EAP-TLS and client certs issued with different CA's
Hello list, I am successfully using Freeradius in our Wifi environment using EAP-TLS in single-CA environment - i.e same CA was used to sign both server and clients SSL certificates. Now I have started to use new certificate PKI with new CA hierarchy - RootCA -> SubCA -> Wifi certificates, but I wanted to keep existing legacy CA in place. This means: - that I wanted to use client certificates issued by two different CA's for EAP-TLS authentication - and as I mentioned before, the new CA is a subCA of new rootCA. - and server certificate is signed still using legacy CA I looked over older posts and it looks that this scenario is supported by freeradius and can be achieved in two ways: - using CA_file (within tls section in eap.conf) pointing to file bundling all CA related certificates (i.e. legacy CA, new SubCA and RootCA), or - using CA_path pointing to directory with separate CA *.pem files (and running "c_rehash" over that directory). both subCA and rootCA in single pem file (but I tried to separate it as well) The problem is, that everytime I wanted to authenticate with client using certificate signed by subCA, I always get: [campuswifi] Request found, released from the list [campuswifi] EAP/tls [campuswifi] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 03d6], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [campuswifi] Handler failed in EAP/tls [campuswifi] Failed in EAP select Questions: - what I am doing wrong? Miss I anything in order to get working EAP-TLS authentication over both legacy CA and new CA? recall: please note that new CA is not self signed, but signed by another rootCA authority (created also by me). thanks for any help -- Ing. Michal Bruncko, PhD., CCNP, RHCSA
hello again forgot to mention freeradius version - 2.1.12 (on centos 6) thanks again michal 2014-09-13 16:17 odosielateľ napísal:
Hello list,
I am successfully using Freeradius in our Wifi environment using EAP-TLS in single-CA environment - i.e same CA was used to sign both server and clients SSL certificates. Now I have started to use new certificate PKI with new CA hierarchy - RootCA -> SubCA -> Wifi certificates, but I wanted to keep existing legacy CA in place. This means: - that I wanted to use client certificates issued by two different CA's for EAP-TLS authentication - and as I mentioned before, the new CA is a subCA of new rootCA. - and server certificate is signed still using legacy CA
I looked over older posts and it looks that this scenario is supported by freeradius and can be achieved in two ways: - using CA_file (within tls section in eap.conf) pointing to file bundling all CA related certificates (i.e. legacy CA, new SubCA and RootCA), or - using CA_path pointing to directory with separate CA *.pem files (and running "c_rehash" over that directory). both subCA and rootCA in single pem file (but I tried to separate it as well)
The problem is, that everytime I wanted to authenticate with client using certificate signed by subCA, I always get:
[campuswifi] Request found, released from the list [campuswifi] EAP/tls [campuswifi] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 03d6], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [campuswifi] Handler failed in EAP/tls [campuswifi] Failed in EAP select
Questions: - what I am doing wrong? Miss I anything in order to get working EAP-TLS authentication over both legacy CA and new CA?
recall: please note that new CA is not self signed, but signed by another rootCA authority (created also by me).
thanks for any help
Bruncko Michal wrote:
I am successfully using Freeradius in our Wifi environment using EAP-TLS in single-CA environment - i.e same CA was used to sign both server and clients SSL certificates. Now I have started to use new certificate PKI with new CA hierarchy - RootCA -> SubCA -> Wifi certificates, but I wanted to keep existing legacy CA in place. This means: - that I wanted to use client certificates issued by two different CA's for EAP-TLS authentication - and as I mentioned before, the new CA is a subCA of new rootCA. - and server certificate is signed still using legacy CA
You will need to configure two different "eap" modules. One for the first CA, and the another for the second CA. Then in the "authorize" section, look at the User-Name. For one set of users, run the "eap_ca1" module. For another set of users, run the "eap_ca2" module. You will need to list "eap_ca1" and "eap_ca2" in the "authenticate" section, too.
Questions: - what I am doing wrong? Miss I anything in order to get working EAP-TLS authentication over both legacy CA and new CA?
The EAP module handles only one CA. If you need two CAs, you need two EAP modules. Alan DeKok.
Thanks Alan for very clear responses. 2014-09-13 17:58 odosielateľ napísal:
Bruncko Michal wrote:
I am successfully using Freeradius in our Wifi environment using EAP-TLS in single-CA environment - i.e same CA was used to sign both server and clients SSL certificates. Now I have started to use new certificate PKI with new CA hierarchy - RootCA -> SubCA -> Wifi certificates, but I wanted to keep existing legacy CA in place. This means: - that I wanted to use client certificates issued by two different CA's for EAP-TLS authentication - and as I mentioned before, the new CA is a subCA of new rootCA. - and server certificate is signed still using legacy CA
You will need to configure two different "eap" modules. One for the first CA, and the another for the second CA.
Then in the "authorize" section, look at the User-Name. For one set of users, run the "eap_ca1" module. For another set of users, run the "eap_ca2" module.
You will need to list "eap_ca1" and "eap_ca2" in the "authenticate" section, too.
Questions: - what I am doing wrong? Miss I anything in order to get working EAP-TLS authentication over both legacy CA and new CA?
The EAP module handles only one CA. If you need two CAs, you need two EAP modules.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Bruncko Michal