EAP-TLS authentication allows me to authenticate with invalid certificate.
Hi, I'm running into an issue where FreeRADIUS allows an invalid certificate (one not signed by my configured CA) to successfully authenticate to EAP-TLS. There's a message in the log that clearly indicates that the CA wasn't found (--> verify error:num=20:unable to get local issuer certificate) , yet my authentication succeeds. I'm using FreeRADIUS version 2.1.10 with a largely default configuration (home-grown certificates). I want this authentication to fail because the certificate that the client is using was not signed by the CA that I have configured with the CA_file directive, therefore it should be considered an invalid EAP-TLS attempt. Has anyone seen this before? I couldn't find any related messages in the FreeRADIUS archive. Thanks, Here's the log: rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=39, length=189 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000013014175746f6d6174696f6e55736572 Message-Authenticator = 0xebf0b398f32dc38984552b06634ef90e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 39 to 192.168.19.12 port 1035 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2fcae5dd2fda306cc163ff247674563 Finished request 37. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=40, length=352 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100a40d800000009a16030100950100009103014cb5184f29200ee95888008e509e4cf7d61e39b9688acd0a179f3f12fd982b03000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 State = 0xd2fcae5dd2fda306cc163ff247674563 Message-Authenticator = 0xbaf4c3763aa24c9f8ecb1bc1695bfbe4 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 164 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 154 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0095], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 069f], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00af], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 40 to 192.168.19.12 port 1035 EAP-Message = 0x010204000dc000000787160301002a0200002603014cb5183db33a52670f42ebf1dd1d323435c9d1727572176f37deae32bcdf256400002f00160301069f0b00069b0006980002cf308202cb30820234a003020102020101300d06092a864886f70d010105050030819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e7340 EAP-Message = 0x6170706c652e636f6d301e170d3130313031303033313233365a170d3230313030393033313233365a3081a0310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d73514131193017060355040313104175746f6d6174696f6e5365727665723125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d00308189028181009c863c44ddc7f8e2d9153ce65d246a4576e7cad0 EAP-Message = 0x693a37f44cf8e71fbd4010fb0287128c6e4a5eae040a9d806ba510d76026c536a6e44a1341630f76a472f3a324aff010ccf26e168a523e9dac5b131512b6534209c4ddf0059e456767fef96ab15996e3e9e6d8c06aed16032ed09ec81a79e5cf2fcad21d43f93a382ef64afd0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100b3ab384f900eb95db0b5f932639f532d7993d262e5d4f95b0caf2f6778dc3f7ead0361033974828f3a564aa7642760c93c5f3293c69f4f13ed309bee53a0dcee4a07d59994d34a7e51ddef376f87c8ab8614f9e14dd233d1c7f7cb3af4dc571b EAP-Message = 0x2c456a6e2a857a132a9d26d2acc4be820b7c6265a0b541f3f31067a8ce921b7a0003c3308203bf30820328a003020102020900aee0069109e88a1e300d06092a864886f70d010105050030819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d301e170d3130313031303033303831335a170d32 EAP-Message = 0x30313030393033303831335a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2fcae5dd3fea306cc163ff247674563 Finished request 38. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=41, length=194 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060d00 State = 0xd2fcae5dd3fea306cc163ff247674563 Message-Authenticator = 0xa475a2642ff359874a9fc61a5522e311 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 41 to 192.168.19.12 port 1035 EAP-Message = 0x0103039b0d800000078730819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100eba6920d4e7026b5b56be1ffe4a92657531f57f5ec3151a3b08536f2c15ac37e6ca83945576dc7fa534379f00849d14f3ccb630c0cceff EAP-Message = 0x7c032eeedceda81ede4979d9c11aa32b94e13d2c55911c8910d74fe834a062c563b76f66377ba558adf01c29ad786385dcf067324f087f4e62f9bce9f1a15c0238d7068e6bff2436910203010001a382010530820101301d0603551d0e041604143d14bac4f677ed18b87223f0ef167fa28fb245a03081d10603551d230481c93081c680143d14bac4f677ed18b87223f0ef167fa28fb245a0a181a2a4819f30819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d EAP-Message = 0x735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d820900aee0069109e88a1e300c0603551d13040530030101ff300d06092a864886f70d010105050003818100e533646f2f3626e199b1617ea96c40568f8c210f770373587881beb74e8c5b439c6b43e075567d0fba0bcfdcf62e70bdca8240ca0156ea160648f09650898f1e4569aaccd3108a95d94a07f59f60b127626399f132d34825e5100c9986d7754d2a45b743d8b75037f032cb30e071a1128486e433f69a6039f6c06926a88e777716030100af0d0000a70301024000a100 EAP-Message = 0x9f30819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2fcae5dd0ffa306cc163ff247674563 Finished request 39. