[EAP-TLS Windows 7] Problem with chain certificate on the client side
Hi all, My PKI infrastructure is hierarchical, meaning that client certificate path looks like below: ROOT_CA->Sub1_CA->Sub2_CA->Client_Cert Client_Cert & Sub2_CA purposes are set correctly. After I import client certificate (client.p12) into the Windows Cert Store the following events occur: -Root CA cert is imported into the Trusted Root CAs, -every sub CA cert (Sub1 CA & Sub2 CA) is imported into the Intermediate CAs, -user's cert is imported into Personal Certificates, I can't connect.... As soon as I delete Sub2 CA (that is, the CA certificate of the certificate authority which issued client's certificate) I am able to connect successfully. I suspect that Windows 7 supplicant sends entire chain of client certificate to FreeRadius server what makes it confused. I suppose that FreeRadius cannot verify Sub2_CA certificate received from the client because its purpose is not "Client Auth". As a result FreeRadius outputs the following message: *--> verify error:num=26:unsupported certificate purpose [tls] >>> TLS 1.0 Alert [length 0002], fatal unsupported_certificate TLS Alert write:fatal:unsupported certificate TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation* Below you can find two debug outputs. First one represents situation when Sub2 CA is present in the Intermediate CAs Store and another one shows the case when Sub2 CA was deleted. Additionally, CA_file in the eap.conf is set to ${cadir}/Sub2_CA_*entire_chain*.pem When I try to connect from linux machine everything works great (wpa supplicant doesn't send entire client's certificate chain toward radius server, it sends only client cert - the last cert from the chain). The problem arised while connecting from Windows 7 machine. Is there any way to configure FreeRadius server to explicitly accept intermediate CAs received from the client supplicant? Appreciate any hints. Gabriel ############################################### ################## FAILD ###################### ################## FAILD ###################### ############################################### rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=182, length=193 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 182 to 172.16.16.1 port 32770 EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=183, length=298 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 105 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 95 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 005a], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0578], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00f9], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 183 to 172.16.16.1 port 32770 EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=184, length=199 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 184 to 172.16.16.1 port 32770 EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=185, length=1695 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 5695 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 185 to 172.16.16.1 port 32770 EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=186, length=1695 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] More fragments to follow [tls] eaptls_verify returned 10 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 186 to 172.16.16.1 port 32770 EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=187, length=1695 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] More fragments to follow [tls] eaptls_verify returned 10 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 187 to 172.16.16.1 port 32770 EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=188, length=1448 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 13f3], Certificate --> verify error:num=26:unsupported certificate purpose [tls] >>> TLS 1.0 Alert [length 0002], fatal unsupported_certificate TLS Alert write:fatal:unsupported certificate TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 2762_hd.test6 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 188 to 172.16.16.1 port 32770 EAP-Message = 0xFF Message-Authenticator = 0xFF Waking up in 3.9 seconds. Cleaning up request 0 ID 182 with timestamp +23 Cleaning up request 1 ID 183 with timestamp +23 Cleaning up request 2 ID 184 with timestamp +23 Cleaning up request 3 ID 185 with timestamp +23 Cleaning up request 4 ID 186 with timestamp +23 Cleaning up request 5 ID 187 with timestamp +23 Waking up in 1.0 seconds. Cleaning up request 6 ID 188 with timestamp +23 Ready to process requests. ############################################### ################## ACCEPT ###################### ################## ACCEPT ###################### ############################################### rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=189, length=193 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 189 to 172.16.16.1 port 32770 EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=190, length=298 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 