how to get more information about this). I created the test
certificates and copied the ca.pem file to the device with my hostap EAP
library and EAP supplicant state machine.
The FreeRadius log:
(4) Found Auth-Type = eap
(4) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x05594454060d4948
(4) eap: Finished EAP session with state 0x05594454060d4948
(4) eap: Previous EAP request found for state 0x05594454060d4948,
released from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: Continuing EAP-TLS
(4) eap_tls: [eaptls verify] = ok
(4) eap_tls: Done initial handshake
(4) eap_tls: TLS_accept: SSLv3/TLS write server done
(4) eap_tls: >>> send TLS 1.2 [length 0002]
(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message
tls: TLS_accept: Error in error
(4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read):
error:141A20F4:SSL
routines:ossl_statem_server_read_transition:unexpected message
(4) eap_tls: ERROR: System call (I/O) error (-1)
(4) eap_tls: ERROR: TLS receive handshake failed during operation
(4) eap_tls: ERROR: [eaptls process] = fail
(4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP
sub-module failed
(4) eap: Sending EAP Failure (code 4) ID 84 length 4
(4) eap: Failed in EAP select
(4) [eap] = invalid
(4) } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
The wireshark log (for EAP-TLS) looks like this:
No. Time Source Destination Protocol Length Info
16 2.721206 00:11:22:33:44:55 00:00:00:00:00:00 EAPOL
60 Start
17 2.722845 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP
60 Request, Identity
18 2.741815 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP
60 Response, Identity
19 2.746876 192.168.1.2 192.168.1.4 RADIUS 144
Access-Request id=166
42 2.752227 192.168.1.4 192.168.1.2 RADIUS 106
Access-Challenge id=166
46 2.756640 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP
60 Request, TLS EAP (EAP-TLS)
69 6.971847 00:11:22:33:44:55 cc:37:ab:cb:f6:98 TLSv1.2
226 Client Hello
70 7.084757 192.168.1.2 192.168.1.4 RADIUS 359
Access-Request id=65
112 7.149186 192.168.1.4 192.168.1.2 RADIUS 1110
Access-Challenge id=65
118 7.156721 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP
1022 Request, TLS EAP (EAP-TLS)
119 7.162062 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP
60 Response, TLS EAP (EAP-TLS)
120 7.166973 192.168.1.2 192.168.1.4 RADIUS 157
Access-Request id=136
141 7.170477 192.168.1.4 192.168.1.2 RADIUS 1110
Access-Challenge id=136
145 7.176735 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP
1022 Request, TLS EAP (EAP-TLS)
146 7.182956 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP
60 Response, TLS EAP (EAP-TLS)
147 7.188318 192.168.1.2 192.168.1.4 RADIUS 157
Access-Request id=166
166 7.191746 192.168.1.4 192.168.1.2 RADIUS 1063
Access-Challenge id=166
170 7.196867 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 TLSv1.2
975 Server Hello, Certificate, Server Key Exchange, Certificate
Request, Server Hello Done
257 16.852519 00:11:22:33:44:55 cc:37:ab:cb:f6:98
TLSv1.2 150 Client Key Exchange, Change Cipher Spec, Encrypted
Handshake Message
258 16.882712 192.168.1.2 192.168.1.4 RADIUS 283
Access-Request id=56
290 17.929500 192.168.1.4 192.168.1.2 RADIUS 86
Access-Reject id=56
296 18.007949 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP
60 Failure
Any ideas?
Thanks in advance,
Mike.