Server certificate confusion
I am having problems with the server certificate. If I create a server certificate without the XP Extensions, using eapol_test I can get a validation success, but Windows clients give an 0x80420101 error. If I redo the certificates with the XP Extensions I see the following in the certificate: X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: Full Name: URI:http://www.example.com/example_ca.crl But eapol_test ends in failure with the following part way through: TLS: Certificate verification failed, error 7 (certificate signature failure) depth 0 for '/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org' CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org' err='certificate signature failure' EAP: Status notification: remote certificate verification (param=certificate signature failure) and "radiusd -X gives: (29) eap_tls: Done initial handshake (29) eap_tls: <<< recv TLS 1.2 [length 0002] (29) eap_tls: ERROR: TLS Alert read:fatal:decrypt error (29) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (29) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read) (29) eap_tls: ERROR: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error (29) eap_tls: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (29) eap_tls: ERROR: System call (I/O) error (-1) (29) eap_tls: ERROR: TLS receive handshake failed during operation (29) eap_tls: ERROR: [eaptls process] = fail (29) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (29) eap: Sending EAP Failure (code 4) ID 5 length 4 Do you know what I'm doing wrong? TIA, Nick
On 17/04/2018 09:57, Marek Zarychta wrote:
W dniu 2018.04.17 o 10:46, Nick Howitt pisze:
Do you know what I'm doing wrong? Hi Nick,
you should have installed CA certificate on the client machine to succeed with authentication.
Regards,
eapol_test runs on the server and references the certificates directly. This is the eapol_test config file: network={ ssid="DoesNotMatterForThisTest" key_mgmt=WPA-EAP eap=TLS identity="test" password="test" ca_cert="/etc/raddb/clearos-certs/ca.pem" client_cert="/etc/raddb/clearos-certs/cert.pem" private_key="/etc/raddb/clearos-certs/key.pem" eapol_flags=3 } The certs are in a non-standard folder but /etc/raddb/mods-available/eap has been adjusted to suit
Replying to my own post. There was a permission problem which I've now fixed, but I still get failure: eapol_test: EAPOL: SUPP_BE entering state RECEIVE Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=6 length=44 Attribute 79 (EAP-Message) length=6 Value: 04060004 Attribute 80 (Message-Authenticator) length=18 Value: 09b3759d82eeeaaaf74cc3e25257cf11 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=6 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: Status notification: completion (param=failure) EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: result=0 EAPOL: EAP key not available EAPOL: EAP Session-Id not available WPA: Clear old PMK and PTK EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE and in "radiusd -X": (6) eap_tls: Creating attributes from certificate OIDs (6) eap_tls: TLS-Client-Cert-Serial := "01" (6) eap_tls: TLS-Client-Cert-Expiration := "280414075944Z" (6) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org" (6) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (6) eap_tls: TLS-Client-Cert-Common-Name := "Example Certificate Authority" (6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose (6) eap_tls: >>> send TLS 1.2 [length 0002] (6) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (6) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed (6) eap_tls: ERROR: System call (I/O) error (-1) (6) eap_tls: ERROR: TLS receive handshake failed during operation (6) eap_tls: ERROR: [eaptls process] = fail (6) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 6 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # authenticate = invalid Regards, Nick On 17/04/2018 09:46, Nick Howitt wrote:
I am having problems with the server certificate. If I create a server certificate without the XP Extensions, using eapol_test I can get a validation success, but Windows clients give an 0x80420101 error. If I redo the certificates with the XP Extensions I see the following in the certificate: X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points:
Full Name: URI:http://www.example.com/example_ca.crl
But eapol_test ends in failure with the following part way through:
TLS: Certificate verification failed, error 7 (certificate signature failure) depth 0 for '/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org' CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org' err='certificate signature failure' EAP: Status notification: remote certificate verification (param=certificate signature failure)
and "radiusd -X gives:
(29) eap_tls: Done initial handshake (29) eap_tls: <<< recv TLS 1.2 [length 0002] (29) eap_tls: ERROR: TLS Alert read:fatal:decrypt error (29) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (29) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read) (29) eap_tls: ERROR: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error (29) eap_tls: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (29) eap_tls: ERROR: System call (I/O) error (-1) (29) eap_tls: ERROR: TLS receive handshake failed during operation (29) eap_tls: ERROR: [eaptls process] = fail (29) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (29) eap: Sending EAP Failure (code 4) ID 5 length 4
Do you know what I'm doing wrong?
TIA, Nick
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick@howitts.co.uk> wrote:
Replying to my own post.
There was a permission problem which I've now fixed, but I still get failure: eapol_test:
(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose
That means that the certificate hierarchy is wrong. i.e. cert A has created cert B, but cert A doesn't have OIDs which say it's allowed to create sub-certificates. Newer versions of OpenSSL check these settings. Older versions of OpenSSL didn't do that. How did you create the certificates? The scripts in the raddb/certs directory should work, so using those would probably help. Alan DeKok.
On 17/04/2018 13:55, Alan DeKok wrote:
On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick@howitts.co.uk> wrote:
Replying to my own post.
There was a permission problem which I've now fixed, but I still get failure: eapol_test:
(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose That means that the certificate hierarchy is wrong. i.e. cert A has created cert B, but cert A doesn't have OIDs which say it's allowed to create sub-certificates.
Newer versions of OpenSSL check these settings. Older versions of OpenSSL didn't do that.
How did you create the certificates? The scripts in the raddb/certs directory should work, so using those would probably help.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks for the reply. The distro, ClearOS is working in a slightly funny way. The CA is created from (adjusted expanding the variables with the config file): openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days /etc/raddb/certs/ca.cnf | sed 's/.*=//;s/^ *//'` -config /etc/raddb/certs/ca.cnf
It is a little tortuous with how it gets here, but it is using the default ca.cnf file using freeradius-3.0.13-8.el7_4.x86_64. Checking the generated CA, I see: X509v3 Basic Constraints: critical CA:TRUE Nick
On 17/04/2018 14:35, Nick Howitt wrote:
On 17/04/2018 13:55, Alan DeKok wrote:
On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick@howitts.co.uk> wrote:
Replying to my own post.
There was a permission problem which I've now fixed, but I still get failure: eapol_test:
(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose That means that the certificate hierarchy is wrong. i.e. cert A has created cert B, but cert A doesn't have OIDs which say it's allowed to create sub-certificates.
Newer versions of OpenSSL check these settings. Older versions of OpenSSL didn't do that.