105 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 95 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 005a], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0578], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00f9], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 190 to 172.16.16.1 port 32770 EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=191, length=199 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 191 to 172.16.16.1 port 32770 EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=192, length=1695 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2193 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 192 to 172.16.16.1 port 32770 EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=193, length=914 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF EAP-Message = 0xFF EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 0645], Certificate [tls] chain-depth=3, [tls] error=0 [tls] --> User-Name = 2762_hd.test6 [tls] --> BUF-Name = SNAKE OIL ROOT CA [tls] --> subject = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate Services/O=Snake Oil Company/C=PL [tls] --> issuer = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate Services/O=Snake Oil Company/C=PL [tls] --> verify return:1 [tls] chain-depth=2, [tls] error=0 [tls] --> User-Name = 2762_hd.test6 [tls] --> BUF-Name = SNAKE OIL CA [tls] --> subject = /CN=SNAKE OIL CA/O=Snake Oil Company 2/C=PL [tls] --> issuer = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate Services/O=Snake Oil Company/C=PL [tls] --> verify return:1 [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = 2762_hd.test6 [tls] --> BUF-Name = SNAKE OIL WIFI CA [tls] --> subject = /CN=SNAKE OIL WIFI CA/O=Snake Oil Company 2/C=PL [tls] --> issuer = /CN=SNAKE OIL CA/O=Snake Oil Company 2/C=PL [tls] --> verify return:1 [tls] Verifying client certificate: /etc/freeradius/geppetto.sh %{TLS-Client-Cert-Filename} %{Called-Station-Id} [tls] expand: %{TLS-Client-Cert-Filename} -> /tmp/radiusd/freeradius.client.XXnI1oCe [tls] expand: %{Called-Station-Id} -> XX-XX-XX-XX-XX-XX:SSID + GREP=/bin/grep + LDAP=/usr/bin/ldapsearch + OPENSSL=/usr/bin/openssl + cp /tmp/radiusd/freeradius.client.XXnI1oCe /tmp/ + exit 0 Exec-Program output: Exec-Program: returned: 0 [tls] Client certificate CN 2762_hd.test6 passed external validation [tls] chain-depth=0, [tls] error=0 [tls] --> User-Name = 2762_hd.test6 [tls] --> BUF-Name = 2762_hd.test6 [tls] --> subject = /emailAddress=2762_hd.test6@snakeoil.com/CN=2762_hd.test6/GN=HD/SN=Test6/OU=Operations/OU=HelpDesk/O=Snake Oil Company [tls] --> issuer = /CN=SNAKE OIL WIFI CA/O=Snake Oil Company 2/C=PL [tls] --> verify return:1 [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully SSL Connection Established [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 193 to 172.16.16.1 port 32770 EAP-Message = 0xFF Message-Authenticator = 0xFF State = 0xFF Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=194, length=199 User-Name = "2762_hd.test6" Calling-Station-Id = "AA-AA-AA-AA-AA-AA" Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID" NAS-Port = 1 NAS-IP-Address = 172.16.16.1 NAS-Identifier = "wlc.intra" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0xFF State = 0xFF Message-Authenticator = 0xFF # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake is finished [tls] eaptls_verify returned 3 [tls] eaptls_process returned 3 [tls] Adding user data to cached session [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 194 to 172.16.16.1 port 32770 MS-MPPE-Recv-Key = 0xFF MS-MPPE-Send-Key = 0xFF EAP-Message = 0xFF Message-Authenticator = 0xFF User-Name = "2762_hd.test6" Finished request 5. Going to the next request Waking up in 4.9 seconds. -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain... Sent from the FreeRadius - User mailing list archive at Nabble.com.
As soon as I delete Sub2 CA (that is, the CA certificate of the certificate authority which issued client's certificate) I am able to connect successfully.
Does FR know this Sub2 CA? i.e: is CA certificate chain file referenced in eap.conf? If not, try to concatenate certificate authority files into a file. # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/{certificate authority chain file}
As I mentioned before CA_file in the eap.conf is set to ${cadir}/Sub2_CA_*entire_chain*.pem Is there any difference between concatenated CA file and certificate chain? Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Well, yes, there is. What I meant to say is, you need to set CA to a file which has all the certificates of the chain: ROOT_CA, Sub1_CA and Sub2_CA. When speaking to certificate files, I call the concatenated one "certificate chain file", but it's another concept: http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.i... 2012/4/25 jinx_20 <gabriel_skupien@o2.pl>
As I mentioned before CA_file in the eap.conf is set to ${cadir}/Sub2_CA_*entire_chain*.pem
Is there any difference between concatenated CA file and certificate chain?
