EAP TLS Server certificate error
Hi Mailing list, i installed freeradius on debian 9 for X802.1 authentication, which should replace an old freeradius server. For the new radius server, i generated a new CA for the client certificates and deployed the certificate on some clients. I also generated a certificate for the freeradius server (with the same CA): mods-enabled/eap: tls-config tls-common { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.crt dh_file = ${certdir}/dh ca_path = ${cadir} check_cert_cn = %{User-Name} cipher_list = "DEFAULT" .. } When a client tries to authenticate, i get the following radius output: (7) auth_log: --> Mon Mar 23 15:42:14 2020 (7) [auth_log] = ok (7) if (!EAP-Message) { (7) if (!EAP-Message) -> FALSE (7) else { (7) eap: Peer sent EAP Response (code 2) ID 15 length 17 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files_x802_1_cert_auth: users: Matched entry XXXXXX at line 163 (7) [files_x802_1_cert_auth] = ok (7) } # else = updated (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/outer-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x5b409518594a9812 (7) eap: Finished EAP session with state 0xfcae8891ffa18542 (7) eap: Previous EAP request found for state 0xfcae8891ffa18542, released from the list (7) eap: Peer sent packet with method EAP TLS (13) (7) eap: Calling submodule eap_tls to process data (7) eap_tls: Continuing EAP-TLS (7) eap_tls: Peer indicated complete TLS record size will be 7 bytes (7) eap_tls: Got complete TLS record (7 bytes) (7) eap_tls: [eaptls verify] = length included (7) eap_tls: <<< recv TLS 1.2 [length 0002] (7) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done (7) eap_tls: ERROR: System call (I/O) error (-1) (7) eap_tls: ERROR: TLS receive handshake failed during operation (7) eap_tls: ERROR: [eaptls process] = fail (7) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed But, when i replace the ${certdir}/server.key and ${certdir}/server.crt with the server certificate from the old server, x802.1 authentication works (why??) Can someone help me? Thanks!
Hi Thomas, is it possible that the „old“ certificate authority is trused on the Client but the new one is not? Have you installed the new CA on the Client machine? Bye Gesendet von Mail für Windows 10 Von: Thomas Manninger Gesendet: Montag, 23. März 2020 16:45 An: freeradius-users@lists.freeradius.org Betreff: EAP TLS Server certificate error Hi Mailing list, i installed freeradius on debian 9 for X802.1 authentication, which should replace an old freeradius server. For the new radius server, i generated a new CA for the client certificates and deployed the certificate on some clients. I also generated a certificate for the freeradius server (with the same CA): mods-enabled/eap: tls-config tls-common { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.crt dh_file = ${certdir}/dh ca_path = ${cadir} check_cert_cn = %{User-Name} cipher_list = "DEFAULT" .. } When a client tries to authenticate, i get the following radius output: (7) auth_log: --> Mon Mar 23 15:42:14 2020 (7) [auth_log] = ok (7) if (!EAP-Message) { (7) if (!EAP-Message) -> FALSE (7) else { (7) eap: Peer sent EAP Response (code 2) ID 15 length 17 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files_x802_1_cert_auth: users: Matched entry XXXXXX at line 163 (7) [files_x802_1_cert_auth] = ok (7) } # else = updated (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/outer-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x5b409518594a9812 (7) eap: Finished EAP session with state 0xfcae8891ffa18542 (7) eap: Previous EAP request found for state 0xfcae8891ffa18542, released from the list (7) eap: Peer sent packet with method EAP TLS (13) (7) eap: Calling submodule eap_tls to process data (7) eap_tls: Continuing EAP-TLS (7) eap_tls: Peer indicated complete TLS record size will be 7 bytes (7) eap_tls: Got complete TLS record (7 bytes) (7) eap_tls: [eaptls verify] = length included (7) eap_tls: <<< recv TLS 1.2 [length 0002] (7) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done (7) eap_tls: ERROR: System call (I/O) error (-1) (7) eap_tls: ERROR: TLS receive handshake failed during operation (7) eap_tls: ERROR: [eaptls process] = fail (7) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed But, when i replace the ${certdir}/server.key and ${certdir}/server.crt with the server certificate from the old server, x802.1 authentication works (why??) Can someone help me? Thanks! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Talkabout -
Thomas Manninger