802.1x auth EAP-TLS problem
Hi folks, I have a problem in my freeradius setup and I'm looking for some hints about that. Scenario: 1) GNU/Linux client w/ WPA supplicant configured to request access through EAP-TLS using a certificate (in order to achieve 802.1x ethernet authentication) 2) 802.1x enabled switch where client is connected 3) user/pass 802.1x authentication works fine (MSCHAPv2 based) 4) freeradius authenticates users on LDAP Freeradius debug log of the issue is here: ------- http://pastie.org/2132916 ------- All certificates should be ok (both on server and client): ------- FP42A certs # openssl verify ca.pem ca.pem: OK FP42A certs # openssl verify server.pem server.pem: OK FP42A certs # openssl verify 02.pem 02.pem: OK ------- Any tips? Thank you! -- mandi, Marco
On Tue, 28 Jun 2011 10:28:45 +0200, Alan DeKok <aland@deployingradius.com> wrote:
Use the correct certificates. I re-generated client certificate and signed it w/ CA one instead of server (default Makefile conf) and worked.
Sorry for the noise. -- mandi, Marco
On 6/28/2011 01:52, Marco Londero wrote:
On Tue, 28 Jun 2011 10:28:45 +0200, Alan DeKok<aland@deployingradius.com> wrote:
Use the correct certificates. I re-generated client certificate and signed it w/ CA one instead of server (default Makefile conf) and worked.
Sorry for the noise.
I always thought it was odd that the default makefile tried to sign the client certificate with the server certificate without the server certificate being signed with CA properties of any sort. I thought it was some advanced chained root thing, but I never got it to work even once, so I wrote my own, but it sucks. I think it may be a bug, and you just reminded me of that. someone who knows what they're actually on about should investigate that and see if it needs fixin' or filin'.
Christ Schlacta wrote:
I always thought it was odd that the default makefile tried to sign the client certificate with the server certificate without the server certificate being signed with CA properties of any sort.
Yes, well...
I thought it was some advanced chained root thing, but I never got it to work even once, so I wrote my own, but it sucks. I think it may be a bug, and you just reminded me of that. someone who knows what they're actually on about should investigate that and see if it needs fixin' or filin'.
It's a bug. The simplest thing to do is to make the client cert signed by the CA cert. This might have been done already, but I don't recall. Patches are welcome. Alan DeKok.
On Wed, 29 Jun 2011 15:03:33 +0200, Alan DeKok <aland@deployingradius.com> wrote:
I thought it was some advanced chained root thing, but I never got it to work even once, so I wrote my own, but it sucks. I think it may be a bug, and you just reminded me of that. someone who knows what they're actually on about should investigate that and see if it needs fixin' or filin'. It's a bug. The simplest thing to do is to make the client cert signed by the CA cert. This might have been done already, but I don't recall.
Patches are welcome. I just checked 2.1.11 and that's fine. In raddb/certs/Makefile:
------- client.crt: client.csr ca.pem ca.key openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf ------- -- mandi, Marco
On 06/28/2011 08:41 AM, Marco Londero wrote:
Hi folks,
I have a problem in my freeradius setup and I'm looking for some hints about that.
Scenario:
1) GNU/Linux client w/ WPA supplicant configured to request access through EAP-TLS using a certificate (in order to achieve 802.1x ethernet authentication) 2) 802.1x enabled switch where client is connected 3) user/pass 802.1x authentication works fine (MSCHAPv2 based) 4) freeradius authenticates users on LDAP
Freeradius debug log of the issue is here:
Debug logs should be a) not trimmed and b) gathered with "radiusd -X | tee log" for best effect. However:
------- http://pastie.org/2132916 -------
All certificates should be ok (both on server and client):
Well, they're not. The debug says: Mon Jun 27 15:42:13 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0566], Certificate Mon Jun 27 15:42:13 2011 : Error: --> verify error:num=20:unable to get local issuer certificate Mon Jun 27 15:42:13 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca Mon Jun 27 15:42:13 2011 : Error: TLS Alert write:fatal:unknown CA Mon Jun 27 15:42:13 2011 : Error: TLS_accept:error in SSLv3 read client certificate B Mon Jun 27 15:42:13 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Mon Jun 27 15:42:13 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails. Since you've trimmed the debug I can't see the config for your tls { } module, but you're missing a CA somewhere.
participants (4)
-
Alan DeKok -
Christ Schlacta -
Marco Londero -
Phil Mayers