EAP-TLS with Windows CA and CRL for Wireless Auth
Hi List, I've successfully setup the following scenario: - Windows CA (Root-CA and Sub-CA) - Cisco WLAN Controller + APs - Windows 7 Domain Clients (+ Computer Certificates) - EAP-TLS Auth with certificates I created a small script to fetch the CRL from the CA and have it converted to PEM format: -- snip -- #!/bin/bash ID=$$ wget http://ca.host.name/CA.crl -O /tmp/CA.$ID.crl -q if [ $? -eq 0 ] then openssl crl -in /tmp/CA.$ID.crl -inform DER -out /etc/raddb/certs/crl.pem -outform PEM rm /tmp/CA.$ID.crl c_rehash /etc/raddb/certs/ > /dev/null fi -- snip -- c_reheash seems to work since I have the Symlinks in /etc/raddb/certs/. The relevant parameters in eap.conf are set: check_crl = yes CA_path = ${certdir}/ However, as long as check_crl is set to 'yes', the following happens when a client tries to connect: Tue Mar 8 13:09:48 2011 : Info: Found Auth-Type = EAP Tue Mar 8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default Tue Mar 8 13:09:48 2011 : Info: +- entering group authenticate {...} Tue Mar 8 13:09:48 2011 : Info: [eap] Request found, released from the list Tue Mar 8 13:09:48 2011 : Info: [eap] EAP/tls Tue Mar 8 13:09:48 2011 : Info: [eap] processing type tls Tue Mar 8 13:09:48 2011 : Info: [tls] Authenticate Tue Mar 8 13:09:48 2011 : Info: [tls] processing EAP-TLS Tue Mar 8 13:09:48 2011 : Info: [tls] eaptls_verify returned 7 Tue Mar 8 13:09:48 2011 : Info: [tls] Done initial handshake Tue Mar 8 13:09:48 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0a35], Certificate Tue Mar 8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension Tue Mar 8 13:09:48 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown Tue Mar 8 13:09:48 2011 : Error: TLS Alert write:fatal:certificate unknown Tue Mar 8 13:09:48 2011 : Error: TLS_accept: error in SSLv3 read client certificate B Tue Mar 8 13:09:48 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Tue Mar 8 13:09:48 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails. Tue Mar 8 13:09:48 2011 : Debug: TLS receive handshake failed during operation Tue Mar 8 13:09:48 2011 : Info: [tls] eaptls_process returned 4 Tue Mar 8 13:09:48 2011 : Info: [eap] Handler failed in EAP/tls Tue Mar 8 13:09:48 2011 : Info: [eap] Failed in EAP select Tue Mar 8 13:09:48 2011 : Info: ++[eap] returns invalid Tue Mar 8 13:09:48 2011 : Info: Failed to authenticate the user. Tue Mar 8 13:09:48 2011 : Auth: Login incorrect (unhandled critical CRL extension): [host/CLIENT123.domain/<via Auth-Type = EAP>] (from client WLAN-TEST port 1 cli 00-24-d7-8a-53-cc) Tue Mar 8 13:09:48 2011 : Info: Using Post-Auth-Type Reject Tue Mar 8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default Tue Mar 8 13:09:48 2011 : Info: +- entering group REJECT {...} Tue Mar 8 13:09:48 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> host/CLIENT123.domain Tue Mar 8 13:09:48 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Mar 8 13:09:48 2011 : Info: ++[attr_filter.access_reject] returns updated Tue Mar 8 13:09:48 2011 : Info: Delaying reject of request 15 for 1 seconds Tue Mar 8 13:09:48 2011 : Debug: Going to the next request Tue Mar 8 13:09:48 2011 : Debug: Waking up in 0.9 seconds. Tue Mar 8 13:09:49 2011 : Info: Sending delayed reject for request 15 Sending Access-Reject of id 228 to 10.70.11.15 port 32768 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 When I disable CRL checks, everything works fine again. Does anybody have any experience with implementing Windows based CRLs in Freeradius? Radius Version is: radiusd: FreeRADIUS Version 2.1.10, for host i686-suse-linux-gnu, built on Mar 5 2011 at 17:06:42 running on SLES 11 (compiled from source as RPM package) Any kind of advice would be appreciated! -- Mit freundlichen Grüßen/With Kind Regards Rudolph Bott
On 08/03/11 13:01, Rudolph Bott wrote:
Tue Mar 8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension
This comes out of OpenSSL. OpenSSL can't parse your CRL. You may need a newer version of OpenSSL; what does: openssl crl -text -noout -in <thefile.pem> -inform pem ...say?
Hi Phil, openssl is able to read the crl, output als follows (I changed the URL/LDAP information): Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: /DC=tld/DC=domain/CN=test Last Update: Mar 5 14:08:35 2011 GMT Next Update: Mar 13 02:28:35 2011 GMT CRL extensions: X509v3 Authority Key Identifier: keyid:37:F6:0A:2D:71:71:DF:5B:F5:DB:90:FF:E4:4B:82:78:89:CB:E4:70 1.3.6.1.4.1.311.21.1: ... X509v3 CRL Number: 20 1.3.6.1.4.1.311.21.4: 110312141835Z . 2.5.29.46: 0..0...........ldap:///blah,blah,blah 1.3.6.1.4.1.311.21.14: 0..0...........ldap:///blah,blah,blah X509v3 Issuing Distrubution Point: critical 0-.+.).'http://domain.test/CA.crl Revoked Certificates: Serial Number: 3459AE3300000000001D Revocation Date: Mar 5 14:18:00 2011 GMT Serial Number: 33C46D66000000000014 Revocation Date: Mar 5 13:57:00 2011 GMT Serial Number: 131C3587000000000008 Revocation Date: Feb 16 07:24:00 2011 GMT Serial Number: 130CDC92000000000006 Revocation Date: Feb 16 07:24:00 2011 GMT Signature Algorithm: sha256WithRSAEncryption 5f:b6:ab:6e:30:cd:47:c2:97:e5:e9:3b:bc:c9:8e:76:22:74: ee:95:c5:1e:54:ed:a6:67:c7:a5:e1:90:d5... At least this seems to work... I forgot one thing: I think it *worked* during my first try. The error started when I downloaded the CRL for a second (third, fourth....) time. Am 08.03.2011 14:06, schrieb Phil Mayers:
On 08/03/11 13:01, Rudolph Bott wrote:
Tue Mar 8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension
This comes out of OpenSSL. OpenSSL can't parse your CRL.
You may need a newer version of OpenSSL; what does:
openssl crl -text -noout -in <thefile.pem> -inform pem
...say? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mit freundlichen Grüßen/With Kind Regards Rudolph Bott
participants (2)
-
Phil Mayers -
Rudolph Bott