How did you create the certificates? The scripts in the raddb/certs directory should work, so using those would probably help.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks for the reply. The distro, ClearOS is working in a slightly funny way. The CA is created from (adjusted expanding the variables with the config file): openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days /etc/raddb/certs/ca.cnf | sed 's/.*=//;s/^ *//'` -config /etc/raddb/certs/ca.cnf
It is a little tortuous with how it gets here, but it is using the default ca.cnf file using freeradius-3.0.13-8.el7_4.x86_64. Checking the generated CA, I see: X509v3 Basic Constraints: critical CA:TRUE
Nick
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Alan, I've reverted the set up to use the standard Freeradius certs and I've been through the certs README, deleting all certificates and recreating the ca.pem and server certs (btw I think the order in the README is wrong as you need to create the server.csr before the server.pem) and I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose" issue when running eapol_test with the new certs. If I remove the "-extensions xpserver_ext -extfile xpextensions" from the makefile and recreate the server.pem, the eapol_test passes but presumably the certs will be rejected by M$ Windows. Regards, Nick
Hi,
I've reverted the set up to use the standard Freeradius certs and I've been through the certs README, deleting all certificates and recreating the ca.pem and server certs (btw I think the order in the README is wrong as you need to create the server.csr before the server.pem) and I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose" issue when running eapol_test with the new certs.
Can you paste both the CA's and the server's PEM representation into a mail on the list? Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On 18/04/2018 12:23, Stefan Winter wrote:
Hi,
I've reverted the set up to use the standard Freeradius certs and I've been through the certs README, deleting all certificates and recreating the ca.pem and server certs (btw I think the order in the README is wrong as you need to create the server.csr before the server.pem) and I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose" issue when running eapol_test with the new certs. Can you paste both the CA's and the server's PEM representation into a mail on the list?
Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I've just recreated them as I had to remove the extension for testing. Note I have increased the validity of both in the cnf files to 3650d; everything else is at default. From "history": 994 cd /etc/raddb/certs 995 rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* 996 make ca.pem 997 server.csr 998 make server.csr 999 make server.pem 1000 openssl x509 -text -noout -in server.pem 1001 history
ca.pem: -----BEGIN CERTIFICATE----- MIIE5DCCA8ygAwIBAgIJANMWAroiOxufMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTE4MDQxODExMjczM1oXDTI4MDQxNTExMjczM1owgZMxCzAJBgNVBAYTAkZSMQ8w DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC5jRl/IZsBPOvH1Vdua8yCt1NchL8j9aWAth7v z+mw7gG+pZegojz97M1+wQZiTeZwuR5XclAc/zpsv3u9stU+fR2hfMOBse9/bzaz wRUrhtN6kKPNGA0lMmbbNwus6AQnrgRXQOyvgmET0B+OHsVBqtWTGzq7IA7X0c5Y jcHj6zN4PwTg/2PfM59Ir2vcVO5hpLVYda0qK3GDoh8WfwpCvWgjt5YsFd7ARSUY Nf2hmHETzXSxx0tAFF+Hk/iFwXGeQFSXbrvh18Trgs3lmX4d0ehKXwgPjF4kY5IG 2yAjcTQWWGnoRE8fl9/yG6hBIOd6xNrabSIh2eiKreui1oZdAgMBAAGjggE3MIIB MzAdBgNVHQ4EFgQUOYtRuUCNkemvqYjtAokDb0sAHEYwgcgGA1UdIwSBwDCBvYAU OYtRuUCNkemvqYjtAokDb0sAHEahgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQ8wDQYD VQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBs ZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UE AwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDTFgK6IjsbnzAPBgNV HRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBs ZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBACfUwu20Djg4 Vz80P3Q5LtzLLQ+M8ndEn8QaWDEbQKP60Wlj3nD3FT+jCNovov2xgH18z2d6q2bE vqCN8884Sy0xIjuROwPhG1CFJ4oJ9rJmcjKqBcpr81UiM0hCf2OqLFPCHZRfAjMb RMmF0Vf3Cb/44Xqf10zYLe1fT++3Kj3QYGgn2YKVkmB++XH4FRux2pNoeImlKaP3 78KZB4GobraydEpxGJbvoD58TJ7/b1NGlPFgaC07aDZLhSfiSsRoN0Dt95VOZpWO vSxh8Yv6h9g9kxU6Nx0Up0LS23qvWcIhkbQkF0H7gQ2ECH6UN4CNdNvpLPPX5kjZ 0eCj1CL9j4g= -----END CERTIFICATE----- server.pem: Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority -----BEGIN CERTIFICATE----- MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODA0MTgx MTI4MDhaFw0yODA0MTUxMTI4MDhaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAY39TBW76KKMYQ3 CSeXT7PtoRB1FtWKE1qVKRQOP2y/I9hSBJxbknKdhcpE3diORoWKh0qwjFKY+7as Ehq9zVELbcO7fvTT663Cn9uBIwQ517RMJZjf6ks7N3LB9nmwi2iC0lmq/OS8mMNF