disable FreeRadius checking of client certs
devel
devel at oberonwireless.com
Tue Oct 10 17:22:27 CEST 2006
Well, I have not issued certs to clients. Some of my clients have the
option to log in with a username "OR" a cert. However, there are a few
random Linksys cards (I guess I should have mentioned this was for Wifi/WPA)
that I "MUST" provide a username and a cert.
If there are no certs on the client machine, Linksys fills the cert in with
"Trust Any", so I assume it may be attempting with a blank? cert or another
cert on the machine, such as VeriSign or the like. So this client is
attempting to authenticate, I believe, with other certs on its machine
because the radius log looks like below:
Tue Oct 10 11:16:16 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA
Tue Oct 10 11:16:16 2006 : Error: TLS_accept:failed in SSLv3 read client certificate A
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
I am not a FreeRadius expert so I may be misinterpreting the logs.
Thanks.
Travis
----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: "devel" <devel at oberonwireless.com>; "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Sent: Tuesday, October 10, 2006 10:27 AM
Subject: Re: disable FreeRadius checking of client certs
> "devel" <devel at oberonwireless.com> wrote:
>> Is it possible to disable FreeRadius's checking of client certificates
>> using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance
>> overhead. Thanks.
>
> Huh? Client certs are used for PEAP only when you deploy client
> certs to the end-user machines. Once they're deployed, they should
> really be checked.
>
> Perhaps you can explain why you've deployed client certs, but now
> don't want to use them.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
>
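
The `error:` codes in the log above can be decoded to see whether each failure was raised locally or arrived as a TLS alert from the other side. This is an added example, not part of the original thread; it assumes the pre-3.0 OpenSSL packed error layout (8-bit library, 12-bit function, 12-bit reason) with received alerts reported as reason 1000 + alert number, and the function names are hypothetical.

```python
import re

# Constructed sample: error lines from the log above, mail line-wrapping undone.
SAMPLE_LOG = """\
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
"""

# TLS alert descriptions (RFC 5246, section 7.2) tied to certificate handling.
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
ALERT_OFFSET = 1000  # assumption: OpenSSL's SSL_AD_REASON_OFFSET
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code_hex):
    """Split a pre-3.0 OpenSSL packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify(log_text):
    """Return one finding per non-zero OpenSSL error code found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m or int(m.group(1), 16) == 0:
            continue  # no code on this line, or the empty error-queue entry
        lib, func, reason = decode_openssl_error(m.group(1))
        from_peer = reason >= ALERT_OFFSET
        alert = ALERTS.get(reason - ALERT_OFFSET, "other") if from_peer else None
        findings.append({"code": m.group(1), "lib": lib, "func": func,
                         "reason": reason, "alert_from_peer": from_peer,
                         "alert": alert})
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        origin = (f"alert received from peer: {f['alert']}"
                  if f["alert_from_peer"] else "raised locally")
        print(f["code"], "reason", f["reason"], "->", origin)
```

A reason code of 1000 or more means the server's OpenSSL received that alert from the supplicant; lower values are errors raised on the server side of the handshake.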