Hi What am I missing to get EAP working both radius server and clients having ECC (P521) keys ? Running freeradius in the foreground shows me this: (8) eap_tls: (TLS) EAP Peer says that the final record size will be 378 bytes (8) eap_tls: (TLS) EAP Got all data (378 bytes) (8) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (8) eap_tls: (TLS) Handshake state - Server SSLv3 read client hello A (8) eap_tls: (TLS) send TLS 1.3 Handshake, ServerHello (8) eap_tls: (TLS) Handshake state - Server SSLv3 write server hello A (8) eap_tls: (TLS) send TLS 1.3 Handshake, type=8 (8) eap_tls: (TLS) send TLS 1.3 Handshake, CertificateRequest (8) eap_tls: (TLS) Handshake state - Server SSLv3 write certificate request A (8) eap_tls: (TLS) send TLS 1.3 Alert, fatal handshake_failure (8) eap_tls: ERROR: (TLS) Server : Error in SSLv3 write certificate A (8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL (8) eap_tls: ERROR: (TLS) error:1402D0FB:SSL routines:ACCEPT_SW_CERT:unknown pkey type (8) eap_tls: ERROR: (TLS) error:14FFF0A8:SSL routines:(UNKNOWN)SSL_internal:missing rsa certificate (8) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (8) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation "missing rsa certificate" is the bit that jumps out at me. My /etc/raddb/mods-available/eap file looks like the following: eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_password = THIS_HAS_BEEN_REMOVED_TO_PROTECT_THE_INNOCENT private_key_file = /etc/foobar/wifi/cert-out.key certificate_file = /etc/foobar/wifi/cert-out.crt ca_file = /etc/foobar/wifi/ca-chain.pem dh_file = /etc/foobar/wifi/dh.pem ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.3" ecdh_curve = "secp521r1" cache { enable = no store { Tunnel-Private-Group-Id } } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } tls { tls = tls-common } }
On Sep 19, 2024, at 5:35 AM, n5d9xq3ti233xiyif2vp--- via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
What am I missing to get EAP working both radius server and clients having ECC (P521) keys ?
It should just work.
Running freeradius in the foreground shows me this: (8) eap_tls: (TLS) EAP Peer says that the final record size will be 378 bytes (8) eap_tls: (TLS) EAP Got all data (378 bytes) (8) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (8) eap_tls: (TLS) Handshake state - Server SSLv3 read client hello A (8) eap_tls: (TLS) send TLS 1.3 Handshake, ServerHello (8) eap_tls: (TLS) Handshake state - Server SSLv3 write server hello A (8) eap_tls: (TLS) send TLS 1.3 Handshake, type=8 (8) eap_tls: (TLS) send TLS 1.3 Handshake, CertificateRequest (8) eap_tls: (TLS) Handshake state - Server SSLv3 write certificate request A (8) eap_tls: (TLS) send TLS 1.3 Alert, fatal handshake_failure (8) eap_tls: ERROR: (TLS) Server : Error in SSLv3 write certificate A (8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL (8) eap_tls: ERROR: (TLS) error:1402D0FB:SSL routines:ACCEPT_SW_CERT:unknown pkey type (8) eap_tls: ERROR: (TLS) error:14FFF0A8:SSL routines:(UNKNOWN)SSL_internal:missing rsa certificate
A little bit of google shows this: https://github.com/libressl/portable/issues/1058 It's a bug in libressl or OpenSSL. Alan DeKok.
On Thursday, 19 September 2024 at 13:17, Alan DeKok <aland@deployingradius.com> wrote:
A little bit of google shows this: https://github.com/libressl/portable/issues/1058
It's a bug in libressl or OpenSSL.
Good find, thanks. Its probably libressl in my case since this is an OpenBSD box. I have inadvertently stumbled accross a work-around: 1. Change ecdh_curve to empty string (i.e. "") 2. Change tls_max_version to 1.2 Changing the tls_max_version alone didn't fix it, its appears to be some behind-the-scenes combination of tls_max_version and empty string ecdh_curve that kicks things back into life. I've now got WPA2-Enterprise working. Getting WPA3-Enterprise working appears to be a different story ? From what I can tell on the internet, WPA3-Enterprise is very fussy about what is in the certificates ? e.g. the reference to "WPA3.1 page 12" on this site: https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration
participants (2)
-
Alan DeKok -
n5d9xq3ti233xiyif2vp@pm.me