Hi, I'm running into an issue where FreeRADIUS allows an invalid certificate (one not signed by my configured CA) to successfully authenticate to EAP-TLS. There's a message in the log that clearly indicates that the CA wasn't found (--> verify error:num=20:unable to get local issuer certificate) , yet my authentication succeeds. I'm using FreeRADIUS version 2.1.10 with a largely default configuration (home-grown certificates). I want this authentication to fail because the certificate that the client is using was not signed by the CA that I have configured with the CA_file directive, therefore it should be considered an invalid EAP-TLS attempt. Has anyone seen this before? I couldn't find any related messages in the FreeRADIUS archive. Thanks, Here's the log: rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=39, length=189 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000013014175746f6d6174696f6e55736572 Message-Authenticator = 0xebf0b398f32dc38984552b06634ef90e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 39 to 192.168.19.12 port 1035 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2fcae5dd2fda306cc163ff247674563 Finished request 37. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=40, length=352 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100a40d800000009a16030100950100009103014cb5184f29200ee95888008e509e4cf7d61e39b9688acd0a179f3f12fd982b03000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 State = 0xd2fcae5dd2fda306cc163ff247674563 Message-Authenticator = 0xbaf4c3763aa24c9f8ecb1bc1695bfbe4 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 164 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 154 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0095], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 069f], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00af], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 40 to 192.168.19.12 port 1035 EAP-Message = 0x010204000dc000000787160301002a0200002603014cb5183db33a52670f42ebf1dd1d323435c9d1727572176f37deae32bcdf256400002f00160301069f0b00069b0006980002cf308202cb30820234a003020102020101300d06092a864886f70d010105050030819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e7340 EAP-Message = 0x6170706c652e636f6d301e170d3130313031303033313233365a170d3230313030393033313233365a3081a0310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d73514131193017060355040313104175746f6d6174696f6e5365727665723125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d00308189028181009c863c44ddc7f8e2d9153ce65d246a4576e7cad0 EAP-Message = 0x693a37f44cf8e71fbd4010fb0287128c6e4a5eae040a9d806ba510d76026c536a6e44a1341630f76a472f3a324aff010ccf26e168a523e9dac5b131512b6534209c4ddf0059e456767fef96ab15996e3e9e6d8c06aed16032ed09ec81a79e5cf2fcad21d43f93a382ef64afd0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100b3ab384f900eb95db0b5f932639f532d7993d262e5d4f95b0caf2f6778dc3f7ead0361033974828f3a564aa7642760c93c5f3293c69f4f13ed309bee53a0dcee4a07d59994d34a7e51ddef376f87c8ab8614f9e14dd233d1c7f7cb3af4dc571b EAP-Message = 0x2c456a6e2a857a132a9d26d2acc4be820b7c6265a0b541f3f31067a8ce921b7a0003c3308203bf30820328a003020102020900aee0069109e88a1e300d06092a864886f70d010105050030819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d301e170d3130313031303033303831335a170d32 EAP-Message = 0x30313030393033303831335a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2fcae5dd3fea306cc163ff247674563 Finished request 38. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=41, length=194 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060d00 State = 0xd2fcae5dd3fea306cc163ff247674563 Message-Authenticator = 0xa475a2642ff359874a9fc61a5522e311 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 41 to 192.168.19.12 port 1035 EAP-Message = 0x0103039b0d800000078730819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100eba6920d4e7026b5b56be1ffe4a92657531f57f5ec3151a3b08536f2c15ac37e6ca83945576dc7fa534379f00849d14f3ccb630c0cceff EAP-Message = 0x7c032eeedceda81ede4979d9c11aa32b94e13d2c55911c8910d74fe834a062c563b76f66377ba558adf01c29ad786385dcf067324f087f4e62f9bce9f1a15c0238d7068e6bff2436910203010001a382010530820101301d0603551d0e041604143d14bac4f677ed18b87223f0ef167fa28fb245a03081d10603551d230481c93081c680143d14bac4f677ed18b87223f0ef167fa28fb245a0a181a2a4819f30819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d EAP-Message = 0x735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d820900aee0069109e88a1e300c0603551d13040530030101ff300d06092a864886f70d010105050003818100e533646f2f3626e199b1617ea96c40568f8c210f770373587881beb74e8c5b439c6b43e075567d0fba0bcfdcf62e70bdca8240ca0156ea160648f09650898f1e4569aaccd3108a95d94a07f59f60b127626399f132d34825e5100c9986d7754d2a45b743d8b75037f032cb30e071a1128486e433f69a6039f6c06926a88e777716030100af0d0000a70301024000a100 EAP-Message = 0x9f30819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2fcae5dd0ffa306cc163ff247674563 Finished request 39. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=42, length=1274 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020304360d800000042c16030102d60b0002d20002cf0002cc308202c830820231a003020102020102300d06092a864886f70d010105050030819b310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311430120603550403130b526f7474656e4170706c653125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d301e170d3130313031323138333633355a170d3230313031313138333633355a30819e310b3009 EAP-Message = 0x060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311730150603550403130e4175746f6d6174696f6e557365723125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db2c1fc69d20a42a3101c93df6d6db4fab40fb77fdefd5334ba3ccfca3032417aefb71deb9ef75f51182010940a03c618ca1a879af099d1470fc8d8fcfd3d4d9cc3d1672bb7f EAP-Message = 0xed5c015ef660cbdb2f75eae83c658683164773db3ba34782fbba6ead164839b6b555c94fc355d24228545474a2d7a4ae732982ebffdaf3bb20fd0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010105050003818100505a1fcf9aa9fc38d3cc0fb6f6e2edfe0ab50af4aa358726dfd784e69461e3f0c539360a94995cce8bf85bf4f1cc53bd8eda704b135a698e89d157d042d602d1f78c2bbb4a3f2cc2fb9113b9d03f71f731c71cd9360ef4f762403e7c14fcd112401c7217321dbc1d2fb8b2168c0651c2eaade2f1292f4a7c5f8904a2c1844cfd16030100861000008200801ef0cf7c185512 EAP-Message = 0x86b4f42b2374ad3345f22e10c90614b872fa5688df1621c9acadc08593d71659adf9cce1550e199d0e0da86d99e25bab70888873d38f07f42e0c4a344fb5d3fc5788de9cacf4c182fb06fd176afd9a65d9297bea1e73acd3ffa6dfbc70e1014a2c7f6cf8f3d5342d96aaa32a1311b89e455586816c7b57564516030100860f0000820080a9de35c71327f318ebb962597c6f6503e073afe5aa279c1822463224fe189022c50ec10a915947ae451e3d39d798106d9ff5bfe7600ad6ce0da735ba4613898facdb2889ac642ed2efc1ca6e81b79594678e055fba42fddd1d16634b85b641587d349fe39e127080b9f8695a962c8ca0480f7b52cf6cbafa1e EAP-Message = 0x5ff67080001aa11403010001011603010030a11644efce0b94b9179c2e9aa9eb472e0869267e0bf174beae262e5f4e4bd0583db05bd6bf51fba61ba940eca8e658b0 State = 0xd2fcae5dd0ffa306cc163ff247674563 Message-Authenticator = 0x2a124c92c4da145bbd47a068a71f4293 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1068 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 02d6], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully SSL Connection Established [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 42 to 192.168.19.12 port 1035 EAP-Message = 0x010400450d800000003b14030100010116030100308aeb9012d08c6b2e742f6f6defcbe397ce58cb4911aeeba0c6c2ac6d4e45b941898218a5e1bf55e35ed26ee1a29b3464 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2fcae5dd1f8a306cc163ff247674563 Finished request 40. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=43, length=194 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400060d00 State = 0xd2fcae5dd1f8a306cc163ff247674563 Message-Authenticator = 0x34e48ce176b27309dbd3b53091ad3816 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake is finished [tls] eaptls_verify returned 3 [tls] eaptls_process returned 3 [tls] Adding user data to cached session [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 43 to 192.168.19.12 port 1035 MS-MPPE-Recv-Key = 0x08d815790ebfb9a13cc81f79b0c756c8126e52f63338fd882c458eb019a48533 MS-MPPE-Send-Key = 0x1bc9637fd958191a0127c04a9b84812644caba495fcfc5ec3d3b02edc08fd72e EAP-Message = 0x03040004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "AutomationUser" Finished request 41. Going to the next request Waking up in 4.7 seconds. rad_recv: Accounting-Request packet from host 192.168.19.12 port 1031, id=44, length=169 Acct-Session-Id = "4CB26D4B-0000007B" Acct-Status-Type = Start Acct-Authentic = RADIUS User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" NAS-Port-Type = Wireless-802.11 Connect-Info = "11ng" Vendor-26928-Attr-1 = 0x00000000 # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 192.168.19.12,NAS-IP-Address = 192.168.19.12,Acct-Session-Id = "4CB26D4B-0000007B",User-Name = "AutomationUser"' [acct_unique] Acct-Unique-Session-ID = "246d28e49e4f15d2". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.19.12/detail-20101012 [detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.19.12/detail-20101012 [detail] expand: %t -> Tue Oct 12 19:23:57 2010 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp [radutmp] expand: %{User-Name} -> AutomationUser ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> AutomationUser attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 44 to 192.168.19.12 port 1031 Finished request 42. Cleaning up request 42 ID 44 with timestamp +371 Going to the next request Waking up in 4.7 seconds.