hZdK2QfWoDxRwBcT0z/WIrNJyYluJAtKISzejqP27rjh1ZI/WnxY/S+8VXdCwcR4 PtuyqSdOhC7q8EF8vIjG6H13G2V2/vmVrXQ7VokxWQ8F83vmRZVC2vcgYd5Qp813 /7YVL6C5g6CJgbz7AcJVwmT5P1W7xY9lOCz7bavdbPGewV7kONxQQrub+ZdKrJKX uP13GwIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0GCSqG SIb3DQEBCwUAA4IBAQBBTf/njNLVZdM4ZoLQnO+GLLTN335PXGL4ufYtA38kncQJ doSGaJTKllJdqCs+CRwNGVd2LE7Ahx0Rfj3m0J9YRmGzd5fdHRoWyqbED4nIrswd ErhTbM7e34GnyhXeFcFYdEH8kczysOsKzRFSBQQKkKg7dIxE9AUyB13wsMeWWEcQ DmINh6oan458/eXInqIvv7mc0JTJh+TuYFXYk738rSj6Tj4KloasG0rvCcTNmHWd ojouFuypcJQASPUvIfM6zkkdKtnTI4OJYbidy/rI6LcPj2m1MV7poGwibVhuxmcK jYb8EaNYormuKJ19HEXoKxLp5AM2wgDwCGae762k -----END CERTIFICATE----- Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 Key Attributes: <No Attributes> -----BEGIN ENCRYPTED PRIVATE KEY----- MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIDXoPxieDQy0CAggA MBQGCCqGSIb3DQMHBAhvyXKp13L/JASCBMiuLfezZw39A9Z9YppLHYfxh9rhBHm/ vgUUzsiybokGnXJOCa/W8noUOTL3xF0rdsZmjo+B/eoOAdMUyYBLAxZYbZOutlBH XFZhVxWdkT2H0+SWn2opT7sRIxWfjsSfZQDHYJ3YLng3kNkDjUaiet+3SVs/30j1 sobLZviGLftWqo5vnlWP6BpzvWruge0qFaSy3BMO5dF0G7J6ZHs1vnxseT9NUvHo p+z8di3P3fpv8cBnA4lA/4PPEeKw7A6vcklvilKlFzYoNbwQaoPRxyT7yRODbINs 44Ypd+agDRpxWjZoNKFLlEViCOkt2d6twU5ngi8u2Cy67NhhbuuXbPDUO25sAzAl myRwnEJkc77801fus8PncyAQlD1gyEiFaaMo4xSbJpa8de31Z6FLzpReLetRE+In 7gtXdHvSArkYP6KkveuywBZ3w73tmpQ8hFaP8fpf0/DbqQpMI2AWd1mYvmOMl4oW 6skl/Pw6HOrrpQEnFY22uvyhac6dlOghlbKRpXfM/IXqmkxBiM7oaOcCwk3D14++ 2rfQB7O9fbD/BceSbFgC9Q8yHEWTEh5q6075I27nYjvR3XOxgkMGty/X7nQ/pNLz YDw7zwW+RAQ5u23NNikrwXFBx9T8DjizpcMIR+3HK78XaVyyHBaek5OWXQpm/q3Z 89odhJVRhAE/zc+lW+r3HmT99TY7o2pPPboU/yJJSpNimYiBJdAYgHOS58Cs5WW0 6dKvZl9LLfWJ6xgvxcf6wXsSLQyErkorAwuI2gL8jx5CKAmGKWICmhggzOhNNTEX RUzXMaqjwEH3pvr9/431U5xscuFf6JKveqUVEDDkRAV7IEaCxr1uCBlpTGjx/ltQ 0WRyTos1Zmfxru3qSUm4Xltwl9ZMJs5VInw6wl1hOK4ktIVPuZ2/okkbiF6bsYyt fvCaBZyOn9rBnPcMD7gx8Q5wPqMXipDKhgciN90b5kG3OI26pFz4u7YsTKclXrFC pDn86/t8twBtP2ML4yl9XMfPcoIfWhDFmKZRHhSlfFM9d55PABD1Tg0CPE+/RdSq Ayh0xB/Iw9AVxJFK9LM8IJGCAgm+0Zw8nnIfJ6HJLCno8yIySpR7HfvxZpEAhdUv EUSkuMukkJUR0vNMmuNoJWXWaV4o+yZXIvB7wtwlFBbTjLddZtVZ45IRly8rmP7F V/8gz2QLTRVz9GJM46nPS9U+zTbTPPi/76r/sfrtW6Rwlt2cw0V29JrUNW0GNXig eZS0iS1P69VBOGLXRA95heteDoDcCnspuEQedD8nPdogOFRbBSR8REFFpxuZU7vf m9FdluJ+U5SwZUBu+QEIMZmOBtqxQAa7HThSVjMujUmdejl2irhVoL1V4X9rKbML 8VvOdkuhaNSp8v1PehYM2+P4GdDw8wSgOldpu1FcPXbA7q1ZVhXVOfLlPi/GCxcF jBGKCn7hcsp/55dNo68dLTaqB3KY5d64rn9gjEuBOHpGj2gn6RdrESaGGQnuGI0S 20cSEiAf3JqcBcPektjYNbiTpwsE0StiQQEdrT7Oo/lrZqPmu7yD32W/QKwSr/a6 IXOfcCSdMo9V7Iyti9LV/rfTkmXuUHetAtVQGJqdZjevSz5ct5UeLeGIuDGXDCsk cn4= -----END ENCRYPTED PRIVATE KEY----- It is a temporary cert so I don't mind publishing the key which is in the server.pem. Regards, Nick
Hi, well, I wouldn't have needed the private key, but ok :-) I have an openssl 1.0.2 on my box, which validates this server and CA against the purpose of TLS Server just fine (and as a counter-test, does not validate it as TLS Client): swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslclient server.pem server.pem: C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup:unsupported certificate purpose OK Compiling 1.1.0h, this still works: swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslclient server.pem C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup: unsupported certificate purpose error server.pem: verification failed swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl version OpenSSL 1.1.0h 27 Mar 2018 (but one can see that the failure test in 1.0.x was somewhat graceful ("OK") while 1.1.0 throws an actual error at the end) Which still leaves us at the question why things don't work for you with eapol_test. The first, obvious question: is eapol_test compiled to use openssl at all? Or is it using a different engine? If it's using openssl, what version of openssl is on the system? Is there anything ... peculiar in the wpa_supplicant.conf file regarding server cert validation? You could paste the file here, but without your password. I want it as little as I wanted the PEM key file, you know ;-) Greetings, Stefan Winter Am 18.04.2018 um 13:36 schrieb Nick Howitt:
On 18/04/2018 12:23, Stefan Winter wrote:
Hi,
I've reverted the set up to use the standard Freeradius certs and I've been through the certs README, deleting all certificates and recreating the ca.pem and server certs (btw I think the order in the README is wrong as you need to create the server.csr before the server.pem) and I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose" issue when running eapol_test with the new certs. Can you paste both the CA's and the server's PEM representation into a mail on the list?
Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I've just recreated them as I had to remove the extension for testing. Note I have increased the validity of both in the cnf files to 3650d; everything else is at default. From "history": 994 cd /etc/raddb/certs 995 rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* 996 make ca.pem 997 server.csr 998 make server.csr 999 make server.pem 1000 openssl x509 -text -noout -in server.pem 1001 history
ca.pem: -----BEGIN CERTIFICATE----- MIIE5DCCA8ygAwIBAgIJANMWAroiOxufMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTE4MDQxODExMjczM1oXDTI4MDQxNTExMjczM1owgZMxCzAJBgNVBAYTAkZSMQ8w DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC5jRl/IZsBPOvH1Vdua8yCt1NchL8j9aWAth7v z+mw7gG+pZegojz97M1+wQZiTeZwuR5XclAc/zpsv3u9stU+fR2hfMOBse9/bzaz wRUrhtN6kKPNGA0lMmbbNwus6AQnrgRXQOyvgmET0B+OHsVBqtWTGzq7IA7X0c5Y jcHj6zN4PwTg/2PfM59Ir2vcVO5hpLVYda0qK3GDoh8WfwpCvWgjt5YsFd7ARSUY Nf2hmHETzXSxx0tAFF+Hk/iFwXGeQFSXbrvh18Trgs3lmX4d0ehKXwgPjF4kY5IG 2yAjcTQWWGnoRE8fl9/yG6hBIOd6xNrabSIh2eiKreui1oZdAgMBAAGjggE3MIIB MzAdBgNVHQ4EFgQUOYtRuUCNkemvqYjtAokDb0sAHEYwgcgGA1UdIwSBwDCBvYAU OYtRuUCNkemvqYjtAokDb0sAHEahgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQ8wDQYD VQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBs ZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UE AwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDTFgK6IjsbnzAPBgNV HRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBs ZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBACfUwu20Djg4 Vz80P3Q5LtzLLQ+M8ndEn8QaWDEbQKP60Wlj3nD3FT+jCNovov2xgH18z2d6q2bE vqCN8884Sy0xIjuROwPhG1CFJ4oJ9rJmcjKqBcpr81UiM0hCf2OqLFPCHZRfAjMb RMmF0Vf3Cb/44Xqf10zYLe1fT++3Kj3QYGgn2YKVkmB++XH4FRux2pNoeImlKaP3 78KZB4GobraydEpxGJbvoD58TJ7/b1NGlPFgaC07aDZLhSfiSsRoN0Dt95VOZpWO vSxh8Yv6h9g9kxU6Nx0Up0LS23qvWcIhkbQkF0H7gQ2ECH6UN4CNdNvpLPPX5kjZ 0eCj1CL9j4g= -----END CERTIFICATE-----
server.pem: Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority -----BEGIN CERTIFICATE----- MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODA0MTgx MTI4MDhaFw0yODA0MTUxMTI4MDhaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAY39TBW76KKMYQ3 CSeXT7PtoRB1FtWKE1qVKRQOP2y/I9hSBJxbknKdhcpE3diORoWKh0qwjFKY+7as Ehq9zVELbcO7fvTT663Cn9uBIwQ517RMJZjf6ks7N3LB9nmwi2iC0lmq/OS8mMNF hZdK2QfWoDxRwBcT0z/WIrNJyYluJAtKISzejqP27rjh1ZI/WnxY/S+8VXdCwcR4 PtuyqSdOhC7q8EF8vIjG6H13G2V2/vmVrXQ7VokxWQ8F83vmRZVC2vcgYd5Qp813 /7YVL6C5g6CJgbz7AcJVwmT5P1W7xY9lOCz7bavdbPGewV7kONxQQrub+ZdKrJKX uP13GwIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0GCSqG SIb3DQEBCwUAA4IBAQBBTf/njNLVZdM4ZoLQnO+GLLTN335PXGL4ufYtA38kncQJ doSGaJTKllJdqCs+CRwNGVd2LE7Ahx0Rfj3m0J9YRmGzd5fdHRoWyqbED4nIrswd ErhTbM7e34GnyhXeFcFYdEH8kczysOsKzRFSBQQKkKg7dIxE9AUyB13wsMeWWEcQ DmINh6oan458/eXInqIvv7mc0JTJh+TuYFXYk738rSj6Tj4KloasG0rvCcTNmHWd ojouFuypcJQASPUvIfM6zkkdKtnTI4OJYbidy/rI6LcPj2m1MV7poGwibVhuxmcK jYb8EaNYormuKJ19HEXoKxLp5AM2wgDwCGae762k -----END CERTIFICATE----- Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 Key Attributes: <No Attributes> -----BEGIN ENCRYPTED PRIVATE KEY----- MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIDXoPxieDQy0CAggA MBQGCCqGSIb3DQMHBAhvyXKp13L/JASCBMiuLfezZw39A9Z9YppLHYfxh9rhBHm/ vgUUzsiybokGnXJOCa/W8noUOTL3xF0rdsZmjo+B/eoOAdMUyYBLAxZYbZOutlBH XFZhVxWdkT2H0+SWn2opT7sRIxWfjsSfZQDHYJ3YLng3kNkDjUaiet+3SVs/30j1 sobLZviGLftWqo5vnlWP6BpzvWruge0qFaSy3BMO5dF0G7J6ZHs1vnxseT9NUvHo p+z8di3P3fpv8cBnA4lA/4PPEeKw7A6vcklvilKlFzYoNbwQaoPRxyT7yRODbINs 44Ypd+agDRpxWjZoNKFLlEViCOkt2d6twU5ngi8u2Cy67NhhbuuXbPDUO25sAzAl myRwnEJkc77801fus8PncyAQlD1gyEiFaaMo4xSbJpa8de31Z6FLzpReLetRE+In 7gtXdHvSArkYP6KkveuywBZ3w73tmpQ8hFaP8fpf0/DbqQpMI2AWd1mYvmOMl4oW 6skl/Pw6HOrrpQEnFY22uvyhac6dlOghlbKRpXfM/IXqmkxBiM7oaOcCwk3D14++ 2rfQB7O9fbD/BceSbFgC9Q8yHEWTEh5q6075I27nYjvR3XOxgkMGty/X7nQ/pNLz YDw7zwW+RAQ5u23NNikrwXFBx9T8DjizpcMIR+3HK78XaVyyHBaek5OWXQpm/q3Z 89odhJVRhAE/zc+lW+r3HmT99TY7o2pPPboU/yJJSpNimYiBJdAYgHOS58Cs5WW0 6dKvZl9LLfWJ6xgvxcf6wXsSLQyErkorAwuI2gL8jx5CKAmGKWICmhggzOhNNTEX RUzXMaqjwEH3pvr9/431U5xscuFf6JKveqUVEDDkRAV7IEaCxr1uCBlpTGjx/ltQ 0WRyTos1Zmfxru3qSUm4Xltwl9ZMJs5VInw6wl1hOK4ktIVPuZ2/okkbiF6bsYyt fvCaBZyOn9rBnPcMD7gx8Q5wPqMXipDKhgciN90b5kG3OI26pFz4u7YsTKclXrFC pDn86/t8twBtP2ML4yl9XMfPcoIfWhDFmKZRHhSlfFM9d55PABD1Tg0CPE+/RdSq Ayh0xB/Iw9AVxJFK9LM8IJGCAgm+0Zw8nnIfJ6HJLCno8yIySpR7HfvxZpEAhdUv EUSkuMukkJUR0vNMmuNoJWXWaV4o+yZXIvB7wtwlFBbTjLddZtVZ45IRly8rmP7F V/8gz2QLTRVz9GJM46nPS9U+zTbTPPi/76r/sfrtW6Rwlt2cw0V29JrUNW0GNXig eZS0iS1P69VBOGLXRA95heteDoDcCnspuEQedD8nPdogOFRbBSR8REFFpxuZU7vf m9FdluJ+U5SwZUBu+QEIMZmOBtqxQAa7HThSVjMujUmdejl2irhVoL1V4X9rKbML 8VvOdkuhaNSp8v1PehYM2+P4GdDw8wSgOldpu1FcPXbA7q1ZVhXVOfLlPi/GCxcF jBGKCn7hcsp/55dNo68dLTaqB3KY5d64rn9gjEuBOHpGj2gn6RdrESaGGQnuGI0S 20cSEiAf3JqcBcPektjYNbiTpwsE0StiQQEdrT7Oo/lrZqPmu7yD32W/QKwSr/a6 IXOfcCSdMo9V7Iyti9LV/rfTkmXuUHetAtVQGJqdZjevSz5ct5UeLeGIuDGXDCsk cn4= -----END ENCRYPTED PRIVATE KEY-----
It is a temporary cert so I don't mind publishing the key which is in the server.pem. Regards, Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On 18/04/2018 15:03, Stefan Winter wrote:
Hi,
well, I wouldn't have needed the private key, but ok :-)
I have an openssl 1.0.2 on my box, which validates this server and CA against the purpose of TLS Server just fine (and as a counter-test, does not validate it as TLS Client):
swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslclient server.pem server.pem: C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup:unsupported certificate purpose OK
Compiling 1.1.0h, this still works:
swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslclient server.pem C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup: unsupported certificate purpose error server.pem: verification failed swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl version OpenSSL 1.1.0h 27 Mar 2018
(but one can see that the failure test in 1.0.x was somewhat graceful ("OK") while 1.1.0 throws an actual error at the end)
Which still leaves us at the question why things don't work for you with eapol_test.
