check_cert_cn translation
We've noticed several people have posted their eap.conf for eap-tls troubleshooting, and that both the check_cert_issuer and check_cert_cn are commented out. In these configurations is freeradius just checking for the certificate in the crl list and that the proper CA root is in the CA_file on the freeradius server? What is gained by using check_cert_cn? When we have check_cert_cn enabled it seems that the User-Name is translated differently from different types of devices. When a test user with an iPhone tries to connect he receives errors, but the same certificate on a Microsoft Vista wireless client is successfully authenticated. We've seen this with both freeradius v1.1.7 and v2.1.1. Which file controls the User-Name translation? Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Test User (Company 1)) does not match specified value (test.user@company1.com)! Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown Fri Oct 24 19:46:58 2008 : Error: TLS_accept:error in SSLv3 read client certificate B Fri Oct 24 19:46:58 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Fri Oct 24 19:46:58 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: [test.user@company1.com] (from client tstca-wc-c01 port 29 cli 00-23-6C-5B-1C-23) Regards, Kas _________________________________________________________________ Want to read Hotmail messages in Outlook? The Wordsmiths show you how. http://windowslive.com/connect/post/wedowindowslive.spaces.live.com-Blog-cns...
kas mataz wrote:
We've noticed several people have posted their eap.conf for eap-tls troubleshooting, and that both the check_cert_issuer and check_cert_cn are commented out. In these configurations is freeradius just checking for the certificate in the crl list and that the proper CA root is in the CA_file on the freeradius server?
What is gained by using check_cert_cn?
Some sanity checking. It's common across many different RADIUS servers.
When we have check_cert_cn enabled it seems that the User-Name is translated differently from different types of devices. When a test user with an iPhone tries to connect he receives errors, but the same certificate on a Microsoft Vista wireless client is successfully authenticated. We've seen this with both freeradius v1.1.7 and v2.1.1. Which file controls the User-Name translation?
Nothing. It's the client device that is responsible for sending the EAP identity (which gets copied to the User-Name). If the client device does it wrong... the user won't be authenticated. This is actually a significant problem for more than just EAP-TLS. I'm in the process of updating RFC4282. The changes should help guide implementors as to what to do. Alan DeKok.
participants (2)
-
Alan DeKok -
kas mataz