EAP-TLS with server and client certificates by different CA
Good day We use FreeRADIUS 2.1.10 to authorize wi-fi clients. Step 1: many client's devices check server certificate, than we have Comodo EssentialSSL certificate for server. Its certificate chain: - radius_eltex_nsk_ru.crt - http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt - http://crt.comodoca.com/COMODORSAAddTrustCA.crt - AddTrust External CA Root EAP-PEAP-mschapv2 works good with this certificate. Step 2: we want to authorize clients with EAP-TLS We create self-signed CA (/etc/ssl/eltex/eltex-ca.crt) and any clients certs (maria.crt, for example). eap.conf has this parameters eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { #challenge = "Password: " auth_type = PAP } tls { certdir = ${confdir}/certs cadir = /etc/ssl/eltex private_key_password = 123456 private_key_file = ${certdir}/radius.eltex.nsk.ru.key certificate_file = ${certdir}/radius_eltex_nsk_ru.crt CA_file = ${cadir}/eltex-ca.crt \ ${certdir}/COMODORSADomainValidationSecureServerCA.crt \ ${certdir}/COMODORSAAddTrustCA.crt \ ${certdir}/AddTrustExternalCARoot.crt dh_file = ${certdir}/dh random_file = /dev/urandom # fragment_size = 1024 # include_length = yes # check_crl = yes CA_path = ${certdir} # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # check_cert_cn = %{User-Name} cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 # hours max_entries = 255 } verify { tmpdir = /tmp/radiusd client = "/usr/bin/openssl verify -CApath ${..cadir} %{TLS-Client-Cert-Filename}" } } 'cadir' contains eltex-ca.crt, eltex-ca.key only And now we can't authorize with EAP-TLS Client's device sends 'alert unknown ca' (what CA - server or client I can't understand) It was OK, when server ant client certificate were both signed by eltex-ca. I get this error at /var/log/syslog wpa_supplicant[926]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/OU=Domain Control Validated/OU=EssentialSSL/CN=radius.eltex.nsk.ru' wpa_supplicant[926]: OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed I try to install all my server certs to system # sudo update-ca-certificates 4 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d.... updating keystore /etc/ssl/certs/java/cacerts... added: /etc/ssl/certs/AddTrustExternalCARoot.pem added: /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.pem added: /etc/ssl/certs/radius_eltex_nsk_ru.pem added: /etc/ssl/certs/COMODORSAAddTrustCA.pem done. done. But it still not authorized with the same error Can we use server and client certificates signed by different CA at one server?
Hi,
CA_file = ${cadir}/eltex-ca.crt \ ${certdir}/COMODORSADomainValidationSecureServerCA.crt \ ${certdir}/COMODORSAAddTrustCA.crt \ ${certdir}/AddTrustExternalCARoot.crt
errr? no. CA_File is just a file. put one entry there. perhaps you can use a file with all of these concatenated but the usual way is 1) have all your certs in the certdir 2) for the certificate_file entry, eg PEAP, have the server cert, its intermediates and the root in there 3) for CA_File, used for EAP-TLS, put your private CA in there finally, think about not using a public root for your PEAP anyway alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Mikhail Gaidamaka