Tomas Pelka wrote:
tnt@kalik.net wrote:
Alan DeKok wrote:
Tomas Pelka wrote:
have a problem with "advanced" EAP authentication methods including PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2. I wouldn't call them "advanced..."
Certs was created with the makefile included in freeradius sources.
All my experiments ending with: decapsulated EAP packet (code=4 id=4 len=4) from RADIUS server: EAP Failure Authentication works fine - you are getting an initial Access-Accept. But then:
[ttls] Skipping Phase2 due to session resumption [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
Read cache section of eap.conf.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So if am I get it right, the problem is reauthentication, right? But
#tls section cache { enable = yes lifetime = 24 # hours max_entries = 255 } and even no cache (enable=no) do not work.
TTLS-md5/mschapv2 and PEAP, works with cache enabled (inside ttls section).
Thanks.
So the problem is in certificate: [tls] <<< TLS 1.0 Handshake [length 038d], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # openssl verify -CApath ca.pem client.pem client.pem: /C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com error 20 at 0 depth lookup:unable to get local issuer certificate I'm little bit confused, I created the client certificate using make client. Isn't possible that freeradius Makefile is buggy? Cheers -- Tom