Hi Arran, the require_client_cert was set to true during my "EAP-TTLS + PAP (LDAP auth) + client cert" tests ... is there anything else to try? Regards, JM
On 22 Jan 2020, at 02:20, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 21 Jan 2020, at 20:02, Ján Máté <jan.mate@inf-it.com> wrote:
Hi list,
I successfully installed and configured our FreeRADIUS server with the following results:
EAP-TLS => works on Windows 10, iOS 13, macOS 10.15 (Catalina) EAP-TTLS + PAP (LDAP auth) => works on Windows 10, iOS 13, macOS 10.15 EAP-TTLS + PAP (LDAP auth) + client cert => NOT works on Windows 10, but works on iOS 13, macOS 10.15
The last option with Windows 10 produces the following error logs:
(185) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error
Mmm, an error in the error, OK.
(185) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
That's a bit better.
(185) eap_ttls: ERROR: System call (I/O) error (-1) (185) eap_ttls: ERROR: TLS receive handshake failed during operation (185) eap_ttls: ERROR: [eaptls process] = fail (185) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
You could try requiring the client certificate:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_...
But I honestly can't remember if that alters the handshake data the server sends to the client or just forces a handshake failure if the client doesn't provide a certificate.
Try it and report back :)
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html