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=42, length=1274 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020304360d800000042c16030102d60b0002d20002cf0002cc308202c830820231a003020102020102300d06092a864886f70d010105050030819b310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311430120603550403130b526f7474656e4170706c653125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d301e170d3130313031323138333633355a170d3230313031313138333633355a30819e310b3009 EAP-Message = 0x060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311730150603550403130e4175746f6d6174696f6e557365723125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db2c1fc69d20a42a3101c93df6d6db4fab40fb77fdefd5334ba3ccfca3032417aefb71deb9ef75f51182010940a03c618ca1a879af099d1470fc8d8fcfd3d4d9cc3d1672bb7f EAP-Message = 0xed5c015ef660cbdb2f75eae83c658683164773db3ba34782fbba6ead164839b6b555c94fc355d24228545474a2d7a4ae732982ebffdaf3bb20fd0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010105050003818100505a1fcf9aa9fc38d3cc0fb6f6e2edfe0ab50af4aa358726dfd784e69461e3f0c539360a94995cce8bf85bf4f1cc53bd8eda704b135a698e89d157d042d602d1f78c2bbb4a3f2cc2fb9113b9d03f71f731c71cd9360ef4f762403e7c14fcd112401c7217321dbc1d2fb8b2168c0651c2eaade2f1292f4a7c5f8904a2c1844cfd16030100861000008200801ef0cf7c185512 EAP-Message = 0x86b4f42b2374ad3345f22e10c90614b872fa5688df1621c9acadc08593d71659adf9cce1550e199d0e0da86d99e25bab70888873d38f07f42e0c4a344fb5d3fc5788de9cacf4c182fb06fd176afd9a65d9297bea1e73acd3ffa6dfbc70e1014a2c7f6cf8f3d5342d96aaa32a1311b89e455586816c7b57564516030100860f0000820080a9de35c71327f318ebb962597c6f6503e073afe5aa279c1822463224fe189022c50ec10a915947ae451e3d39d798106d9ff5bfe7600ad6ce0da735ba4613898facdb2889ac642ed2efc1ca6e81b79594678e055fba42fddd1d16634b85b641587d349fe39e127080b9f8695a962c8ca0480f7b52cf6cbafa1e EAP-Message = 0x5ff67080001aa11403010001011603010030a11644efce0b94b9179c2e9aa9eb472e0869267e0bf174beae262e5f4e4bd0583db05bd6bf51fba61ba940eca8e658b0 State = 0xd2fcae5dd0ffa306cc163ff247674563 Message-Authenticator = 0x2a124c92c4da145bbd47a068a71f4293 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1068 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 02d6], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully SSL Connection Established [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 42 to 192.168.19.12 port 1035 EAP-Message = 0x010400450d800000003b14030100010116030100308aeb9012d08c6b2e742f6f6defcbe397ce58cb4911aeeba0c6c2ac6d4e45b941898218a5e1bf55e35ed26ee1a29b3464 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2fcae5dd1f8a306cc163ff247674563 Finished request 40. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=43, length=194 User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400060d00 State = 0xd2fcae5dd1f8a306cc163ff247674563 Message-Authenticator = 0x34e48ce176b27309dbd3b53091ad3816 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [opendirectory] The host 192.168.19.12 does not have an access group. ++[opendirectory] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake is finished [tls] eaptls_verify returned 3 [tls] eaptls_process returned 3 [tls] Adding user data to cached session [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 43 to 192.168.19.12 port 1035 MS-MPPE-Recv-Key = 0x08d815790ebfb9a13cc81f79b0c756c8126e52f63338fd882c458eb019a48533 MS-MPPE-Send-Key = 0x1bc9637fd958191a0127c04a9b84812644caba495fcfc5ec3d3b02edc08fd72e EAP-Message = 0x03040004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "AutomationUser" Finished request 41. Going to the next request Waking up in 4.7 seconds. rad_recv: Accounting-Request packet from host 192.168.19.12 port 1031, id=44, length=169 Acct-Session-Id = "4CB26D4B-0000007B" Acct-Status-Type = Start Acct-Authentic = RADIUS User-Name = "AutomationUser" NAS-IP-Address = 192.168.19.12 NAS-Identifier = "honeybutter" NAS-Port = 0 Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2" Calling-Station-Id = "00-25-00-43-5E-13" NAS-Port-Type = Wireless-802.11 Connect-Info = "11ng" Vendor-26928-Attr-1 = 0x00000000 # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 192.168.19.12,NAS-IP-Address = 192.168.19.12,Acct-Session-Id = "4CB26D4B-0000007B",User-Name = "AutomationUser"' [acct_unique] Acct-Unique-Session-ID = "246d28e49e4f15d2". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.19.12/detail-20101012 [detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.19.12/detail-20101012 [detail] expand: %t -> Tue Oct 12 19:23:57 2010 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp [radutmp] expand: %{User-Name} -> AutomationUser ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> AutomationUser attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 44 to 192.168.19.12 port 1031 Finished request 42. Cleaning up request 42 ID 44 with timestamp +371 Going to the next request Waking up in 4.7 seconds.
Terry Simons wrote:
I'm running into an issue where FreeRADIUS allows an invalid certificate (one not signed by my configured CA) to successfully authenticate to EAP-TLS.
Well... the code which prints the error "verify error:num=20:" is in the "verify certificate callback" function. It's returning FALSE to OpenSSL. OpenSSL *should* return that error back up the call chain to the functions in src/modules/libeap/. They look for error returns from OpenSSL, and stop the conversation if so.
There's a message in the log that clearly indicates that the CA wasn't found (--> verify error:num=20:unable to get local issuer certificate) , yet my authentication succeeds.
I'm using FreeRADIUS version 2.1.10 with a largely default configuration (home-grown certificates).
Does it fail authentication with another version of FreeRADIUS? If not, it's an OpenSSL problem.
I want this authentication to fail because the certificate that the client is using was not signed by the CA that I have configured with the CA_file directive, therefore it should be considered an invalid EAP-TLS attempt.
Has anyone seen this before?
Nope. I'm not a crypto person. FreeRADIUS hands the SSL stuff to OpenSSL, which does it's magic to verify the certs. Alan DeKok.
participants (2)
-
Alan DeKok -
Terry Simons