Microsoft: Certificate Authentication
I'm a newbie, and I'm trying to configure a simple EAP-TLS autententication by using client certificates. I have follow different procedures that I have found on the web to do that, but no successful currently http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline http://www.linuxjournal.com/node/8151/print1 I have 2 questions: - 1st... How I should read the output log? I see something like different attempts by using different methods, but I don't know if they are correlated between them. - 2nd... What is wrong in my configuration? I can not distinguish, at the moment, which is the entry at logs that I should focus. This is the full output log of my attempt. -------------------------------------------------- rad_recv: Access-Request packet from host 160.103.180.252 port 32769, id=243, length=164 User-Name = "user" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x020200090175736572 Message-Authenticator = 0xfba02c8ac6cde8bd5e9cc9c8802e9b93 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 243 to 160.103.180.252 port 32769 EAP-Message = 0x01030016041079a3e325aa029e8ab2ff01846230544a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4846a7ba4845a389971edb0de589acf4 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 160.103.180.252 port 32769, id=244, length=179 User-Name = "user" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x02030006030d State = 0x4846a7ba4845a389971edb0de589acf4 Message-Authenticator = 0x37a434abc65138138fd4796c6e762cc2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/tls [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 244 to 160.103.180.252 port 32769 EAP-Message = 0x010400060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4846a7ba4942aa89971edb0de589acf4 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 160.103.180.252 port 32769, id=245, length=288 User-Name = "user" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x020400730d800000006916030100640100006003014b1670b85bd6ec60f746bf7a25503e108c5e77945815b72de35f874617cd6a63000018002f00350005000ac009c00ac013c01400320038001300040100001f00000009000700000475736572000a00080006001700180019000b00020100 State = 0x4846a7ba4942aa89971edb0de589acf4 Message-Authenticator = 0x59ee0b77dde94d67dcf75a8acfd955e9 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 115 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 105 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0064], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 082d], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 009b], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 245 to 160.103.180.252 port 32769 EAP-Message = 0x010504000dc000000901160301002a0200002603014b1670b8b8cc1d715d848ee2743ba05da48da5fc7a1e2a8a80dba3c240f6d13300002f00160301082d0b0008290008260003933082038f30820277a003020102020105300d06092a864886f70d0101040500308189310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a1304455352463120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d303931323032 EAP-Message = 0x3133323134345a170d3130313230323133323134345a3073310b3009060355040613024652310e300c060355040813054973657265310d300b060355040a130445535246312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e4a3599d55dfed32bb2dd97edb7febd830ce39f41874d0e5f74b02585faf7ff9f45052dd354b8ef114ddb63b67f470f8192ede48e9c3c437f880bd3a5d089f57891e58e73acae452c5949dff5412b4f11e EAP-Message = 0x11c6d4b61a8104ee317e1fd4b1d241f76a6ecb1b26f0a1018bdadc4f176fdfc66dd1f5c4f56f8e48d11662f907db5ad6cceb705ad435fe7a3c3e70486c73430c4c193f6738250000b10de634552ff3f0d54207d4fd9f0192fec213ec4854bc46febdcad27abc72c72e45415d558fc8643a6a49c4b5aef0593cf62edb551cc9b1d53aca3694c3ffbf23659967eddb44828020893ffa2c06c38bbf598efb81c42456936e91e09c701c39b054be846e710203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100b66737e13bf16a7366c344dc8b550ebe9774944d5030c68b708ec435 EAP-Message = 0x5fff762e9d2a02348589178c7783f3678cc10fbc3635f8156166c4e26842e3c9513df9acff0088f53f84042dc05b12732a9f91fe4731e01a7bb115d918144fa642b1395d91cfc5a4249c911875ea199ddc5dc9fc51fa5852c158e9ac39c2b26bf332504c2e63aa147adaa2a9c5e064b5644ce279811c2324836c5bceef65a350a54d72338630fe8e3527680f7b726248efc0046e01b73e7f239ceed69d8745026dba7e2eb4928da67f793e20107051069e8f8490250a4e5e26fff78a0fbee04a323dd70ba6d2a70197c5a1be93f007f9701428dab8f3ddd0335317ad61379282335cdc0b00048d3082048930820371a003020102020900c029cc32e98c