Gabriel
-- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok, to be sure that we understand each other... My Sub2_CA_entire_chain.pem looks like this: -----BEGIN CERTIFICATE----- XXXXXXXXXXXXXXXXXXXXXXXXXX -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- YYYYYYYYYYYYYYYYYYYYYYYYYYYYY -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ZZZZZZZZZZZZZZZZZZZZZZZZZZ -----END CERTIFICATE----- where XXXXXXXXXXXXXXXXXXXXXX is Root_CA certificate, YYYYYYYYYYYYYYYYYYYYYYYYYYYYY is Sub1_CA certificate and ZZZZZZZZZZZZZZZZZZZZZZZZZZ is Sub2_CA certificate. For me this a certificate chain which in that special case equals concatenated file. Am I correct? Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain... Sent from the FreeRadius - User mailing list archive at Nabble.com.
2012/4/25 jinx_20 <gabriel_skupien@o2.pl>
Ok, to be sure that we understand each other...
My Sub2_CA_entire_chain.pem looks like this:
-----BEGIN CERTIFICATE----- XXXXXXXXXXXXXXXXXXXXXXXXXX -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- YYYYYYYYYYYYYYYYYYYYYYYYYYYYY -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ZZZZZZZZZZZZZZZZZZZZZZZZZZ -----END CERTIFICATE-----
where XXXXXXXXXXXXXXXXXXXXXX is Root_CA certificate, YYYYYYYYYYYYYYYYYYYYYYYYYYYYY is Sub1_CA certificate and ZZZZZZZZZZZZZZZZZZZZZZZZZZ is Sub2_CA certificate.
For me this a certificate chain which in that special case equals concatenated file. Am I correct?
Yes, so the problem must be in how were generated those certs, and that is not a FR-related issue.
On 25/04/12 10:39, jinx_20 wrote:
Is there any way to configure FreeRadius server to explicitly accept intermediate CAs received from the client supplicant?
No, it should not be needed and should work; but there might be a logic error in the various SSL verify options or callbacks; OpenSSL is hugely tedious in this regard. Can you supply the CA chain and one client cert (no key required)? Which version of FreeRADIUS and OpenSSL?
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 2 2012 at 15:38:19 OpenSSL 0.9.8o 01 Jun 2010 I wouldn't like to share our private production certificates but if you really need it to help us I will set up a mirror testing PKI environment and send you all required certificates. Regards, Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 25/04/12 12:42, jinx_20 wrote:
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 2 2012 at 15:38:19 OpenSSL 0.9.8o 01 Jun 2010