The first, obvious question: is eapol_test compiled to use openssl at all? Or is it using a different engine?
If it's using openssl, what version of openssl is on the system?
Is there anything ... peculiar in the wpa_supplicant.conf file regarding server cert validation? You could paste the file here, but without your password. I want it as little as I wanted the PEM key file, you know ;-)
Greetings,
Stefan Winter
Am 18.04.2018 um 13:36 schrieb Nick Howitt:
On 18/04/2018 12:23, Stefan Winter wrote:
Hi,
I've reverted the set up to use the standard Freeradius certs and I've been through the certs README, deleting all certificates and recreating the ca.pem and server certs (btw I think the order in the README is wrong as you need to create the server.csr before the server.pem) and I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose" issue when running eapol_test with the new certs. Can you paste both the CA's and the server's PEM representation into a mail on the list?
Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I've just recreated them as I had to remove the extension for testing. Note I have increased the validity of both in the cnf files to 3650d; everything else is at default. From "history": 994 cd /etc/raddb/certs 995 rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* 996 make ca.pem 997 server.csr 998 make server.csr 999 make server.pem 1000 openssl x509 -text -noout -in server.pem 1001 history
ca.pem: -----BEGIN CERTIFICATE----- MIIE5DCCA8ygAwIBAgIJANMWAroiOxufMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTE4MDQxODExMjczM1oXDTI4MDQxNTExMjczM1owgZMxCzAJBgNVBAYTAkZSMQ8w DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC5jRl/IZsBPOvH1Vdua8yCt1NchL8j9aWAth7v z+mw7gG+pZegojz97M1+wQZiTeZwuR5XclAc/zpsv3u9stU+fR2hfMOBse9/bzaz wRUrhtN6kKPNGA0lMmbbNwus6AQnrgRXQOyvgmET0B+OHsVBqtWTGzq7IA7X0c5Y jcHj6zN4PwTg/2PfM59Ir2vcVO5hpLVYda0qK3GDoh8WfwpCvWgjt5YsFd7ARSUY Nf2hmHETzXSxx0tAFF+Hk/iFwXGeQFSXbrvh18Trgs3lmX4d0ehKXwgPjF4kY5IG 2yAjcTQWWGnoRE8fl9/yG6hBIOd6xNrabSIh2eiKreui1oZdAgMBAAGjggE3MIIB MzAdBgNVHQ4EFgQUOYtRuUCNkemvqYjtAokDb0sAHEYwgcgGA1UdIwSBwDCBvYAU OYtRuUCNkemvqYjtAokDb0sAHEahgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQ8wDQYD VQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBs ZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UE AwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDTFgK6IjsbnzAPBgNV HRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBs ZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBACfUwu20Djg4 Vz80P3Q5LtzLLQ+M8ndEn8QaWDEbQKP60Wlj3nD3FT+jCNovov2xgH18z2d6q2bE vqCN8884Sy0xIjuROwPhG1CFJ4oJ9rJmcjKqBcpr81UiM0hCf2OqLFPCHZRfAjMb RMmF0Vf3Cb/44Xqf10zYLe1fT++3Kj3QYGgn2YKVkmB++XH4FRux2pNoeImlKaP3 78KZB4GobraydEpxGJbvoD58TJ7/b1NGlPFgaC07aDZLhSfiSsRoN0Dt95VOZpWO vSxh8Yv6h9g9kxU6Nx0Up0LS23qvWcIhkbQkF0H7gQ2ECH6UN4CNdNvpLPPX5kjZ 0eCj1CL9j4g= -----END CERTIFICATE-----
server.pem: Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority -----BEGIN CERTIFICATE----- MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODA0MTgx MTI4MDhaFw0yODA0MTUxMTI4MDhaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAY39TBW76KKMYQ3 CSeXT7PtoRB1FtWKE1qVKRQOP2y/I9hSBJxbknKdhcpE3diORoWKh0qwjFKY+7as Ehq9zVELbcO7fvTT663Cn9uBIwQ517RMJZjf6ks7N3LB9nmwi2iC0lmq/OS8mMNF hZdK2QfWoDxRwBcT0z/WIrNJyYluJAtKISzejqP27rjh1ZI/WnxY/S+8VXdCwcR4 PtuyqSdOhC7q8EF8vIjG6H13G2V2/vmVrXQ7VokxWQ8F83vmRZVC2vcgYd5Qp813 /7YVL6C5g6CJgbz7AcJVwmT5P1W7xY9lOCz7bavdbPGewV7kONxQQrub+ZdKrJKX uP13GwIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0GCSqG SIb3DQEBCwUAA4IBAQBBTf/njNLVZdM4ZoLQnO+GLLTN335PXGL4ufYtA38kncQJ doSGaJTKllJdqCs+CRwNGVd2LE7Ahx0Rfj3m0J9YRmGzd5fdHRoWyqbED4nIrswd ErhTbM7e34GnyhXeFcFYdEH8kczysOsKzRFSBQQKkKg7dIxE9AUyB13wsMeWWEcQ DmINh6oan458/eXInqIvv7mc0JTJh+TuYFXYk738rSj6Tj4KloasG0rvCcTNmHWd ojouFuypcJQASPUvIfM6zkkdKtnTI4OJYbidy/rI6LcPj2m1MV7poGwibVhuxmcK jYb8EaNYormuKJ19HEXoKxLp5AM2wgDwCGae762k -----END CERTIFICATE-----
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html [root@7 certs]# rpm -q openssl openssl-1.0.2k-8.el7.x86_64
I don't have wpa_supplicant installed on the system so no wpa_supplicant.conf. In order to get eapol_test I pulled down the latest 2.6 sources and ran make following the instructions at http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/. I was under the impression that eapol_test was not compiled in the distro, but I've just been checking and I think I have been incorrectly informed. I'll install wpa_supplicant and test again. FWIW it is not eapol_test which is giving the certificate error but "radiusd -X". BTW you only got the key because it is in the pem file so I was not sure if you wanted the whole file or just the certificate part Nick
On 18/04/2018 15:39, Nick Howitt wrote:
On 18/04/2018 15:03, Stefan Winter wrote:
Hi,
well, I wouldn't have needed the private key, but ok :-)
I have an openssl 1.0.2 on my box, which validates this server and CA against the purpose of TLS Server just fine (and as a counter-test, does not validate it as TLS Client):
swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslclient server.pem server.pem: C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup:unsupported certificate purpose OK
Compiling 1.1.0h, this still works:
swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslclient server.pem C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup: unsupported certificate purpose error server.pem: verification failed swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl version OpenSSL 1.1.0h 27 Mar 2018
(but one can see that the failure test in 1.0.x was somewhat graceful ("OK") while 1.1.0 throws an actual error at the end)
Which still leaves us at the question why things don't work for you with eapol_test.
