EAP-TLS Certificate problems.

Brian vb nova5radius at gmail.com
Mon Oct 9 00:26:34 CEST 2006


CA is in trusted root stores under "Current User", and client is in Personal
under "Current User". One thing I see when viewing the certs is the Root has
"Locker Systems" (using a random name to keep the identity of my company out
of the certs) as the issuer and the client has SSLeay Demoserver... looks
like OpenSSL didn't make the certs right for some odd reason... it's like it
used its own CA root or something else happened. I will recreate the certs
but I'm quite sure I entered the same data in all certs except common name,
which I made the same as the machine the cert will reside on. Root CA common
name didn't match any machine name. Where should the CA be? Machine or User?

> -----Original Message-----
> From: freeradius-users-bounces+nova5radius=gmail.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+nova5radius=gmail.com at lists.freeradius.org] On Behalf Of Jason Wittlin-Cohen
> Sent: Sunday, October 08, 2006 2:13 PM
> To: freeradius-users at lists.freeradius.org
> Subject: RE: EAP-TLS Certificate problems.
> 
> 
> > Hi, I'm trying to get Freeradius up and running on a WinXP box (win haters.
> > be nice ;) ) I have downloaded, installed, and configured the Freeradius
> > version from www.freeradius.net. The server starts seemingly without errors.
> > However when I try to connect with my XP laptop I get a certificate error on
> > the radius systems log. I have created 3 certificates, Root, Client, Server.
> > The Root and Client certificates were installed via the MMC snapin and
> > Import wizard in XP.  Any idea on what could be causing the errors? If I
> > need to post file contents, let me know which ones. Using EAP-TLS(cert
> > based) not EAP-TTLS(user-pass based). Xp laptop is stuck at "Attempting to
> > Authenticate."
> >
> Welcome to the Freeradius mailing list, and thank you for providing
> debug log to help us sort out this issue. The debug information will
> tell you exactly why it's being rejected (i.e. no certificate was sent,
> certificate was signed by another CA). I believe I know what's going
> wrong.
> 
> The CA public cert should be stored in the "Trusted Root Certification
> Authorities" certificate store. If it's anywhere else, Windows won't
> authenticate the server and it will look like it's failing- when it's
> doing what you asked it to do. In this scenario you won't see any error
> output from Freeradius because Windows has stopped attempting to connect.
> 
> Your user public certificate must be stored in either your User or
> Machine Account "Personal" Certificate store (this is the first option
> in the snap-in). Also, if you have more than one certificate in your
> personal store, do not use "simple certificate selection". Windows will
> choose the one highest in the list (It did for me). Manually select the
> certificate you want to use.
> 
> Read this howto and follow the "Configuring Windows XP Clients" guide.
> It will tell you exactly what to do. See
> http://www.linuxjournal.com/node/8151/print
> 
> Here is what's happening currently:
> 
> > Error 1 is seen if I have Validate Server Certificate check on the XP
> > Laptop.
> >
> > --Error 1--
> > Sat Oct  7 19:35:58 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
> > ------
> >
> >
> When you enable Server verification, Windows checks to see if the
> server's certificate is signed by a trusted Root CA that you specify.
> Since you didn't install the CA to the "Trusted Root Certificate
> Authorities" certificate store, the Windows supplicant refuses to
> continue authenticating and Freeradius has nothing to do. This error
> doesn't actually mean anything. I see it when I have a successful login.
> You're not seeing an error- which means the problem is on the client
> side. This can be remedied by installing your Root CA in the "Trusted
> Root Certification Authorities" certificate store.
> 
> Here's a successful authentication from my radiusd.log. You'll notice
> the read client certificate A error. It can safely be ignored.
> 
> Sun Oct  8 03:13:56 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
> Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
> Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
> Sun Oct  8 03:13:56 2006 : Auth: Login OK: [Jason Wittlin-Cohen] (from client WLAN port 8 cli 00095b93459e)
> 
> > Error 2 is seen if Validate is unchecked on the laptop
> >
> > --Error 2--
> > Sat Oct  7 19:34:35 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
> > Sat Oct  7 19:34:35 2006 : Error: --> verify error:num=20:unable to get local issuer certificate
> > Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
> > Sat Oct  7 19:34:35 2006 : Error:     TLS_accept:error in SSLv3 read client certificate B
> > Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> > Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/<no User-Password attribute>] (from client netnas port 11 cli 0014a5104864)
> > -----
> >
> >
> Error 2 tells us exactly what the problem is. "Unable to get local
> issuer certificate" AND "Unknown CA". In other words, the certificate
> used is not the one it should be using as it's signed by another CA.
> This can be remedied by installing the correct certificate in the
> "Personal" user certificate store and turning off "simple certificate
> selection".
> 
> I hope this resolves your problem.
> 
> Jason Wittlin-Cohen
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
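The "verify error:num=20:unable to get local issuer certificate" and "unknown CA" lines in Error 2 are what OpenSSL reports when the certificate presented was signed by a CA other than the one FreeRADIUS has been given, which matches the "SSLeay Demoserver" issuer Brian sees on his client cert. The shell script below is an added example, not from this thread or from the FreeRADIUS project: it builds a throwaway CA and client certificate with OpenSSL, a second client certificate signed by an unrelated CA, and a `check_chain` function that reproduces both the verify failure and the issuer/subject comparison so a certificate can be checked before it is imported into any Windows store. The CA names, the `laptop` common name and the `stray` CA are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to get local
# issuer certificate" / "unknown CA" failure with throwaway OpenSSL certs and
# check a client certificate against the CA before loading it anywhere.
# All names below are constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# make_ca <name> <common-name>: self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# make_cert <name> <common-name> <ca-name>: CSR plus a certificate signed by
# the named CA. Signing with the wrong CA key here is exactly the mistake
# that later shows up as verify error 20 in radiusd.log.
make_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$1.csr" \
        -CA "$3.pem" -CAkey "$3.key" -CAcreateserial -out "$1.pem" >/dev/null 2>&1
}

# Distinguished names in RFC 2253 form so issuer and subject compare exactly.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# check_chain <ca.pem> <cert.pem>: returns 0 only when the certificate
# verifies against this CA; otherwise prints OpenSSL's reason and whether the
# issuer name itself is wrong (different CA) or only the signature is wrong
# (same name, but the CA was regenerated after the client cert was issued).
check_chain() {
    ca_subject=$(subject_of "$1")
    cert_issuer=$(issuer_of "$2")
    # Match on the printed "OK" rather than the exit status, which older
    # OpenSSL releases did not set reliably for verify.
    result=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$result" in
        *": OK"*) echo "$2: chains to '$ca_subject'"; return 0 ;;
    esac
    echo "$result"
    if [ "$ca_subject" != "$cert_issuer" ]; then
        echo "$2: issuer '$cert_issuer' is not the trusted CA '$ca_subject'"
    else
        echo "$2: issuer name matches but the signature does not; CA was probably regenerated"
    fi
    return 1
}

make_ca   ca        "Locker Systems CA"      # the CA FreeRADIUS is told to trust
make_ca   stray     "SSLeay Demoserver CA"   # some other CA that got used by mistake
make_cert laptop    laptop ca                # correctly issued client cert
make_cert badlaptop laptop stray             # same CN, wrong issuer

check_chain ca.pem laptop.pem                # OK
check_chain ca.pem badlaptop.pem || true     # error 20, like Error 2 in the thread
```

Running it prints one "chains to" line for the good certificate and, for the mis-signed one, OpenSSL's "unable to get local issuer certificate" message followed by the issuer/subject mismatch. The same `check_chain` call against the server certificate tells you whether the supplicant's "Validate server certificate" check can ever succeed with the CA that was imported.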