I wouldn't like to share our private production certificates but if you really need it to help us I will set up a mirror testing PKI environment and send you all required certificates.
Well, if you want *me* to look at it, I would need the certs, or instructions to generate a PRECISELY equivalent set. Others might be able to spot the problem without that, but I'm not even going to try with a test datasource ;o)
Attached you can find Sub2_CA chain and end user certificate issued by Sub2 CA. jinx ##################################################### End user certificate: ##################################################### Bag Attributes localKeyID: B8 D0 2D C0 14 F7 6B 88 15 8A 9E FA C4 F8 4E A5 BE CA D1 46 friendlyName: __tmp_enduser subject=/emailAddress=__tmp_enduser@company.com/CN=__tmp_enduser/GN=Tmp/SN=Enduser/OU=Organizational Unit/O=Company issuer=/CN=TMP WIFI CA/O=Company/C=US -----BEGIN CERTIFICATE----- MIIFXDCCA0SgAwIBAgIIOe110e6EbFEwDQYJKoZIhvcNAQENBQAwNTEUMBIGA1UE AwwLVE1QIFdJRkkgQ0ExEDAOBgNVBAoMB0NvbXBhbnkxCzAJBgNVBAYTAlVTMB4X DTEyMDQyNzA2MjkwNloXDTEzMDQyNzA2MjkwNlowgZIxKDAmBgkqhkiG9w0BCQEW GV9fdG1wX2VuZHVzZXJAY29tcGFueS5jb20xFjAUBgNVBAMMDV9fdG1wX2VuZHVz ZXIxDDAKBgNVBCoMA1RtcDEQMA4GA1UEBAwHRW5kdXNlcjEcMBoGA1UECwwTT3Jn YW5pemF0aW9uYWwgVW5pdDEQMA4GA1UECgwHQ29tcGFueTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMqo3prU535P7sipcOEdHlo2piQ/VQ4dumbxHIm2 CdDSqQ+fH8khvAhbZHhqIOm4WnZxkwT8gDzNXKtV2D0N2SnELM/yQbF03kIThC/u mMpodQJG4vkksPpRRFTf1DpBLUY74CF4ZGu8w2l4Ow73vu+oHc7LZtN96BzJJlbJ So/BeVw42S4ONi1iQZxRomNnSDxaG0Seb6IxzzW8oJoDo1EGhOpONTU7XuEXVdjf FZVYD+4bYmPpwbu7lXyTulG5p4UJu+vE4wC3mGJh4WDNWGnTwBrSnJxc6gsrYPoH hIL1pQtHZ7JMXBUmXnDMElWE98KtqRzjERpaU5yqt4FpBWMCAwEAAaOCARAwggEM MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL2NvbXBhbnkuY29t L29jc3AwHQYDVR0OBBYEFLjQLcAU92uIFYqe+sT4TqW+ytFGMAwGA1UdEwEB/wQC MAAwHwYDVR0jBBgwFoAUwmLj0l9WDjLenL2KYKpiHhYs0eMwYgYDVR0fBFswWTBX oBqgGIYWaHR0cDovL2NvbXBhbnkuY29tL2NybKI5pDcwNTEUMBIGA1UEAwwLVE1Q IFdJRkkgQ0ExEDAOBgNVBAoMB0NvbXBhbnkxCzAJBgNVBAYTAlVTMA4GA1UdDwEB /wQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQ0FAAOCAgEA A0vQxCcKq/xx1ujIvL9rkaSbF5I03mkbQfzBssp8f2RdjtR/KkdVZ1Q6rnGedMMM YKt6ZmICKwhD/rij50SGA3bu8or5KL49sk4lXxX7pGhy2kFkmmCDFgiBlQA8RQx7 SjlbHJU82dHWQaw/w6/7AKJDUeCbxGcZ2G+Y1bgHAwuWl8N2Bp28ftfRNuCmv5zC sjkgHbn7gkm2/tHn/ZORNYeueNB6kucULYTtdZTLITouxq5QM9PkXXcFC9VCmb8U Wz6PIXUuoY/339cTOBqSEveI+ZH/2mmYKGL+evQVj1gCez9pvWQp50BMTbXbMJ53 OxFqHM9+HAhOKGmaCpw7jG7dXe51BVw1gohMgCUFk7zLSzGV4bomeo5hUgM+CbcQ WioGgSpWuOOG+4X7K2KeF+lFF8nuxRglNTDto+hrhfc1Vk3201JcVZOjTBhSHu1l