Hi, I'm having an issue with FreeRADIUS 3.2.3 and the EAP module. It doesn't take into account my private PKI. I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work. I have no issues with FreeRADIUS 3.0.x My server is running RHEL 8 and my OpenSSL version is 1.1.1K Thanks for your help, Regards, --
mods-enabled/eap eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } gtc { auth_type = PAP } tls-config tls-common { private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem ca_file = ${cadir}/chain.pem ca_path = ${cadir} reject_unknown_intermediate_ca = no cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.2" ecdh_curve = "" cache { enable = no store { Tunnel-Private-Group-Id } } verify { } ocsp { enable = yes override_cert_url = no url = "http://127.0.0.1/ocsp/" } } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }
ls -l certs total 32 lrwxrwxrwx. 1 root root 17 Jan 23 12:17 3377b39c.0 -> subca.pem lrwxrwxrwx. 1 root root 18 Jan 23 12:17 72f73b82.0 -> rootca.pem -rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem -rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem -rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem -rw-r-----. 1 root radiusd 1704 Jan 23 10:18 server.key -rw-r-----. 1 root radiusd 8567 Jan 23 10:18 server.pem
debug (if reject_unknown_intermediate_ca = yes) [...] Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /CN=SubCA (TLS) untrusted certificate with depth [0] subject name /CN=device tls: There are untrusted certificates in the certificate chain. Rejecting. (10) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error (10) eap_tls: ERROR: (TLS) Alert write:fatal:internal error (10) eap_tls: ERROR: (TLS) Server : Error in error (10) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (10) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (10) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (10) eap_tls: ERROR: [eaptls process] = fail (10) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (10) eap: Sending EAP Failure (code 4) ID 26 length 4 (10) eap: Failed in EAP select (10) [eap] = invalid (10) } # authenticate = invalid (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject [...]