Re: blockage in my Freeradius configuration [First SOLVED]self signed certificate in certificate chain [NOK]
I change rule and this is solved My file users _______________________________________ DEFAULT Huntgroup-Name == "cisco" Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15", Fall-Through = Yes DEFAULT Group == "Central" DEFAULT Group == "DEP25", Client-Shortname == "25" DEFAULT Group == "DEP29", Client-Shortname == "29" DEFAULT Group == "DEP57", Client-Shortname == "57" DEFAULT Auth-Type := Reject ______________________________________ For my second problem ,It isn't resolve. debug : Error: TLS Alert read:fatal:unknown CA Sun Feb 2 22:03:14 2014 : Error: TLS_accept: failed in SSLv3 read client certificate A Sun Feb 2 22:03:14 2014 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca Sun Feb 2 22:03:14 2014 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. and trace user: ./eapol_test -c eapol-config -a xen-squeeze-freeradius -p 1812 -s testing123 -r1 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=4 method=21 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=509) - Flags 0x80 SSL: TLS Message Length: 2527 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server hello A TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=xen-squeeze-freeradius' CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin@example.com/CN=xen-squeeze-freeradius' err='self signed certificate in certificate chain' SSL: (where=0x4008 ret=0x230) SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server certificate B OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed SSL: 7 bytes pending from ssl_out SSL: Failed - tls_out available to report error SSL: 7 bytes left to be sent out (of total 7 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE My ca.cnf ... [ req ] prompt = no distinguished_name = certificate_authority default_bits = 2048 input_password = whatever output_password = whatever x509_extensions = v3_ca [certificate_authority] countryName = FR stateOrProvinceName = Radius localityName = Somewhere organizationName = Example Inc. emailAddress = admin@example.com commonName = "xen-squeeze-freeradius" [v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true ... My server.cnf ... [ req ] prompt = no distinguished_name = server default_bits = 2048 input_password = whatever output_password = whatever [server] countryName = FR stateOrProvinceName = Radius localityName = Somewhere organizationName = Example Inc. emailAddress = admin@example.com commonName = "xen-squeeze-freeradius" err='self signed certificate in certificate chain' I followed the guide http://deployingradius.com/documents/configuration/certificates.html but Freeradius error is "self-signed certificate." How to remove this error? thank you!!!! 2014-01-31 Alan DeKok <aland@deployingradius.com>:
Yves Deuscher wrote:
For DEP commissioned the first connection goes well
Thu Jan 30 23:48:28 2014 : Info: ++[eap] returns noop Thu Jan 30 23:48:28 2014 : Info: ++[unix] returns updated Thu Jan 30 23:48:28 2014 : Info: [files] expand: %{Client-Shortname} -> DEP25 Thu Jan 30 23:48:28 2014 : Info: [files] users: Matched entry DEFAULT at line 208 Thu Jan 30 23:48:28 2014 : Info: ++[files] returns ok
You'll have to look at the rest of the debug log to see what's going on.
If the packets are being processed differently, it's because the packets are different. You'll have to look at the packets to see what's different. Then, re-write the rules to match both packets.
I miss something for the dynamic substitution takes place at each connection or I can not be the problem taken in the right direction have?
Each packet is completely independent. FreeRADIUS doesn't change it's behavior from one packet to the next.
More I try to configure a secure WPA / TTLS working with all key calculated installing Freeradius. by cons with mine I have a CA_unknown error do you have a clue?
Follow the EAP guide on http://deployingradius.com/ . It *will* work.
If you have unknown CA errors, it's because the certificate configuration is wrong. Follow the guide.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What does your eapolconfig look like? Are you actually telling it correctly what CA to expect and the CN of the RADIUS server? alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (2)
-
Alan Buxey -
Yves Deuscher