EAP-Message = 0x0217300d06092a864886f70d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4846a7ba4a43aa89971edb0de589acf4 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 160.103.180.252 port 32769, id=246, length=179 User-Name = "user" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x020500060d00 State = 0x4846a7ba4a43aa89971edb0de589acf4 Message-Authenticator = 0x5133bbfe13db2695294ac87d88e0dc90 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 246 to 160.103.180.252 port 32769 EAP-Message = 0x010604000dc0000009010101050500308189310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a1304455352463120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039313230323133323134345a170d3130313230323133323134345a308189310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246 EAP-Message = 0x3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c42d37329909ff866c2ddd7493ae65d1195619adc00afcf3df4c8487a1149b846ed5f7ca57c07e8de91342bd39871ab92136939454c6510cfdc7f33790c170be30a40c97c7137aa15520cf6d37ef5f6bca12f8a0ad15c8413fda300399fe55b98b03e15b278e9139e288e1c253fee049b2f874a782e7dc018d1da6ef9ac2b836f55803e60d494e9e64c9bef5e531a6d7280a EAP-Message = 0x8035abfcaa54882ec8ba886f0b1f66636dbde3450dd5c2454f82cca89dc164cbd6244e8ce57b99bdd6ce61d600724c945bddbeb1aae178c8435b44f09b11ce77eb11336e9fdba425d0f6f2afa0da1fecb8967a85bcd97d0913a34c345f9808b514885c7ed884c90b9da18f929fef0203010001a381f13081ee301d0603551d0e04160414915d8065ec5af3fb19079647ad4a44563f8936323081be0603551d230481b63081b38014915d8065ec5af3fb19079647ad4a44563f893632a1818fa4818c308189310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b06035504 EAP-Message = 0x0a1304455352463120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900c029cc32e98c0217300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100bd49d4ca86009b4fcb6a7a2b282ec2df2c749d166d356141b4c1b5720ebf955c7eaf1acd37e6b4a6226eaa9b603905b81f9ff8e0a8c6be4de629e77c50b1e6cee78bfe7ea8510c5fc3f4a4251e4f08a49da2c13a2c07dec815df4ed33c7a84801f7b4b9af5af2319269cb95354048763d7eb5f5e8ccb1db6f5a3cbb186ce8f EAP-Message = 0x84e025c2599b56ae3f98b749 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4846a7ba4b40aa89971edb0de589acf4 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 160.103.180.252 port 32769, id=247, length=179 User-Name = "user" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x020600060d00 State = 0x4846a7ba4b40aa89971edb0de589acf4 Message-Authenticator = 0x2ed77d6f8362c5cde55db3be96604946 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 247 to 160.103.180.252 port 32769 EAP-Message = 0x0107011f0d80000009010c98a5d5cb4f8686ffab6198d77af42723db6e94a6d16de1d592da88d99db195084d59eceff6109ddcbfee6b34f5d1770916ce2eb4841a7f326652c0b3e249a1b259bc817dcf4e3a8e0696084952b478fd9dc31b4af2a68d856af8b32c211f13e21305938b4d1125eaf352e4beacfb702c3fcfef57160301009b0d000093020102008e008c308189310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a1304455352463120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355040313 EAP-Message = 0x1d4578616d706c6520436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4846a7ba4c41aa89971edb0de589acf4 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 160.103.180.252 port 32769, id=248, length=1660 User-Name = "user" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x020705c50d80000005bb160301057b0b00036b0003680003653082036130820249a003020102020106300d06092a864886f70d01010405003073310b3009060355040613024652310e300c060355040813054973657265310d300b060355040a130445535246312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039313230323133323335385a170d3130313230323133323335385a305c310b3009060355040613024652310e300c060355040813054973657265310d300b060355040a130445535246310d EAP-Message = 0x300b0603550403130475736572311f301d06092a864886f70d010901161075736572406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a028201010097d42e7efd9d6d3779c7e8332bf95412f7b3f899adbc9a82c23bc1a5b042eb94644e7b0d2687cce6d5614d4b026e69e08d8fe4d3c74c393311e6b9a781306be331b51a31cdd983d7bdf9eb42876f2f399a103bc527457830dc5f19ec094c43aaebef0a0a3a98acacd4eec724c1dc9a412a88f0b2a61a138a715e41c9f38b54ade7bbd45a447afff20d7d670f554495a3ef91a1d8b74ec9e8ced3820d735fe98865ec21660ccc19888cb9ec7c7a2f EAP-Message = 