Hi,
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS) TLS: Trusted root certificate(s) loaded OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib OpenSSL: SSL_use_certificate_file (PEM) --> OK OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK SSL: Private key loaded successfully CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected EAP: EAP entering state METHOD
so client not too happy about certs... but looks like it loaded them okay still anyway (if they were DER format these error messages would probably go)
SSL: SSL_connect:SSLv3 read server hello A TLS: Certificate verification failed, error 7 (certificate signature failure) depth 1 for '/C=DE/ST=Hamburg/L=Schwarzenbek/O=tiri GmbH/emailAddress=ca@hotspot.tiri.li/CN=tiri CA' SSL: (where=0x4008 ret=0x233) SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server certificate B OpenSSL: tls_connection_handshake - SSL_connect error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm OpenSSL: pending error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed SSL: 7 bytes pending from ssl_out SSL: Failed - tls_out available to report error SSL: 7 bytes left to be sent out (of total 7 bytes)
so client didnt like what the RADIUS server sent. ensure that the client is using the correct CA details. ensure that the server is using the correct details! and ensure that the client is also sending out any intermediate certs that the client needs to built the trust chain from server cert to the root CA
But there is still something missing. How is password for user "wlan_test" being transmitted?
the missing thing is just your knowledge about EAP-TLS protocol. there is no password - the client is authenicated based on mutual trust of the certificate that it is using...and the clients certificzte is protected by the private-key component of the certificate that only the authorised client/user would know to allow that certificate to be loaded/read for use with EAP-TLS EAP-TLS works very much like you showing a passport at the security section of airport. the security guard will recognise the document...and know that they have an agreement with your country...they will check the contents of your passport...ensure its all present and correct and hasnt expired. alan