EAP-TLS Certificate problems.
Jason Wittlin-Cohen
jasonwc at brandeis.edu
Sun Oct 8 20:13:06 CEST 2006
> Hi, I'm trying to get Freeradius up and running on a WinXP box (win haters.
> be nice ;) ) I have downloaded, installed, and configured the Freeradius
> version from www.freeradius.net. The server starts seemingly without errors.
> However when I try to connect with my XP laptop I get a certificate error on
> the radius systems log. I have created 3 certificates, Root, Client, Server.
> The Root and Client certificates were installed via the MMC snapin and
> Import wizard in XP. Any idea on what could be causing the errors? If I
> need to post file contents, let me know which ones. Using EAP-TLS(cert
> based) not EAP-TTLS(user-pass based). Xp laptop is stuck at "Attempting to
> Authenticate."
>
Welcome to the Freeradius mailing list, and thank you for providing
debug log to help us sort out this issue. The debug information will
tell you exactly why it's being rejected (i.e. no certificate was sent,
certificate was signed by another CA). I believe I know what's going wrong.
The CA public cert should be stored in the "Trusted Root Certification
Authorities" certificate store. If it's anywhere else, Windows won't
authenticate the server and it will look like it's failing- when it's
doing what you asked it to do. In this scenario you won't see any error
output from Freeradius because Windows has stopped attempting to connect.
Your user public certificate must be stored in either your User or
Machine Account "Personal" Certificate store (this is the first option
in the snap-in). Also, if you have more than one certificate in your
personal store, do not use "simply certificate selection". Windows will
choose the one highest in the list (It did for me). Manually select the
certificate you want to use.
Read this howto and follow the "Configuring Windows XP Clients" guide.
It will tell you exactly what to do. See
http://www.linuxjournal.com/node/8151/print
Here is what's happening currently:
> Error 1 is seen if I have Validate Server Certificate check on the XP
> Laptop.
>
> --Error 1--
> Sat Oct 7 19:35:58 2006 : Error: TLS_accept:error in SSLv3 read client
> certificate A
> ------
>
>
When you enable Server verification, Windows checks to see if the
server's certificate is signed by a trusted Root CA that you specify.
Since you didn't install the CA to the "Trusted Root Certificate
Authorities" certificate store, the Windows supplicant refuses to
continue authenticating and Freeradius has nothing to do. This error
doesn't actually mean anything. I see it when I have a successful login.
You're not seeing an error- which means the problem is on the client
side. This can be remedied by installing your Root CA in the "Trusted
Root Certification Authorities" certificate store.
Here's a successful authenticaiton from my radiusd.log. You'll notice
the read client certificate A error. It can safely be ignored.
Sun Oct 8 03:13:56 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Sun Oct 8 03:13:56 2006 : Error: rlm_eap: SSL error
error:00000000:lib(0):func(0):reason(0)
Sun Oct 8 03:13:56 2006 : Error: rlm_eap: SSL error
error:00000000:lib(0):func(0):reason(0)
Sun Oct 8 03:13:56 2006 : Auth: Login OK: [Jason Wittlin-Cohen] (from
client WLAN port 8 cli 00095b93459e)
> Error 2 is seen if Validate is unchecked on the laptop
>
> --Error 2--
> Sat Oct 7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client
> certificate A
> Sat Oct 7 19:34:35 2006 : Error: --> verify error:num=20:unable to get
> local issuer certificate
> Sat Oct 7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
> Sat Oct 7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client
> certificate B
> Sat Oct 7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a system
> call (-1), TLS session fails.
> Sat Oct 7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/<no
> User-Password attribute>] (from client netnas port 11 cli 0014a5104864)
> -----
>
>
Error 2 tells us exactly what the problem is. "Unable to get local
issuer certificate" AND "Unknown CA". In other words, the certificate
used is not the one it should be using as it's signed by another CA.
This can be remedied by either installing the correct certificate in the
"Personal" user certificate store and turning off "simple certificate
selection".
I hope this resolves your problem.
Jason Wittlin-Cohen
More information about the Freeradius-Users
mailing list