I tried to login from another client, but it´s the same problem. TLS Alert write:fatal:handshake failure TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate SSL: SSL_read failed in a system call (-1), TLS session fails. sorry that I ask again but I want to be sure that I didn´t understand anything wrong. Is it not generally possible to configure the freeradius server so that only clients with username/password and client certificate can login successfully? For expample only users who choose PEAP with the right username and password and having a client certificate can login successfully. Or is the problem with the error in reading client certificate a problem in the clients? Thanks a lot! -------- Original-Nachricht --------
Datum: Fri, 17 Sep 2010 11:26:56 -0400 Von: John Dennis <jdennis@redhat.com> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> CC: Klaus Laus <superklausx@gmx.de> Betreff: Re: need help - force EAP-TTLS to validate the server certificate
On 09/17/2010 11:00 AM, Klaus Laus wrote:
thanks a lot for your answer.
Either move the "files" module before "eap", or use unlang to set it:
authorize { ... update control { EAP-TLS-Require-Client-Cert = yes } eap ... } I did the changes in the authorize section, and freeradius seems to
require the client certificate. But the server is not accept my certificate. I don't think that the certificate is bad because I can login any client with the same certificate when I use TLS instead of PEAP.
This is my way to login with PEAP on a windows xp client maybe I do anything wrong? : I import the pksc12 certificate from the freeradius server in the windows xp certificate management. When I type certmgr.msc under "run" I can see that the certificate is successfully imported. Then I scan for the wireless networks and connect to wifix, I use PEAP with MSCHAP v.2 and type in testuser as user with the correct password. Here you can see the debug output (freeradius did not find my certificate):
That's right, the server didn't get your cert, it's right in the debug. As Alan said this isn't a server issue, it's a client issue, figure out why your client is not returning a cert.
TLS Alert write:fatal:handshake failure TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate SSL: SSL_read failed in a system call (-1), TLS session fails. -- John Dennis <jdennis@redhat.com>
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
-- GMX DSL SOMMER-SPECIAL: Surf & Phone Flat 16.000 für nur 19,99 Euro/mtl.!* http://portal.gmx.net/de/go/dsl