Problems with chained certificates and eap/tls

s1008610 at mail.inf.tu-dresden.de
Tue Nov 7 16:20:59 CET 2006


Hello,

I have a problem with chained CA certificates and EAP/TLS.

My former setup was with simple self-signed certificates and everything
went perfectly, but now I have to change the certificate setup to a third-party CA.
They use a root CA and a signing CA signed by the root CA;
this sub-CA signed the server certificate.

What I've done:
I copied the two certificates of the root and signing CA together.
The RADIUS server starts up fine, all certificates were loaded,
but no client can connect.

The built-in Windows client finds no client certificate for the chosen
root CA.

I've also tested the AEGIS client, with the result
that it does the handshake but never receives the Accept.

To sum up: everything ran well until I changed the certificates.
Is there any point at which the RADIUS server cannot deal correctly with these certificates?

Log of the RADIUS server with the WinXP client

Mon Nov  6 15:02:21 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Mon Nov  6 15:02:21 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov  6 15:02:21 2006 : Error: --> verify error:num=20:unable to get local issuer certificate
Mon Nov  6 15:02:21 2006 : Error: TLS Alert write:fatal:unknown CA
Mon Nov  6 15:02:21 2006 : Error:     TLS_accept:error in SSLv3 read client certificate B
Mon Nov  6 15:02:21 2006 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Nov  6 15:02:21 2006 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

Log of the RADIUS server with the AEGIS client

Mon Nov  6 15:49:24 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Mon Nov  6 15:49:24 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov  6 15:49:27 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Mon Nov  6 15:49:27 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov  6 15:49:27 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Mon Nov  6 15:49:27 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov  6 15:49:27 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov  6 15:49:27 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov  6 15:49:27 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov  6 15:49:31 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Mon Nov  6 15:49:31 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov  6 15:49:31 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov  6 15:49:31 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov  6 15:49:31 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov  6 15:49:34 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Nov  6 15:49:38 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Mon Nov  6 15:49:38 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov  6 15:49:38 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov  6 15:50:08 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Mon Nov  6 15:50:08 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Nov  6 15:50:08 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)

Debug output of the RADIUS server with the AEGIS client

Sending Access-Accept of id 220 to 141.76.5.1 port 20002
        User-Name = "**"
        Session-Timeout = 640
        Trapeze-VLAN-Name = "FRZWLAN"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        MS-MPPE-Recv-Key = 0x24db9d7012cfb4ca813bf63823b126e75415d30a13e9154bf24d916c529a68eb
        MS-MPPE-Send-Key = 0x835531ba6b327ee15cbe969e9d35a1a7ea0d571bc292e254b2f7856641492926
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000

After this message nothing happens; the client makes a new request and
the RADIUS server handles the request as a new one.

I have no idea where I should continue my search... :(


ciao

Stephan

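The `verify error:num=20:unable to get local issuer certificate` in the WinXP log above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: while building the chain for the certificate the peer presented, it could not find the issuer of some certificate in the trust material it was given. The script below is an added example, not part of the original post and not FreeRADIUS code. It needs only the `openssl` command line tool (1.1.1 or 3.x): it builds a throwaway root CA -> signing CA -> client certificate chain (the CA names, key sizes and lifetimes are made up for the demo), then runs `openssl verify` on the same client certificate against three different CA files and reports the verify error number each time. Against the root alone it reproduces error 20; against the root and signing CA concatenated the chain verifies; against the signing CA alone it fails one level further up.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS: reproduce
# X509 verify error 20 ("unable to get local issuer certificate") with a
# root CA -> signing CA -> client certificate chain, and show what clears it.
# CA names, key sizes and lifetimes below are made up for the demo.
set -eu

# make_chain DIR: build a throwaway PKI in DIR.
#   root.crt    self-signed root CA
#   sub.crt     signing (intermediate) CA, issued by the root, CA:TRUE
#   client.crt  end-entity certificate issued by the signing CA
make_chain() {
    dir=$1
    # One config file with the extension sections we need, so the result does
    # not depend on whatever openssl.cnf the host ships.
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # Self-signed root CA.
    openssl req -config "$dir/ext.cnf" -x509 -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Signing CA: CSR issued by the root with CA extensions.
    openssl req -config "$dir/ext.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Signing CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/sub.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions ca_ext \
        -out "$dir/sub.crt" 2>/dev/null
    # Client certificate issued by the signing CA (not by the root).
    openssl req -config "$dir/ext.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/sub.crt" -CAkey "$dir/sub.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions client_ext \
        -out "$dir/client.crt" 2>/dev/null
}

# verify_cert CAFILE CERT: run `openssl verify` with CAFILE as the only trust
# material and print OK, or FAIL:<n> where <n> is the X509 verify error number
# (20 = unable to get local issuer certificate, 2 = unable to get issuer
# certificate).  Always returns 0 so it is safe to call under `set -e`.
verify_cert() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo OK
    else
        # Failure output contains a line like
        #   error 20 at 0 depth lookup: unable to get local issuer certificate
        n=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
        echo "FAIL:${n:-?}"
    fi
}

# Demo: the same client certificate checked against three different CA files.
WORK=$(mktemp -d)
make_chain "$WORK"
cat "$WORK/root.crt" "$WORK/sub.crt" > "$WORK/ca-bundle.crt"
printf 'root CA only      : %s\n' "$(verify_cert "$WORK/root.crt"      "$WORK/client.crt")"
printf 'signing CA only   : %s\n' "$(verify_cert "$WORK/sub.crt"       "$WORK/client.crt")"
printf 'root + signing CA : %s\n' "$(verify_cert "$WORK/ca-bundle.crt" "$WORK/client.crt")"
rm -rf "$WORK"
```

Run it with `sh`. Because `verify_cert` works purely on files, the same call against the CA file a RADIUS server loads and a client certificate exported from the supplicant tells you whether the server-side chain can be completed at all, before any EAP round trip is attempted; if it reports FAIL:20 there, the server's CA file is missing the issuer of that client certificate, whatever the client shows in its own store.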