The first, obvious question: is eapol_test compiled to use openssl at all? Or is it using a different engine?
If it's using openssl, what version of openssl is on the system?
Is there anything ... peculiar in the wpa_supplicant.conf file regarding server cert validation? You could paste the file here, but without your password. I want it as little as I wanted the PEM key file, you know ;-)
Greetings,
Stefan Winter
Am 18.04.2018 um 13:36 schrieb Nick Howitt:
On 18/04/2018 12:23, Stefan Winter wrote:
Hi,
I've reverted the set up to use the standard Freeradius certs and I've been through the certs README, deleting all certificates and recreating the ca.pem and server certs (btw I think the order in the README is wrong as you need to create the server.csr before the server.pem) and I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose" issue when running eapol_test with the new certs. Can you paste both the CA's and the server's PEM representation into a mail on the list?
Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I've just recreated them as I had to remove the extension for testing. Note I have increased the validity of both in the cnf files to 3650d; everything else is at default. From "history": 994 cd /etc/raddb/certs 995 rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* 996 make ca.pem 997 server.csr 998 make server.csr 999 make server.pem 1000 openssl x509 -text -noout -in server.pem 1001 history
ca.pem: -----BEGIN CERTIFICATE----- MIIE5DCCA8ygAwIBAgIJANMWAroiOxufMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTE4MDQxODExMjczM1oXDTI4MDQxNTExMjczM1owgZMxCzAJBgNVBAYTAkZSMQ8w DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC5jRl/IZsBPOvH1Vdua8yCt1NchL8j9aWAth7v z+mw7gG+pZegojz97M1+wQZiTeZwuR5XclAc/zpsv3u9stU+fR2hfMOBse9/bzaz wRUrhtN6kKPNGA0lMmbbNwus6AQnrgRXQOyvgmET0B+OHsVBqtWTGzq7IA7X0c5Y jcHj6zN4PwTg/2PfM59Ir2vcVO5hpLVYda0qK3GDoh8WfwpCvWgjt5YsFd7ARSUY Nf2hmHETzXSxx0tAFF+Hk/iFwXGeQFSXbrvh18Trgs3lmX4d0ehKXwgPjF4kY5IG 2yAjcTQWWGnoRE8fl9/yG6hBIOd6xNrabSIh2eiKreui1oZdAgMBAAGjggE3MIIB MzAdBgNVHQ4EFgQUOYtRuUCNkemvqYjtAokDb0sAHEYwgcgGA1UdIwSBwDCBvYAU OYtRuUCNkemvqYjtAokDb0sAHEahgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQ8wDQYD VQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBs ZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UE AwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDTFgK6IjsbnzAPBgNV HRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBs ZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBACfUwu20Djg4 Vz80P3Q5LtzLLQ+M8ndEn8QaWDEbQKP60Wlj3nD3FT+jCNovov2xgH18z2d6q2bE vqCN8884Sy0xIjuROwPhG1CFJ4oJ9rJmcjKqBcpr81UiM0hCf2OqLFPCHZRfAjMb RMmF0Vf3Cb/44Xqf10zYLe1fT++3Kj3QYGgn2YKVkmB++XH4FRux2pNoeImlKaP3 78KZB4GobraydEpxGJbvoD58TJ7/b1NGlPFgaC07aDZLhSfiSsRoN0Dt95VOZpWO vSxh8Yv6h9g9kxU6Nx0Up0LS23qvWcIhkbQkF0H7gQ2ECH6UN4CNdNvpLPPX5kjZ 0eCj1CL9j4g= -----END CERTIFICATE-----
server.pem: Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority -----BEGIN CERTIFICATE----- MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODA0MTgx MTI4MDhaFw0yODA0MTUxMTI4MDhaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAY39TBW76KKMYQ3 CSeXT7PtoRB1FtWKE1qVKRQOP2y/I9hSBJxbknKdhcpE3diORoWKh0qwjFKY+7as Ehq9zVELbcO7fvTT663Cn9uBIwQ517RMJZjf6ks7N3LB9nmwi2iC0lmq/OS8mMNF hZdK2QfWoDxRwBcT0z/WIrNJyYluJAtKISzejqP27rjh1ZI/WnxY/S+8VXdCwcR4 PtuyqSdOhC7q8EF8vIjG6H13G2V2/vmVrXQ7VokxWQ8F83vmRZVC2vcgYd5Qp813 /7YVL6C5g6CJgbz7AcJVwmT5P1W7xY9lOCz7bavdbPGewV7kONxQQrub+ZdKrJKX uP13GwIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0GCSqG SIb3DQEBCwUAA4IBAQBBTf/njNLVZdM4ZoLQnO+GLLTN335PXGL4ufYtA38kncQJ doSGaJTKllJdqCs+CRwNGVd2LE7Ahx0Rfj3m0J9YRmGzd5fdHRoWyqbED4nIrswd ErhTbM7e34GnyhXeFcFYdEH8kczysOsKzRFSBQQKkKg7dIxE9AUyB13wsMeWWEcQ DmINh6oan458/eXInqIvv7mc0JTJh+TuYFXYk738rSj6Tj4KloasG0rvCcTNmHWd ojouFuypcJQASPUvIfM6zkkdKtnTI4OJYbidy/rI6LcPj2m1MV7poGwibVhuxmcK jYb8EaNYormuKJ19HEXoKxLp5AM2wgDwCGae762k -----END CERTIFICATE-----
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html [root@7 certs]# rpm -q openssl openssl-1.0.2k-8.el7.x86_64
I don't have wpa_supplicant installed on the system so no wpa_supplicant.conf. In order to get eapol_test I pulled down the latest 2.6 sources and ran make following the instructions at http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/. I was under the impression that eapol_test was not compiled in the distro, but I've just been checking and I think I have been incorrectly informed. I'll install wpa_supplicant and test again.