UPY2O99JVuYVUs9LEZVxyOr9U9c6TVvlmaUiXKbizD6ubxneylSWf8LRIUHCk/j0 1xrKPUWWu+VYiuwDt7RlCg8vdCWgGA9yaVAwgYergHumE19RtbOmpcFYfQ9n4QRA oQBIrTs6+242o78qesnBFCQYTGzxJ9eJfFcp02W8SQV1Ca5Z6TbLhusPDJ9Q0AJR AIQtHUawbXySwLl5BwNSW2dCe1JIMFBTbYupOX+22FM= -----END CERTIFICATE----- ##################################################### CA chain certificate: ##################################################### Bag Attributes friendlyName: TMP ROOT CA subject=/CN=TMP ROOT CA/OU=Digital Certificate Services/O=Company/C=US issuer=/CN=TMP ROOT CA/OU=Digital Certificate Services/O=Company/C=US -----BEGIN CERTIFICATE----- MIIGVTCCBD2gAwIBAgIIOMKWJUyAUA4wDQYJKoZIhvcNAQENBQAwXDEUMBIGA1UE AwwLVE1QIFJPT1QgQ0ExJTAjBgNVBAsMHERpZ2l0YWwgQ2VydGlmaWNhdGUgU2Vy dmljZXMxEDAOBgNVBAoMB0NvbXBhbnkxCzAJBgNVBAYTAlVTMB4XDTEyMDQyNjEz MzkwM1oXDTMyMDQyNjEzMzkwM1owXDEUMBIGA1UEAwwLVE1QIFJPT1QgQ0ExJTAj BgNVBAsMHERpZ2l0YWwgQ2VydGlmaWNhdGUgU2VydmljZXMxEDAOBgNVBAoMB0Nv bXBhbnkxCzAJBgNVBAYTAlVTMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC AgEAtQJp5jivjoOm4p3zPB9LG/veCBIyZJS9kmReAeYGcwLZaK/V2/BHq5Lj5zan RhbftDMvWSX+U+vxYCd27zNBty0qQDXVnjs01BmS/4hF9bpAUHWYYtHjUi4NpRdE L5tA6A4XA9D7ARMSF7yI+om8W/bKfu6M6rmOBmxex4Jl5COULRpMMTja2cvRXL4Q Vo3jlLT121mbKVl13vH/zTP+/40umBJYG5dz2MyQy6AUntbZvoJs7oW2z+ME19Bv ZpHe+VyTGjQbyPftSGJg22Bn4jx/e+/21avBKT9afl+Y3UjJ+M48KWmJ2kKHviTu 27vqVS6hbQwsRPhYH7kxxnoBqMhll3picX6NKf+tvDJxnR1Hj8QXoM3Oh61Yik0c HGZ84TiLRah6/W6aiWKbqV/5qHv+gxr9F60bV7dm2i28KBMy535zlEZv3MTg1T6G T14wQO5cjsXH9MsPMBgZAt53nEghFk0LPy+Q7lto6Fwaj9DpGtpfSwSPX+z+wUQI xKc3p5qgOWuzevZdbpXfQLmOXeRylgeG2yR3bLnO+1XuxKyNf8lT4hfhQjdahPUX soJSW8ov5vFlDb5IrDag+YsHp9LIlKTUOxtD/GeUDiuhs4XKlGK/IFrr4XZaGn+H oo8ugZOc0WXLSyIs2enlzGktzqZ39Lu7ReklS46DnW1LkssCAwEAAaOCARkwggEV MB0GA1UdDgQWBBRrCK2miYtqqHVXYkSgYdF2zWS/PDAPBgNVHRMBAf8EBTADAQH/ MB8GA1UdIwQYMBaAFGsIraaJi2qodVdiRKBh0XbNZL88MA8GCSsGAQUFBzABBQQC BQAwgYsGA1UdHwSBgzCBgDB+oBqgGIYWaHR0cDovL2NvbXBhbnkuY29tL2NybKJg pF4wXDEUMBIGA1UEAwwLVE1QIFJPT1QgQ0ExJTAjBgNVBAsMHERpZ2l0YWwgQ2Vy dGlmaWNhdGUgU2VydmljZXMxEDAOBgNVBAoMB0NvbXBhbnkxCzAJBgNVBAYTAlVT MA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEFBQcDCTANBgkqhkiG9w0B AQ0FAAOCAgEAr0Uybci49+udiuiHgSnLwh8G6EKraoBkcKCyRJQ7lZcjTAFrfSfG LMrpJyiCkriefMfovpHVigiiZ+N4S9vDtzbaZBkqh0UciHqfTUl7Zf5osJQyHAmK djwKN3OCvoWDkncsaX1UhAdzECTmpIthpjkxAgF6cm4USA5C7jhJzNlli81OA7rC KecH5xlR6RnPscWBxTJdrPRG5p73qxijBTKSa6wY5M0Kk9y5ObycFXQcUbx9Kg/D L6V2JR+4gOxJ3e+LU0K7jY9snTl0SBn4Hx9E01EitMHXGk9ma+Drx7WrRPN5kT21 7/3b+SiBKARtM6DhQSsM28NnzyJQoJzs2X6DwZh3Z12CU+ldydxJeHY5qCFEj2UQ Agw/fkWpIafTJuAiOhMY7OygjboY5Ij3cVvf1arrnn4ALOKm6EdS1x0ocGc9ZzMH ynzFLWesB79uUFGAhJhRb4xQH6KlpYVoIghf3XlxeVC2BmoTs6TrAv4HWe0XM+L3 KHqQBAIxEdDY/MkjrEr3QhAozkSwfJ8GpdYOs/KWRFpxpq7XadBZWzKh1fOkuhL3 WrAG0dNVJZpIyPdgOROMxWAFjGFj7fBakVVBsOJ4A+sq1bTzajKyqPwUjCaBPPsr ERe2+b4o5ml4eJHYIrLajmkyZpTKKMr5sXmutkJFJyLT9trwqag3XMM= -----END CERTIFICATE----- Bag Attributes friendlyName: TMP CA subject=/CN=TMP CA/O=Company/C=US issuer=/CN=TMP ROOT CA/OU=Digital Certificate Services/O=Company/C=US -----BEGIN CERTIFICATE----- MIIGTTCCBDWgAwIBAgIIdABUSL8OvaYwDQYJKoZIhvcNAQENBQAwXDEUMBIGA1UE AwwLVE1QIFJPT1QgQ0ExJTAjBgNVBAsMHERpZ2l0YWwgQ2VydGlmaWNhdGUgU2Vy dmljZXMxEDAOBgNVBAoMB0NvbXBhbnkxCzAJBgNVBAYTAlVTMB4XDTEyMDQyNjEz NDEzOFoXDTIyMDQyNjEzNDEzOFowMDEPMA0GA1UEAwwGVE1QIENBMRAwDgYDVQQK DAdDb21wYW55MQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC AgoCggIBAM6NjvOkhE+OUv/7PHEAnglYspJ08kDRsXs51Idyf2wyQxYeLB6LxIGy rTqerXsSuZ4iwEyv6TeFixVtj5AnKWl6SvppWYFOKGHXeuS67n8W1WDoEKgcLIwR 0m8qmQDk5XrBBmi3aWsrA0CHEjfkGSZ4nyspY3fdkmq6AmjC8N+n14M+l9Ec8KK5 DOiWTxikU8W89gva0Ku7juU615lUp8nr4YctZGXvkiDGGHGlkhsElJ3xjL4OTcuJ /mDi4Uelcw7AeoIP7uGfppN1dbKEc28XFTYWsuO935rEXuhQjAK02rcfava15OXw UMWIj0HiwT/AcnUJg4VZ6rgGILQDCQJkrY8yzkkPWeyEJtPHOryrsPr2pve/r6AT OF6KvPr6NFCdRTqNXJ/UpVGoJqt685WDuVPi4HwSztTlg2zvNtwobaJmONTvCdaM 8LJZ9OIwl3DzprnGnfLYGf/Mtp3iXl8hIcqKzomwl3lop2NKyHUCR05lsW98fNmY uf6aiNG06bKqvdmpPYkufm6Pm1rEYgPbNXFhAB3+Mv67Yb1t/nr2FJJ85qPUL4e8 HUn2oC9BO+cZEICeJj0L0srz99KSBuyChs9ZX2laEZkyQPx985ttAlZgVtvD7vIj smCekTzQTLVUHvR6BgrwWpvmAa/ei085Rb+UT76McmBuqE5sW9NxAgMBAAGjggE9 MIIBOTAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9jb21wYW55 LmNvbS9vY3NwMB0GA1UdDgQWBBQnYVVxRGIavKCnicfNonJHXqZcizAPBgNVHRMB Af8EBTADAQH/MB8GA1UdIwQYMBaAFGsIraaJi2qodVdiRKBh0XbNZL88MIGLBgNV HR8EgYMwgYAwfqAaoBiGFmh0dHA6Ly9jb21wYW55LmNvbS9jcmyiYKReMFwxFDAS BgNVBAMMC1RNUCBST09UIENBMSUwIwYDVQQLDBxEaWdpdGFsIENlcnRpZmljYXRl IFNlcnZpY2VzMRAwDgYDVQQKDAdDb21wYW55MQswCQYDVQQGEwJVUzAOBgNVHQ8B Af8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQENBQADggIB AIYeiVM+naEuI+RIy5uG/jKo9meyWiBpuuhlGPTAUSJfVP2QXcRR3qZpVng4Mrls y2y8xWs+brdqmj+lhE52n4eceYVARXBBqgN7j7laJVByUoYfepyUUBSJJgeQCVZn goqSvNnYbpzN637CUfVmDdLEUgqAuwOFEqmI16E7DjxO2e9RKBhltKviglCHrbux dLzm+nlRkSJMsdCNk5tv48M3AqWkTFMQLpZmejMAb2RjXYwwKLVEgN7fbb8HB51X cqRiY8M+rxNfxOQjRIxVFsDKGMsRZCAAXxPHd9/Ubsllml0qux1RNHcJps/0Qje/ hasbIMvqrqxAE9KJGV1X7E/GcOmmbkJ/p0Th1VyKgTF+3G1SQz7SEkuQ5h4Aszo7 d6gGuIOk6SJFaZ/jr/baipx5MkUkt+e8t/KC0xKJQUilxTqsv20vQc7jDaMHBHPc 