0xa5d93096a267ddf7c02d459ff973a0e5934180dae55573573e11feef218391dc2a63de3153d1fb0455c3639bf54292318164a9227db552c322338c6f62f089791adedc9c12c7abba5d291505e021430b3fb70203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010052828c773deb6f47894b702ebcab180a57224ca1782f9c88c0dfb06f7960c76596b71e4cfc16db61a122160fb297a13135e84f615e886bbfc7f0b543a70f427cd8494b9509b9b1b30ebb45eeaea41f787a7a28d26bea6a25fd4c268e5d6719d21ff6a9742f6df9eb1e05489f68ad1974e2110a6a391cf4d6db EAP-Message = 0x2b2bbcdc4b7a7b199daa3a456d44d1b114c78636ce369a783713e502dc811d6ae6f11bc7bfe2ef08cbdda19bcabdf3d9676f6567e49332a90f1fe37b3b862d1adaf12bc2b97c3082103600bac2722531c3f20cf1fb0b92d5e6bffdfc881907116057822a51c6545efab63513e2a15d27a732ff6cd9c80cf414318fcb9ca6031afedaa8737f238c1000010201007100aa87914b3d5afcf8b203a91ff18361a257a8e68e9e6bf9b236982e7656f6c3da3ed8a18342e40c92156885d1194a93679ee4bf4f42074d51aaef8727711f26c2cb98dc14628eba9a36b23ddd7c43f2a96b826a34667cf0bcbf2be7c85ed29f72ba866ac985e465a81cc77f23e217 EAP-Message = 0xf4ebee899a796d8461d06621a80cf7efd815ca1a6efc57e26791f8eafb7392757d7ae8a5a1817c2f5fc28186102f1d301e15829c064b6812dd4edb73748ad35ee3354018de6c2c0dc73c8c956dcecd40ffc1341bbda72d477654596b9111bd49b4aaeecacc4f99651dc329ee6bf72c02e77d6e8561272aa62d553c7c944add2f7c504bba595f8bec2d90f0a75401b59f0f000102010056e9a7514c9bfa911b4a6d83d7130c0c24879e41a7c0ccde757404bec262a7557ace3546baa5f02898b091fad9088406da74645a09bd172aad189741756d8b1b23ed2c84d889ec28a68ee9fb2b7f47688d588cc35a97e7b2d5709e8a9870d3b2cd029a485b14c6 EAP-Message = 0xf3461ec7f6295ffdd05d5ca94c21d46e0d583f9dc5277ecf6a528be053c527b8fe02a0a84a98aa37d5753bf7291667c49503f0f22b4394dbba0857c80f6a9a023bf56a611a2ff952ef45e8a63ac3153665b66b2324fc85101685b49eb9ec76fb9096cde885df4da1fa2224b40943fb907b068115f2905c3af2cab52008a8d436497189290f3ac638cc4ded6f354248dddca15525478c24be5a14030100010116030100303a6cd161291c5ff4a3e3494d75d28b57382f8af5678c9dcc668c2ad222086bb540169e6c1b135e147be876d29bd03ea2 State = 0x4846a7ba4c41aa89971edb0de589acf4 Message-Authenticator = 0x8126ccaf88a0d4a9c279618a24fbf364 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1467 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 036f], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 248 to 160.103.180.252 port 32769 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 243 with timestamp +7 Cleaning up request 1 ID 244 with timestamp +7 Cleaning up request 2 ID 245 with timestamp +7 Cleaning up request 3 ID 246 with timestamp +7 Cleaning up request 4 ID 247 with timestamp +7 Waking up in 1.0 seconds. Cleaning up request 5 ID 248 with timestamp +7 Ready to process requests. ------------------------------- Thanks a lot in advance for your help. Regards, Fernando.
I'm a newbie, and I'm trying to configure a simple EAP-TLS autententication by using client certificates. I have follow different procedures that I have found on the web to do that, but no successful currently
http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline
- 2nd... What is wrong in my configuration? I can not distinguish, at the moment, which is the entry at logs that I should focus.
[tls] <<< TLS 1.0 Handshake [length 036f], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA
If you had followed the howto guide and done: In the list of trusted root CAs, check only the CA that corresponds to the certificate you have generated error wouldn't happen. You most likely haven't imported you self-signed root CA onto the client. Ivan Kalik
- 2nd... What is wrong in my configuration? I can not distinguish, at the moment, which is the entry at logs that I should focus.
[tls] <<< TLS 1.0 Handshake [length 036f], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA
If you had followed the howto guide and done:
In the list of trusted root CAs, check only the CA that corresponds to the certificate you have generated
error wouldn't happen. You most likely haven't imported you self-signed root CA onto the client.
Ivan Kalik
Yes, I have done it. I have imported my "ca.der" as is showed on the howto guide. As well I have tested with and without checking "validate server certificate" box. (when is selected, only the CA that correspond to my certificate is crossed) In both cases (with and without "validate server certificate" box) I get the same message. Regards, Fernando.
participants (2)
-
Fernando Calvelo Vazquez -
tnt@kalik.net