On 06/28/2011 08:41 AM, Marco Londero wrote:
Hi folks,
I have a problem in my freeradius setup and I'm looking for some hints about that.
Scenario:
1) GNU/Linux client w/ WPA supplicant configured to request access through EAP-TLS using a certificate (in order to achieve 802.1x ethernet authentication) 2) 802.1x enabled switch where client is connected 3) user/pass 802.1x authentication works fine (MSCHAPv2 based) 4) freeradius authenticates users on LDAP
Freeradius debug log of the issue is here:
Debug logs should be a) not trimmed and b) gathered with "radiusd -X | tee log" for best effect. However:
------- http://pastie.org/2132916 -------
All certificates should be ok (both on server and client):
Well, they're not. The debug says: Mon Jun 27 15:42:13 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0566], Certificate Mon Jun 27 15:42:13 2011 : Error: --> verify error:num=20:unable to get local issuer certificate Mon Jun 27 15:42:13 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca Mon Jun 27 15:42:13 2011 : Error: TLS Alert write:fatal:unknown CA Mon Jun 27 15:42:13 2011 : Error: TLS_accept:error in SSLv3 read client certificate B Mon Jun 27 15:42:13 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Mon Jun 27 15:42:13 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails. Since you've trimmed the debug I can't see the config for your tls { } module, but you're missing a CA somewhere.