24FWqEH6EGJapZXR1hJCoS2X7ELrq3nPWurwDTt0cieA8pujr/BW15ApvrcRqX8G qu57qJXkITVUQcJpPavkshzFvsiaZ8EztYVtaWkTE+jmOX6NsHq2bUZHGGpCVS/P 1l6plexTUEOR5k1dbt+5yGO4fksiPlyvryi5cc15hVaZIdGTclAFWOAo6vdkqQb6 DcIXVnzJRTg3qqxO+dfM2sXctY2JdsL5TYYmPAFXob/Z -----END CERTIFICATE----- Bag Attributes friendlyName: TMP WIFI CA subject=/CN=TMP WIFI CA/O=Company/C=US issuer=/CN=TMP CA/O=Company/C=US -----BEGIN CERTIFICATE----- MIIF9zCCA9+gAwIBAgIIBtIzVi0uxEwwDQYJKoZIhvcNAQENBQAwMDEPMA0GA1UE AwwGVE1QIENBMRAwDgYDVQQKDAdDb21wYW55MQswCQYDVQQGEwJVUzAeFw0xMjA0 MjYxMzQzMThaFw0yMjA0MjYxMzQxMzhaMDUxFDASBgNVBAMMC1RNUCBXSUZJIENB MRAwDgYDVQQKDAdDb21wYW55MQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEB BQADggIPADCCAgoCggIBAIneEJ/6UlcbaQCbwEpaUyIwn68tLcmnqL78vFpYk5tj ZsERPI6CAGA6nnaIkmyAf7SShj/JYQvWFrNw3ZRij7qPZ4OB+Pc2yEAnANhHJSkE aXQUOK5rTy6ASx9VhoZuD7Ny8/Kgyo2hWvEnwJsZNplPTUmJ16MechBNlwxaqdL6 uWw+U4t4+HHoeBih/3NtQXailvthtbb9weN3htx4shXem5MDzaO8g/2CNa9J+BXO 7o+OqOs5BEF9T0WMAz+i4wV0F3FAfl+Zto9wsIc5Ay/hIl85lAS6DpBfH2n8LkZE mFA4VGGEmYoPWe4EE5sG8zl4MEU0lEpWrZf5xO0nNixsSlL5DYOTl9vFGLAveYi1 1olm0d1icw+IOI1wOcuAbm/NAeYaR8v9s0i66ND91xLqHmgYMJrAGgRIqE+StV4o 6ofl5kbyJu0yNV0KBoqKE/CUCDTrfKlZ11CmfO2pMlbxgtdU89XSI90h4qSxzv5F owC3DYJ2kiff3LUs9IxEErPDSPkS+tyW8dn6QDeQtEwvFFTX6QTrZoHXPVSlKIwo V9fdqHJmEaNWgOptKK74Kq+BmIkv5SPt9rRDuEdvvuXDV7ov6RpwPt6lPkz4BLjf 0TMNZT7Du6+4gWQnNmGlk0tb/ZDsRCFooTbqEhpF4VLyp8eVNrb13HlqBlQGyd8t AgMBAAGjggEOMIIBCjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6 Ly9jb21wYW55LmNvbS9vY3NwMB0GA1UdDgQWBBTCYuPSX1YOMt6cvYpgqmIeFizR 4zAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFCdhVXFEYhq8oKeJx82ickde plyLMF0GA1UdHwRWMFQwUqAaoBiGFmh0dHA6Ly9jb21wYW55LmNvbS9jcmyiNKQy MDAxDzANBgNVBAMMBlRNUCBDQTEQMA4GA1UECgwHQ29tcGFueTELMAkGA1UEBhMC VVMwDgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3 DQEBDQUAA4ICAQC1bVNVt0XjKIK7EhY7ZKwY66jvzZluyH5iDBpe2oTB8br2v8eq 9PSiDSDqEqMjTTFjj2WO4MeTfeY1q3gKQ6pinjwxtZo7wDYJaYe1ZOl7IFKCPVHc WVqZXA6H4QpTRwpxuCapVGcllNVaLHtvI3Dd55Znl7davLfnjGiQ7AUMtSNrKkyu G8yl6noEgyn9f/NiR+MYYnDFNEgulC1U33c0hZQmwQNMCC4MVAMFCrU9Q5PSHf4N H8uZp5wnbdTr+hF2sXYIOwfoIa49/pq9dx7h/Bcopg/uH9SsPYKU1vY0yvWXt0cG OXGViTOHiqXDJmvINEzoOcBdkodCjPCV8fAsiora6QVhFLS7fTiKF71mfqJGUkd9 e7XDtDyLtAsbrvIb4U0PXqIf9YzvhcGeptkI0bPG2xZomQyotUdWIDhTyA4o2DsF nSoVLcF6QYo0gjK1rU/2OFPVWwgtu3Rfvw4FIEERfeqzyE59xoU1NE8uCPIP9BiY cOWdDtxbcf0u57FxVja3TIlYpb9tlbW0+VYk3yxedU3gJMwE7jtGeE4Z9JH5D3kz tGFaW6vF99r/a0rd9t1nyDPmfHf+25RanPpiSkwUG1jnMQdEwXPst88CfqHfiBhx NCgE2OyRR3s//gPqli7b9X9XgVjW5YIffZMHgrmU0cQU1JUOrdpqOa7UFQ== -----END CERTIFICATE----- -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Phil, can you look at the certs I provided? Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 04/30/2012 07:29 AM, jinx_20 wrote:
