EAP: client certificates and double authentication messages

Stefan Winter stefan.winter at restena.lu
Tue Oct 24 21:19:43 CEST 2006


Hi again Flo,

remember last TNC in Catania? :-)

>   I am using freeradius successfully, but I still have some questions.
>
> Firstly, how can I disable to verify client certificates?
> Mon Sep  5 12:17:12 2005 : Error:     TLS_accept:error in SSLv3 read
> client certificate A

This is an "error" reported from openssl. Other than looking ugly, it doesn't 
do any harm. And since it's not caused by FreeRADIUS, you can't stop it from 
appearing. It's a case of "never mind". BTW, this question comes up quite 
frequently on the list; digging in the archives would have done the trick.

> Secondly, how come I always see a successful authentication twice,
> when using eap:
> Mon Sep  5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client
> localhost port 0)
> Mon Sep  5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client
> airbrush port 0 cli 00-11-09-0B-01-4D)

That's due to the way EAP sessions are handled in FreeRADIUS: there is the 
RADIUS packet coming from the client, and within it is the content of the TLS 
tunnel; this inner content is treated as a new packet coming from localhost. 
So, first the TLS tunnel content gets validated, which results in success 
(the first line above), then this inner packet gets "proxied" back to the 
outer packet, which sees a Login OK from the inner, which satisfies itself 
and reports its own success again. Again a case of "never mind".

Greetings,

Stefan

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
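As an added illustration of the double "Login OK" explained in the reply above (this is not code from the original thread or from the FreeRADIUS project), the following Python script parses radius.log lines of the format quoted in the question and folds the inner-tunnel result (the one reported "from client localhost port 0", no cli) into the outer result for the same user and outcome, so that an alerting or accounting script counts one authentication per real login instead of two. The log lines are constructed for the example; the assumption that the inner result can be recognised by "localhost" with no "cli" field is taken from the quoted lines and may not hold for other FreeRADIUS versions or configurations, and the five-second pairing window is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of radius.log lines in the format quoted in the question
# (not real log output). Line 1 is the inner-tunnel result, line 2 the outer one.
SAMPLE_LOG = """\
Mon Sep  5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client localhost port 0)
Mon Sep  5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client airbrush port 0 cli 00-11-09-0B-01-4D)
Mon Sep  5 12:18:02 2005 : Auth: Login OK: [guest01] (from client airbrush port 0 cli 00-11-09-0B-02-7F)
Mon Sep  5 12:19:40 2005 : Auth: Login incorrect: [unrzwlan5] (from client localhost port 0)
Mon Sep  5 12:19:40 2005 : Auth: Login incorrect: [unrzwlan5] (from client airbrush port 0 cli 00-11-09-0B-01-4D)
"""

# Matches the "Auth:" result lines shown above; other log lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)


def parse_line(line):
    """Return a dict for an Auth result line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    # Assumption (from the quoted lines): the inner-tunnel result is reported
    # as coming from "localhost" and carries no calling-station (cli) field.
    ev["inner"] = ev["client"] == "localhost" and ev["cli"] is None
    return ev


def collapse_eap_pairs(lines, window_seconds=5):
    """Return one event per real authentication.

    An inner-tunnel result that is followed within window_seconds by an outer
    result for the same user and the same outcome is folded into the outer
    event, which is the one carrying the NAS name and client MAC. Inner
    results that never get an outer counterpart are kept and flagged as
    orphans, since they mean the outer exchange did not complete.
    """
    pending = defaultdict(list)  # (user, result) -> inner events awaiting an outer one
    events = []
    for raw in lines:
        ev = parse_line(raw.strip())
        if ev is None:
            continue
        key = (ev["user"], ev["result"])
        if ev["inner"]:
            pending[key].append(ev)
            continue
        ev["inner_seen"] = False
        ev["orphan_inner"] = False
        queue = pending[key]
        for i, inner in enumerate(queue):
            if 0 <= (ev["ts"] - inner["ts"]).total_seconds() <= window_seconds:
                ev["inner_seen"] = True
                del queue[i]
                break
        events.append(ev)
    # Whatever is still pending had no outer counterpart.
    for queue in pending.values():
        for inner in queue:
            inner["inner_seen"] = True
            inner["orphan_inner"] = True
            events.append(inner)
    return events


def count_results(lines):
    """Per-(user, result) counts after collapsing inner/outer pairs."""
    counts = defaultdict(int)
    for ev in collapse_eap_pairs(lines):
        counts[(ev["user"], ev["result"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in collapse_eap_pairs(SAMPLE_LOG.splitlines()):
        print(ev["ts"], ev["result"], ev["user"], ev["client"], ev["cli"],
              "eap-pair" if ev["inner_seen"] else "single",
              "ORPHAN-INNER" if ev["orphan_inner"] else "")
    print(count_results(SAMPLE_LOG.splitlines()))
```

Run against the five constructed lines, the script reports three events (two for unrzwlan5, one for guest01) rather than five, and the guest01 entry is marked as a single result, which is what a non-EAP (for example PAP) login looks like in the same log.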
