Radius Server and Radsecproxy Certificate problem
I am trying to setup radsec using freeradius version 3.0.3. I have generated self-signed certificate on my freeradius server using openssl commands . I have generated CA ,client ,server. , and using same certificate for radsecProxy. 1) Running radsec on Access Point using following command: ./radsecproxy -f -c radsecproxy.conf 2) Running Radius sever on Ubuntu Machine using following command : radiusd -fxx -l stdout Now Radius Server and RadSec able to listen on port 2083 , but not able to make successful connection using TLS. Getting following error on Radsec: Jan 4 16:44:34 2015: tlsconnect: TLS: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Jan 4 16:44:36 2015: connecttcphostlist: trying to open TCP connection to 192.168.11.2 port 2083 Jan 4 16:44:36 2015: connecttcphostlist: TCP connection to 192.168.11.2 port 2083 up Jan 4 16:44:36 2015: verify error: num=19:self signed certificate in certificate chain:depth=1: Test Certificate Authority and on Radius Server getting following error: (0) Requiring client certificate (0) Initiate (0) (other): before/accept initialization (0) TLS_accept: before/accept initialization (0) <<< TLS 1.0 Handshake [length 00de], ClientHello (0) TLS_accept: SSLv3 read client hello A (0) >>> TLS 1.0 Handshake [length 003e], ServerHello (0) TLS_accept: SSLv3 write server hello A (0) >>> TLS 1.0 Handshake [length 08dd], Certificate (0) TLS_accept: SSLv3 write certificate A (0) >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (0) TLS_accept: SSLv3 write key exchange A (0) >>> TLS 1.0 Handshake [length 00a9], CertificateRequest (0) TLS_accept: SSLv3 write certificate request A (0) TLS_accept: SSLv3 flush data (0) TLS_accept: Need to read more data: SSLv3 read client certificate A (0) TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (0) <<< TLS 1.0 Alert [length 0002], fatal unknown_ca (0) ERROR: TLS Alert read:fatal:unknown CA (0) ERROR: TLS_accept: Failed in SSLv3 read client certificate A (0) ERROR: SSL says: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. (0) FAILED in TLS handshake receive Closing TLS socket from client port 46788 Client has closed connection ... shutting down socket auth from client (192.168.11.1, 46788) -> (*, 2083, virtual-server=default) Waking up in 0.9 seconds. How to resolve this ? -Regards Ankit
On Jan 4, 2015, at 12:22 PM, Ankit Prajapati <prajapati.ankit85@gmail.com> wrote:
I am trying to setup radsec using freeradius version 3.0.3.
You should upgrade to 3.0.6. It won’t fix this issue, but it’s generally netter.
I have generated self-signed certificate on my freeradius server using openssl commands . I have generated CA ,client ,server. , and using same certificate for radsecProxy
Your certificates are wrong. The debug output shows this.
(0) <<< TLS 1.0 Alert [length 0002], fatal unknown_ca (0) ERROR: TLS Alert read:fatal:unknown CA (0) ERROR: TLS_accept: Failed in SSLv3 read client certificate A
That’s pretty clear. The client certificate being presented by radsecproxy is signed by a CA. FreeRADIUS doesn’t know anything about that CA. You need to use ONE CA certificate. Put that on both systems. Then, use that CA to create a server certificate. Put that on FreeeRADIUS. Then, use that CA to create a client certificate. Put that on radsecproxy. Alan DeKok.
participants (2)
-
Alan DeKok -
Ankit Prajapati