1.- Sorry for the HTML mail mess. 2.- Now I have signed the client certificate by using the "Makefile" v.2.1.8-pre (just to be sure that I generate correctly the certificates). So, client certificate: - subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailAddress=user@example.com - issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin@example.com/CN=radiusserv.esrf.fr Server certificate: - subject=/C=FR/ST=Isere/O=ESRF/CN=radiusserv.esrf.fr/emailAddress=admin@example.com - issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin@example.com/CN=radiusserv.esrf.fr I have load ca.der under "Trusted Root CA" Also I have load client.p12 under "Personal Cerificates" And default configuration is at eap.conf - private_key_file = ${certdir}/server.pem - certificate_file = ${certdir}/server.pem - CA_file = ${cadir}/ca.pem Still work with "Microsoft: Smart Card or other Certificate" authentication method But not with "Intel: EAP-TTLS" with "PAP user/password", "Server Certificate Validation" + "Specify Server or Certificate Name" (if I remove last part... also works fine!!) Also I not be able to test EAP-TLS auth (not present on windows supplicant software) I have tried both CN as parameter for "Server or Certificate Name" (on the "Step 2 of 2" at the EAP-TTLS auth method of windows supplicant software) - Server or Certificate Name == swatzy01.esrf.fr - Server or Certificate Name == radiusserv.esrf.fr With same result: [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [ttls] eaptls_process returned 4 Should I load server certificate at the "Intermediate Certification Authorities" on Windows side? Any other idea why it work fine with "Microsoft: Smart Card or other Certificate" authentication method and it is not consider a valid certificate when I employ EAP-TTLS? Thanks in advance for your help. Regards, Fernando. tnt@kalik.net wrote:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> Hi again:<br> <br> I have just tried with both CN that I could found at my 'client certificate'<br> <br> <big><tt><small><a class="moz-txt-link-abbreviated" href="mailto:subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailAddress=user@example.com">subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailAddress=user@example.com</a><br> <a class="moz-txt-link-abbreviated" href="mailto:issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin@example.com/CN=radiusserv.esrf.fr">issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin@example.com/CN=radiusserv.esrf.fr</a></small><br> </tt></big><br> So I have tested with:<br> - Server or Certificate Name == <big><tt><small>swatzy01.esrf.fr<br> </small></tt></big>- Server or Certificate Name == <big><tt><small>radiusserv.esrf.fr<br> </small></tt></big><br> But with the same result:<br> <br> <tt>Found Auth-Type = EAP<br> +- entering group authenticate {...}<br> [eap] Request found, released from the list<br> [eap] EAP/ttls<br> [eap] processing type ttls<br> [ttls] Authenticate<br> [ttls] processing EAP-TLS<br> [ttls] eaptls_verify returned 7<br> [ttls] Done initial handshake<br> [ttls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca<br> TLS Alert read:fatal:unknown CA<br> TLS_accept:failed in SSLv3 read client certificate A<br> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<br> SSL: SSL_read failed inside of TLS (-1), TLS session fails.<br> TLS receive handshake failed during operation<br> [ttls] eaptls_process returned 4<br> [eap] Handler failed in EAP/ttls<br> [eap] Failed in EAP select<br> ++[eap] returns invalid<br> Failed to authenticate the user.</tt><br> <br> I have already done also what "Ivan Kalik" said (altering certs/Makefile to sign client certificates with ca certificate instead of server certificate.)<br> Because of that, "Microsoft: Smart Card or other Certificate" works fine right now (not before)<br> But I'm still not able to perform "Intel: EAP-TTLS" with "PAP user/password", "Server Certificate Validation" + "Specify Server or Certificate Name" (if I remove last part... also works fine!!)<br> <br> thanks in advance for all your kindly help.<br> regards,<br> <br> Fernando.<br> <br> Alan Buxey wrote: <blockquote cite="mid:20091203135939.GA5878@lboro.ac.uk" type="cite"> <pre wrap="">Hi,
</pre> <blockquote type="cite"> <pre wrap="">...and I guest it is not due to the "Client Certificate" because it was succeed authenticated in the previous tests Probably is due to I am not sure what I should write in the box reserved for "Server or Certificate Name" (on the "Step 2 of 2" at the supplicant windows software) Anyone knows what I should write at this box? I could not find a "server name" or "domain name" at the certificate (as it is explained on the "windows in-line help") </pre> </blockquote> <pre wrap=""><!---->
this will be the CN of your server certificate.
so, if , when your RADIUS server got signed by the CA it became known as eg radius.happyorg.org then the name you put into the client is radius.happyorg.org
dotn forget, this is NOT a DNS name - it is purely a 'label' - just the CN of the server.... and you must have the CA present to check that server cert has been signed by your trusted CA (for otherwise anyone can make a server have a dumb cert with radius.happyorg.org as its CN
alan </pre> </blockquote> <br> </body> </html>
1. Learn how to use e-mail.
2. That issuer looks like server certificate. You say you made client certificates signed by ca certificate. This doesn't seem to be one of them. If you can do EAP-TLS with the client certificate, you should be able to do EAP-TTLS with them too.
Ivan Kalik