FWIW it is not eapol_test which is giving the certificate error but "radiusd -X".
BTW you only got the key because it is in the pem file so I was not sure if you wanted the whole file or just the certificate part
Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"radiusd -X" still errors with the Centos wpa_supplicant-2.6-5.el7_4.1.x86_64 installed with a default wpa_supplicant.conf: ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel
Hello, On 18.04.18 17:03, Nick Howitt wrote:
[root@7 certs]# rpm -q openssl openssl-1.0.2k-8.el7.x86_64
I don't have wpa_supplicant installed on the system so no wpa_supplicant.conf. In order to get eapol_test I pulled down the latest 2.6 sources and ran make following the instructions at http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/. I was under the impression that eapol_test was not compiled in the distro, but I've just been checking and I think I have been incorrectly informed. I'll install wpa_supplicant and test again.
FWIW it is not eapol_test which is giving the certificate error but "radiusd -X".
BTW you only got the key because it is in the pem file so I was not sure if you wanted the whole file or just the certificate part
Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "radiusd -X" still errors with the Centos wpa_supplicant-2.6-5.el7_4.1.x86_64 installed with a default wpa_supplicant.conf: ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel
Now that's something to investigate. AFAIK, FreeRADIUS sends the certificate it has in config to the client. It doesn't check anything special (beyond well-formedness of the PEM file). The error you are seeing in freeradius -X is most likely because FreeRADIUS /receives/ this error message from the /client/. If it were a genuine error inside FreeRADIUS, things wouldn't work for Windows clients. So you should probably take a very close look at eapol_test's debug output. If it is the one rejecting the incoming TLS server cert, then it will print out something. If you're unlucky, it will just print the same error message it is afterwards also sending to the server, but with a bit of luck there is a bit more detail on its side. You aren't by any chance doing this work for an eduroam participant? If so, our compliance check tools could be unleashed on the IdP FreeRADIUS; I'd only need to know the realm then. Also, eapol_test is part of the wpa_supplicant suite (but indeed not compiled by all distros). So your self-compiled version was just as good as the distro-supplied you now have. And the wpa_supplicant.conf is also being considered when using eapol_test. I'm surprised you get an EAP conversation going with a config file that has only two lines? You are relying on plentiful of defaults there. You would usually need to configure at least a username to use for the login attempt? Where do you supply that? Greetings, Stefan Winter Greetings, Stefan Winter
eapol_test never used to be part of the installed wpa_supplicant package but various distros have changed their policy and now provide it (after tickets being submitted from people like myself). Freeradius comes with several config scripts that can be used with eapol_test (in src/test) alan On Thu, 19 Apr 2018, 18:12 Stefan Winter, <stefan.winter@restena.lu> wrote:
Hello,
On 18.04.18 17:03, Nick Howitt wrote:
[root@7 certs]# rpm -q openssl openssl-1.0.2k-8.el7.x86_64
I don't have wpa_supplicant installed on the system so no wpa_supplicant.conf. In order to get eapol_test I pulled down the latest 2.6 sources and ran make following the instructions at http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/ . I was under the impression that eapol_test was not compiled in the distro, but I've just been checking and I think I have been incorrectly informed. I'll install wpa_supplicant and test again.
FWIW it is not eapol_test which is giving the certificate error but "radiusd -X".
BTW you only got the key because it is in the pem file so I was not sure if you wanted the whole file or just the certificate part
Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "radiusd -X" still errors with the Centos wpa_supplicant-2.6-5.el7_4.1.x86_64 installed with a default wpa_supplicant.conf: ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel
Now that's something to investigate.
AFAIK, FreeRADIUS sends the certificate it has in config to the client. It doesn't check anything special (beyond well-formedness of the PEM file).
The error you are seeing in freeradius -X is most likely because FreeRADIUS /receives/ this error message from the /client/.
If it were a genuine error inside FreeRADIUS, things wouldn't work for Windows clients.
So you should probably take a very close look at eapol_test's debug output. If it is the one rejecting the incoming TLS server cert, then it will print out something. If you're unlucky, it will just print the same error message it is afterwards also sending to the server, but with a bit of luck there is a bit more detail on its side.
You aren't by any chance doing this work for an eduroam participant? If so, our compliance check tools could be unleashed on the IdP FreeRADIUS; I'd only need to know the realm then.
Also, eapol_test is part of the wpa_supplicant suite (but indeed not compiled by all distros). So your self-compiled version was just as good as the distro-supplied you now have.
And the wpa_supplicant.conf is also being considered when using eapol_test. I'm surprised you get an EAP conversation going with a config file that has only two lines? You are relying on plentiful of defaults there. You would usually need to configure at least a username to use for the login attempt? Where do you supply that?
Greetings,
Stefan Winter
Greetings,
Stefan Winter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 19/04/2018 19:28, Alan Buxey wrote:
> eapol_test never used to be part of the installed wpa_supplicant package
> but various distros have changed their policy and now provide it (after
> tickets being submitted from people like myself).
>
> Freeradius comes with several config scripts that can be used with
> eapol_test (in src/test)
>
> alan
>
> On Thu, 19 Apr 2018, 18:12 Stefan Winter, <stefan.winter@restena.lu> wrote:
>
>> Hello,
>>
>> Now that's something to investigate.
>>
>> AFAIK, FreeRADIUS sends the certificate it has in config to the client.
>> It doesn't check anything special (beyond well-formedness of the PEM file).
>>
>> The error you are seeing in freeradius -X is most likely because
>> FreeRADIUS /receives/ this error message from the /client/.
>>
>> If it were a genuine error inside FreeRADIUS, things wouldn't work for
>> Windows clients.
