We've noticed several people have posted their eap.conf for eap-tls troubleshooting, and that both the check_cert_issuer and check_cert_cn are commented out. In these configurations is freeradius just checking for the certificate in the crl list and that the proper CA root is in the CA_file on the freeradius server?
What is gained by using check_cert_cn?
When we have check_cert_cn enabled it seems that the User-Name is translated differently from different types of devices. When a test user with an iPhone tries to connect he receives errors, but the same certificate on a Microsoft Vista wireless client is successfully authenticated. We've seen this with both freeradius v1.1.7 and v2.1.1. Which file controls the User-Name translation?
Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Test User (Company 1)) does not match specified value (test.user@company1.com)!
Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown
Fri Oct 24 19:46:58 2008 : Error: TLS_accept:error in SSLv3 read client certificate B
Fri Oct 24 19:46:58 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Oct 24 19:46:58 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: [test.user@company1.com] (from client tstca-wc-c01 port 29 cli 00-23-6C-5B-1C-23)
Regards,
Kas
Want to read Hotmail messages in Outlook? The Wordsmiths show you how. Learn Now