EAP/TLS TLS_accept error
EAP/TLS TLS_accept error Hi: I want to build a IEEE 802.1x authentication environoment and I have installed freeradius-1.0.2, openssl-0.9.8i, hostpad-0.4.8, wpa_supplicant-0.4.8. The authentication server is built in redhat9 , the database is mysql5 and client is build in linux. I can use EAP/MD5 authentication type and it runs well. When I config EAP/TLS-MD5 type, the client cann't be authenticated. I have referenced many similar ways to resolve it, but I am failed. I list my configuration files and the debug information below. Who can give me some suggestion, Thank your very much for your help ! A. IN FREERADIUS: 1. Using CA.all to generate certificats: /CA.all Get those new files: cert-clt.der cert-clt.p12 cert-clt.pem cert-srv.p12 cert-srv.pem newcert.pem newreq.pem root.der root.p12 root.pem The default protect password is whaterver 2. Generate Diffie-Hellman key named dh and random key named random openssl dhparam -check -text -5 512 -out dh dd if=/dev/urandom of=random count=2 3. eap.conf default_eap_type = tls tls { private_key_password = whatever private_key_file = /etc/mycerts/cert-srv.pem certificate_file = /etc/mycerts/cert-srv.pem CA_file = /etc/mycerts/root.pem dh_file = /etc/mycerts/dh random_file = /etc/mycerts/random fragment_size = 1024 include_length = yes } 4. radius.conf authorize { preprocess suffix eap files sql } authenticate { eap } 5. users DEFAULT Auth-Type = EAP Fall-Through = 1 6. part of debug information modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0822], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0071], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept:failed in SSLv3 read client certificate A TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept:failed in SSLv3 read client certificate A 6533:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42 6533:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails B. IN HOSTAPD 1. some debug information RADIUS packet matching with station 00:13:d7:20:00:90 IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state FAIL IEEE 802.1X: Sending EAP Packet to 00:13:d7:20:00:90 (identifier 4) IEEE 802.1X: 00:13:d7:20:00:90 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:13:d7:20:00:90 AUTH_PAE entering state HELD br0: STA 00:13:d7:20:00:90 IEEE 802.1X: authentication failed IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state IDLE C. IN WPA_SUPPLICANT 1. wired.conf # IEEE 802.1X with EAP-TLS ctrl_interface=/var/run/wpa_supplicant ap_scan=0 eapol_version=1 network={ ssid="" key_mgmt=IEEE8021X eap=TLS identity="test" ca_cert="/root/root.pem" client_cert="/root/cert-clt.pem" private_key="/root/cert-clt.pem" private_key_passwd="whatever" eapol_flags=0 priority=2 } 2. some debug information SSL: SSL_connect:SSLv3 read server hello A TLS: Certificate verification failed, error 9 (certificate is not yet valid) depth 1 SSL: (where=0x4008 ret=0x22a) SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server certificate B OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed SSL: 7 bytes pending from ssl_out SSL: Failed - tls_out available to report error
henry1412 wrote:
I want to build a IEEE 802.1x authentication environoment and I have installed freeradius-1.0.2, openssl-0.9.8i, hostpad-0.4.8, wpa_supplicant-0.4.8. The authentication server is built in redhat9 , the database is mysql5 and client is build in linux. Most of these software versions are very old. You may want to consider using current versions to mitigate your frustrations and minimize errors.
-- John Dennis <jdennis@redhat.com>
participants (3)
-
henry1412 -
John Dennis -
tnt@kalik.net