>>
>> So you should probably take a very close look at eapol_test's debug
>> output. If it is the one rejecting the incoming TLS server cert, then it
>> will print out something. If you're unlucky, it will just print the same
>> error message it is afterwards also sending to the server, but with a
>> bit of luck there is a bit more detail on its side.
>>
>> You aren't by any chance doing this work for an eduroam participant? If
>> so, our compliance check tools could be unleashed on the IdP FreeRADIUS;
>> I'd only need to know the realm then.
>>
>> Also, eapol_test is part of the wpa_supplicant suite (but indeed not
>> compiled by all distros). So your self-compiled version was just as good
>> as the distro-supplied you now have.
>>
>> And the wpa_supplicant.conf is also being considered when using
>> eapol_test. I'm surprised you get an EAP conversation going with a
>> config file that has only two lines? You are relying on plentiful of
>> defaults there. You would usually need to configure at least a username
>> to use for the login attempt? Where do you supply that?
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> Greetings,
>>
>> Stefan Winter
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This is all my bad as I try to deconstruct what my distro is doing.
First to answer some of your queries, I am running eapol_test with the
following command:
eapol_test -a10.0.2.15 -p1812 -sSEKRET
-ceapol_test-eaptls-standard.conf -r0
and the conf file contains:
network={
ssid="DoesNotMatterForThisTest"
key_mgmt=WPA-EAP
eap=TLS
identity="test"
password="test"
ca_cert="/etc/raddb/certs/ca.pem"
client_cert="/etc/raddb/certs/test@example.org.pem"
private_key="/etc/raddb/certs/test@example.org.pem"
private_key_passwd="whatever"
eapol_flags=3
}
It is now working correctly. The problem I had was that the distro does
not create a client.pem in its own certificate structure so I was
linking to the server.pem and this worked fine without the certificate
extensions. When I flipped back to the default installation and certs I
was still pointing my client cert to the server.pem file albeit in the
correct folder. Changing it to the correct client.pem and all works. So
a big sorry for wasting your time.
But if you can help me with my other issue I'd really appreciate it. In
a domain environment, the user_name appears as "user/machine.domain" and
for the life of me I cannot find out how to strip the machine.domain
off. Bear in mind the "machine" changes with every client so it could be
laptop1.domain or desktopXYZ.domain. From other posts it seems like I
need to use proxy.conf but I can't work out how. Even if I hardcode a
realm as machine.domain, it does not seem to strip it with:
realm machine.domain {
auth_pool = my_auth_failover
}
I've also seen a reference to a LOCAL realm but I don't understand
what to do with it.
Nick
On 19/04/2018 20:40, Nick Howitt wrote:
>
>
> On 19/04/2018 19:28, Alan Buxey wrote:
>> eapol_test never used to be part of the installed wpa_supplicant package
>> but various distros have changed their policy and now provide it (after
>> tickets being submitted from people like myself).
>>
>> Freeradius comes with several config scripts that can be used with
>> eapol_test (in src/test)
>>
>> alan
>>
>> On Thu, 19 Apr 2018, 18:12 Stefan Winter, <stefan.winter@restena.lu>
>> wrote:
>>
>>> Hello,
>>>
>>> Now that's something to investigate.
>>>
>>> AFAIK, FreeRADIUS sends the certificate it has in config to the client.
>>> It doesn't check anything special (beyond well-formedness of the PEM
>>> file).
>>>
>>> The error you are seeing in freeradius -X is most likely because
>>> FreeRADIUS /receives/ this error message from the /client/.
>>>
>>> If it were a genuine error inside FreeRADIUS, things wouldn't work for
>>> Windows clients.
>>>
>>> So you should probably take a very close look at eapol_test's debug
>>> output. If it is the one rejecting the incoming TLS server cert,
>>> then it
>>> will print out something. If you're unlucky, it will just print the
>>> same
>>> error message it is afterwards also sending to the server, but with a
>>> bit of luck there is a bit more detail on its side.
>>>
>>> You aren't by any chance doing this work for an eduroam participant? If
>>> so, our compliance check tools could be unleashed on the IdP
>>> FreeRADIUS;
>>> I'd only need to know the realm then.
>>>
>>> Also, eapol_test is part of the wpa_supplicant suite (but indeed not
>>> compiled by all distros). So your self-compiled version was just as
>>> good
>>> as the distro-supplied you now have.
>>>
>>> And the wpa_supplicant.conf is also being considered when using
>>> eapol_test. I'm surprised you get an EAP conversation going with a
>>> config file that has only two lines? You are relying on plentiful of
>>> defaults there. You would usually need to configure at least a username
>>> to use for the login attempt? Where do you supply that?
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> This is all my bad as I try to deconstruct what my distro is doing.
> First to answer some of your queries, I am running eapol_test with the
> following command:
>
> eapol_test -a10.0.2.15 -p1812 -sSEKRET
> -ceapol_test-eaptls-standard.conf -r0
>
> and the conf file contains:
>
> network={
> ssid="DoesNotMatterForThisTest"
> key_mgmt=WPA-EAP
> eap=TLS
> identity="test"
> password="test"
> ca_cert="/etc/raddb/certs/ca.pem"
> client_cert="/etc/raddb/certs/test@example.org.pem"
> private_key="/etc/raddb/certs/test@example.org.pem"
> private_key_passwd="whatever"
> eapol_flags=3
> }
>
> It is now working correctly. The problem I had was that the distro
> does not create a client.pem in its own certificate structure so I was
> linking to the server.pem and this worked fine without the certificate
> extensions. When I flipped back to the default installation and certs
> I was still pointing my client cert to the server.pem file albeit in
> the correct folder. Changing it to the correct client.pem and all
> works. So a big sorry for wasting your time.
>
> But if you can help me with my other issue I'd really appreciate it.
> In a domain environment, the user_name appears as
> "user/machine.domain" and for the life of me I cannot find out how to
> strip the machine.domain off. Bear in mind the "machine" changes with
> every client so it could be laptop1.domain or desktopXYZ.domain. From
> other posts it seems like I need to use proxy.conf but I can't work
> out how. Even if I hardcode a realm as machine.domain, it does not
> seem to strip it with:
>
> realm machine.domain {
> auth_pool = my_auth_failover
> }
>
> I've also seen a reference to a LOCAL realm but I don't understand
> what to do with it.
>
> Nick
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Oh and I know nothing about eduroam. I am interested in the ClearOS
distro where the installation script is not doing as expected (so I am
debugging it) and we can achieve a simple login but not a domain login.
participants (5)
-
Alan Buxey -
Alan DeKok -
Marek Zarychta -
Nick Howitt -
Stefan Winter