Replying to my own post. There was a permission problem which I've now fixed, but I still get failure: eapol_test: EAPOL: SUPP_BE entering state RECEIVE Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=6 length=44 Attribute 79 (EAP-Message) length=6 Value: 04060004 Attribute 80 (Message-Authenticator) length=18 Value: 09b3759d82eeeaaaf74cc3e25257cf11 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=6 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: Status notification: completion (param=failure) EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: result=0 EAPOL: EAP key not available EAPOL: EAP Session-Id not available WPA: Clear old PMK and PTK EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE and in "radiusd -X": (6) eap_tls: Creating attributes from certificate OIDs (6) eap_tls: TLS-Client-Cert-Serial := "01" (6) eap_tls: TLS-Client-Cert-Expiration := "280414075944Z" (6) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org" (6) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (6) eap_tls: TLS-Client-Cert-Common-Name := "Example Certificate Authority" (6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose (6) eap_tls: >>> send TLS 1.2 [length 0002] (6) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (6) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed (6) eap_tls: ERROR: System call (I/O) error (-1) (6) eap_tls: ERROR: TLS receive handshake failed during operation (6) eap_tls: ERROR: [eaptls process] = fail (6) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 6 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # authenticate = invalid Regards, Nick On 17/04/2018 09:46, Nick Howitt wrote:
I am having problems with the server certificate. If I create a server certificate without the XP Extensions, using eapol_test I can get a validation success, but Windows clients give an 0x80420101 error. If I redo the certificates with the XP Extensions I see the following in the certificate: X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points:
Full Name: URI:http://www.example.com/example_ca.crl
But eapol_test ends in failure with the following part way through:
TLS: Certificate verification failed, error 7 (certificate signature failure) depth 0 for '/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org' CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org' err='certificate signature failure' EAP: Status notification: remote certificate verification (param=certificate signature failure)
and "radiusd -X gives:
(29) eap_tls: Done initial handshake (29) eap_tls: <<< recv TLS 1.2 [length 0002] (29) eap_tls: ERROR: TLS Alert read:fatal:decrypt error (29) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (29) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read) (29) eap_tls: ERROR: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error (29) eap_tls: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (29) eap_tls: ERROR: System call (I/O) error (-1) (29) eap_tls: ERROR: TLS receive handshake failed during operation (29) eap_tls: ERROR: [eaptls process] = fail (29) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (29) eap: Sending EAP Failure (code 4) ID 5 length 4
Do you know what I'm doing wrong?
TIA, Nick
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html