EAP-TLS authentication error

Rafiqul Ahsan rafiqul.ahsan at gmail.com
Sun Dec 17 02:33:23 CET 2006


Hi All,

I am using wpa_supplicant-0.5.5 against freeradius v1.1.3. I am getting the
following error:

TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap: SSL error error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
rlm_eap_tls: BIO_read failed inside of TLS (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 23
modcall: leaving group authenticate (returns reject) for request 23
auth: Failed to validate the user.
Login incorrect: [rafi/<no User-Password attribute>] (from client 192.168.1.102 port 19801 cli )
Delaying request 23 for 2 seconds
Finished request 23

Here are my configs:

test.conf (wpa_supplicant config)

linux:/home/admin/wpa_supplicant-0.5.5 # cat test.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
        scan_ssid=0
        key_mgmt=IEEE8021X
        eap=TLS
        identity="rafi"
        eapol_flags=0
        ca_cert="/etc/1x/eap_tls/certs/cacert.pem"
        client_cert="/etc/1x/eap_tls/certs/clientcert.pem"
        private_key="/etc/1x/eap_tls/certs/clientkey.pem"
        private_key_passwd="wimax i2 test certs"
}

eap.conf:

eap {
        default_eap_type = tls

        timer_expire     = 120
        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        md5 {
        }

        leap {
        }

        gtc {
                auth_type = PAP
        }

        tls {
                rsa_key_exchange = yes
                dh_key_exchange = no
                rsa_key_length = 1024
                dh_key_length = 1024
                verify_depth = 2
                pem_file_type = yes

                private_key_password = "wimax i2 test certs"

                private_key_file = /usr/local/etc/raddb/certs/rafi/eap_tls_certs/serverkey.pem
                certificate_file = /usr/local/etc/raddb/certs/rafi/eap_tls_certs/servercert.pem
                CA_file = /usr/local/etc/raddb/certs/rafi/eap_tls_certs/cacert.pem
                dh_file = /usr/local/etc/raddb/certs/rafi/dh
                random_file = /usr/local/etc/raddb/certs/rafi/random

                fragment_size = 1024

                include_length = yes

                check_cert_cn = %{User-Name}
        }
}

users:

rafi   Auth-Type := EAP

-- 
Rafiqul Ahsan                630-717-1698(h)
2120 Periwinkle Ln         630-689-1457(h)
Naperville, IL 60540        847-812-6176(c)
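The two SSL errors in the log above are OpenSSL's ASN.1 parser rejecting the object it was handed while reading the client certificate: "too long" means an encoded length field claims more bytes than are actually present, and "bad object header" means the tag/length header itself could not be decoded. The checker below, an added example that is not part of the original post or of FreeRADIUS/wpa_supplicant, applies the same outer tag-and-length check to the contents of a PEM file, so a truncated, re-encoded or non-PEM certificate or key file can be spotted before the EAP exchange is retried; the sample DER blobs are constructed for the demonstration.

```python
import base64
import re
# Constructed sample inputs (not from the post): DER SEQUENCE { INTEGER 5, INTEGER 7 }
GOOD_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])
TRUNCATED_DER = GOOD_DER[:-2]   # header still claims 6 content bytes, only 4 follow

def to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in a PEM envelope with 64-column base64 lines."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def pem_blocks(text):
    """Return (label, base64 body) for every PEM block found in text."""
    pat = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
    return [(m.group(1), "".join(m.group(2).split())) for m in pat.finditer(text)]

def asn1_header(der):
    """Decode the outermost DER tag and length; return (tag, length, header_len)."""
    if len(der) < 2:
        raise ValueError("bad object header: fewer than 2 bytes")
    tag, first = der[0], der[1]
    if first < 0x80:                       # short-form length
        return tag, first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad object header: malformed long-form length")
    return tag, int.from_bytes(der[2:2 + n], "big"), 2 + n

def check_pem(text):
    """One verdict per PEM block, applying the checks behind the log's two errors."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM block found (file may be DER or PKCS#12, not PEM)"]
    results = []
    for label, b64 in blocks:
        try:
            der = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
            tag, length, hdr = asn1_header(der)
        except ValueError as err:
            results.append(f"{label}: {err}")
            continue
        if tag != 0x30:
            results.append(f"{label}: outer object is not a SEQUENCE (tag 0x{tag:02x})")
        elif hdr + length > len(der):      # ASN1_get_object: too long
            results.append(f"{label}: too long (header claims {length} bytes, {len(der) - hdr} present)")
        else:
            results.append(f"{label}: ok ({len(der)} bytes)")
    return results
```

Pass the contents of the client_cert, private_key and ca_cert files from test.conf to check_pem() on the supplicant host and the certificate_file, private_key_file and CA_file from eap.conf on the server. It does not replace `openssl x509 -noout -text` or `openssl verify -CAfile`, but it reports exactly the condition the log's ASN.1 errors describe.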