Cisco IP Phone 802.1x EAP-TLS troubles
Hello, I'm running freeRADIUS v3.0.8. My first goal is just to get all our Cisco phones authorized. I want freeRADIUS to accept all phones based on the certificate presented by the supplicant. The phones should present Cisco's manufacturer-installed-certificate, and Cisco provides the CA certs for download, which I have done. I put the Cisco CA certs into /etc/freeradius/certs, changed eap config to use ca_path instead of ca_file, but I still get this: ------------------------- (4) eap: Peer s0ent method TLS (13) (4) eap: EAP TLS (13) (4) eap: Calling eap_tls to process EAP data (4) eap_tls: Authenticate (4) eap_tls: processing EAP-TLS (4) eap_tls: TLS Length 1235 (4) eap_tls: Length Included (4) eap_tls: eaptls_verify returned 11 (4) eap_tls: <<< Unknown TLS version [length 0005] (4) eap_tls: <<< TLS 1.2 [length 0343] (4) eap_tls: TLS Verify creating certificate attributes (4) eap_tls: TLS-Client-Cert-Serial := '06' (4) eap_tls: TLS-Client-Cert-Expiration := '211008171647Z' (4) eap_tls: TLS-Client-Cert-Subject := '/serialNumber=PID:CP-8841 SN:FCH20098MSK/C=US/O=Texana Center/OU=Building E/CN=CP-8841-SEP00CCFC4A9AD3' (4) eap_tls: TLS-Client-Cert-Issuer := '/C=US/O=Texana Center/OU=Building E/CN=CAPF-38b5f828/ST=Texas/L=4910 Airport Ave.' (4) eap_tls: TLS-Client-Cert-Common-Name := 'CP-8841-SEP00CCFC4A9AD3' (4) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate (4) eap_tls: >>> Unknown TLS version [length 0005] (4) eap_tls: >>> TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA tls: TLS_accept: Error in error (4) eap_tls: ERROR: SSL says: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation (4) eap_tls: eaptls_process returned 4 (4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject -------------------------------- I'm a total noob at PKI and I can't figure out what I'm doing wrong. Is this even possible to do? -Ryan
On Oct 10, 2016, at 12:30 PM, Ryan <directionless@gmail.com> wrote:
I'm running freeRADIUS v3.0.8. My first goal is just to get all our Cisco phones authorized. I want freeRADIUS to accept all phones based on the certificate presented by the supplicant. The phones should present Cisco's manufacturer-installed-certificate, and Cisco provides the CA certs for download, which I have done. I put the Cisco CA certs into /etc/freeradius/certs, changed eap config to use ca_path instead of ca_file, but I still get this: ... (4) eap_tls: >>> TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA tls: TLS_accept: Error in error
That's the phone saying it doesn't know about the CA.
I'm a total noob at PKI and I can't figure out what I'm doing wrong. Is this even possible to do?
The server also has to present a certificate to the phone. And the servers certificate has to be signed by a CA. If Cisco isn't going to sign the server cert (and they won't), then you'll need to get your CA onto the phone somehow. Alan DeKok.
On Monday 10 October 2016, Ryan <directionless@gmail.com> wrote:
Hello, I'm running freeRADIUS v3.0.8. My first goal is just to get all our Cisco phones authorized. I want freeRADIUS to accept all phones based on the certificate presented by the supplicant. The phones should present Cisco's manufacturer-installed-certificate, and Cisco provides the CA certs for download, which I have done. I put the Cisco CA certs into /etc/freeradius/certs, changed eap config to use ca_path instead of ca_file, but I still get this:
-------------------------
(4) eap: Peer s0ent method TLS (13) (4) eap: EAP TLS (13) (4) eap: Calling eap_tls to process EAP data (4) eap_tls: Authenticate (4) eap_tls: processing EAP-TLS (4) eap_tls: TLS Length 1235 (4) eap_tls: Length Included (4) eap_tls: eaptls_verify returned 11 (4) eap_tls: <<< Unknown TLS version [length 0005] (4) eap_tls: <<< TLS 1.2 [length 0343] (4) eap_tls: TLS Verify creating certificate attributes (4) eap_tls: TLS-Client-Cert-Serial := '06' (4) eap_tls: TLS-Client-Cert-Expiration := '211008171647Z' (4) eap_tls: TLS-Client-Cert-Subject := '/serialNumber=PID:CP-8841 SN:FCH20098MSK/C=US/O=Texana Center/OU=Building E/CN=CP-8841-SEP00CCFC4A9AD3' (4) eap_tls: TLS-Client-Cert-Issuer := '/C=US/O=Texana Center/OU=Building E/CN=CAPF-38b5f828/ST=Texas/L=4910 Airport Ave.' (4) eap_tls: TLS-Client-Cert-Common-Name := 'CP-8841-SEP00CCFC4A9AD3' (4) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
Have you given root certificate of the client certificate issuer in tls-common maybe? Also check if there are any intermeddiate ca who signs client certificates
(4) eap_tls: >>> Unknown TLS version [length 0005] (4) eap_tls: >>> TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA tls: TLS_accept: Error in error (4) eap_tls: ERROR: SSL says: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation (4) eap_tls: eaptls_process returned 4 (4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject
--------------------------------
I'm a total noob at PKI and I can't figure out what I'm doing wrong. Is this even possible to do? -Ryan - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in
participants (3)
-
Alan DeKok -
Anirudh Malhotra -
Ryan