Phil, can you look at the certs I provided?
They look ok to me. There's no obvious reason they shouldn't verify, and quick tests as the CLI all passed. Are you sure these are functionally *identical* to the real ones you're using? I've checked over the FR verify code; it is a pretty standard verify callback, and doesn't have any logic errors. It's a bit of a shame the FR verify callback doesn't explicitly log the subject/issuer/depth values for failures, and just logs the error; I wonder if that is worth fixing (and if it would tell us anything more in this case). But I'm fairly sure FR is doing nothing wrong. Therefore, either your cert chain is mangled in some way OpenSSL doesn't like, OpenSSL is buggy or the client is buggy. Or something else weird is going on. I don't have any suggestions I'm afraid. If you're familiar with the TLS protocol, you could use wireshark to capture and inspect an EAP-TLS conversation. The dissector will reassemble the TLS exchange, and you can check the correct certs are being sent over the wire in the correct order.
I think I found a reason. In the root and sub CA certificates there was *Extended Key Usage* set to "OCSP Signing" what limited using of any user certificate issued by those CAs to "OCSP Signing" purpose. / 4.2.1.12. Extended Key Usage This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates. [RFC 5280]/ After removing EKU OIDs from CA certificate everything works fine. But I sill cannot understand why FR allowed to connect when I had removed Sub2_CA certificate from cert store. Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 30/04/12 13:18, jinx_20 wrote:
But I sill cannot understand why FR allowed to connect when I had removed Sub2_CA certificate from cert store.
Just to emphasise, unless I'm mistaken it is OpenSSL that was validating or rejecting the cert. The FreeRADIUS "verify" callback doesn't override the OpenSSL decision except in the expected cases, such as the external "verify" script execution, CN comparisons or similar, and those are done on terminal certs only. So, either OpenSSL was failing to validate it, or OpenSSL was passing bad "depth" data into FreeRADIUS' callback function. Either way, I think the issue here lies inside OpenSSL.
participants (3)
-
Alberto Martínez -
jinx_20 -
Phil Mayers