No luck connecting from a ZyXEL NWA3160-N AP
Hi everybody I am running a freshly compiled FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Oct 31 2012 at 16:56:00 Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. authenticating against a MySQL database appeast to work fine using radtest luna:/usr/local/etc/raddb # radtest test 1234 localhost 1812 testing123 Sending Access-Request of id 104 to 127.0.0.1 port 1812 User-Name = "test" User-Password = "1234" NAS-IP-Address = 194.124.158.51 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=104, length=20 I connected a ZyXEL NWA 3160-N (latest Firmware), generated a certificate request, signed it using XCA and reimported it on the AP. I also installed a certificate signed by the same CA in the ..../raddb/certs directory and of course the CA cert to be able to verify the client cert. If I try now to connect to the AP using the same credentials as before, I am getting the following in the output of radiusd -X .... Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/luna.think.ch.key" certificate_file = "/usr/local/etc/raddb/certs/luna.think.ch.pem" CA_file = "/usr/local/etc/raddb/certs/Think_CA.pem" private_key_password = "" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } ..... Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 194.124.158.62 port 59115 EAP-Message = 0x0102001604106133379bfac030f9a2efcf9a2e3e9641 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2c33890c2e3790fae8bf762d1a9802 Finished request 0. Waking up in 4.9 seconds. Going to the next request rad_recv: Access-Request packet from host 194.124.158.62 port 59115, id=8, length=162 User-Name = "test" NAS-Port = 0 Called-Station-Id = "50-67-F0-38-A9-E5:ZyXEL" Vendor-Specific = 0x000000000402 Calling-Station-Id = "74-F0-6D-07-9B-91" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020200060319 State = 0x0c2c33890c2e3790fae8bf762d1a9802 Message-Authenticator = 0x2ad76dbb03af18776e0c10b36df81895 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ...... ...... ...... [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca ..... There appears to be something wrong with the client certificate passed by the AP in the eap conversation. I doublechecked the certificates and googled my fingers raw on this. This is the server cert luna:/usr/local/etc/raddb/certs # openssl x509 -in luna.think.ch.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 29 (0x1d) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=ca@think.ch Validity Not Before: Nov 2 00:00:00 2012 GMT Not After : Sep 14 23:59:59 2014 GMT Subject: C=CH, L=Stallikon, O=THINK, OU=Mail Service, CN=luna.think.ch .... and the client cert luna:/usr/local/etc/raddb/certs # openssl x509 -in 194.124.158.62.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 28 (0x1c) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=ca@think.ch Validity Not Before: Nov 1 00:00:00 2012 GMT Not After : Oct 31 23:59:59 2013 GMT Subject: C=CH, L=Stallikon, O=THINK, OU=AP, CN=194.124.158.62 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) ..... and the CA cert luna:/usr/local/etc/raddb/certs # openssl x509 -in Think_CA.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=ca@think.ch Validity Not Before: Sep 16 17:00:07 2004 GMT Not After : Sep 14 17:00:07 2014 GMT Subject: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=ca@think.ch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) ... If you need the full output of radiusd, let me know. Maybe someone can give me a push in the right direction. Thanks Erich Titl
On 02/11/12 14:56, Erich Titl wrote:
authenticating against a MySQL database appeast to work fine using radtest
This is not really a good test. radtest is sending "pap". Download the "wpa_supplicant" sources and compile "eapol_test".
I connected a ZyXEL NWA 3160-N (latest Firmware), generated a certificate request, signed it using XCA and reimported it on the AP.
Why does the AP need a cert?
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca .....
There appears to be something wrong with the client certificate passed by the AP in the eap conversation. I doublechecked the certificates and googled my fingers raw on this.
No. This is a message *from* the client saying it doesn't trust the *radius server* certificate. You haven't imported your CA on the client properly.
Hi Phil on 02.11.2012 16:10, Phil Mayers wrote:
On 02/11/12 14:56, Erich Titl wrote:
authenticating against a MySQL database appeast to work fine using radtest
This is not really a good test. radtest is sending "pap".
Download the "wpa_supplicant" sources and compile "eapol_test".
I connected a ZyXEL NWA 3160-N (latest Firmware), generated a certificate request, signed it using XCA and reimported it on the AP.
Why does the AP need a cert?
IMHO it does not, but it has one
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca .....
There appears to be something wrong with the client certificate passed by the AP in the eap conversation. I doublechecked the certificates and googled my fingers raw on this.
No. This is a message *from* the client saying it doesn't trust the *radius server* certificate.
Ahhhh... very interesting, so the client rejects the certificate
You haven't imported your CA on the client properly.
Mhhhh.... sounds reasonable, just that the AP does not appear to want to import the CA cert, because it wants a corresponding cert request. Thanks a lot, this appears to be just the push that I needed. Erich
participants (2)
-
Erich Titl -
Phil Mayers