EAP: client certificates and double authentication messages
Stefan Winter
stefan.winter at restena.lu
Tue Oct 24 21:19:43 CEST 2006
Hi again Flo,
remember last TNC in Catania? :-)
> I am using freeradius successfully, but I still have some questions.
>
> Firstly, how can I disable verifying client certificates?
> Mon Sep 5 12:17:12 2005 : Error: TLS_accept:error in SSLv3 read
> client certificate A
This is an "error" reported from openssl. Other than looking ugly, it doesn't
do any harm. And since it's not caused by FreeRADIUS, you can't stop it from
appearing. It's a case of "never mind". BTW, this question comes up quite
frequently on the list; digging in the archives would have done the trick.
> Secondly, how come I always see a successful authentication twice
> when using EAP:
> Mon Sep 5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client
> localhost port 0)
> Mon Sep 5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client
> airbrush port 0 cli 00-11-09-0B-01-4D)
That's due to the way EAP sessions are handled in FreeRADIUS: there is the
RADIUS packet coming from the client, and within it is the content of the TLS
tunnel; this inner content is treated as a new packet coming from localhost.
So, first the TLS tunnel content gets validated, which results in success
(the first line above); then this inner packet gets "proxied" back to the
outer packet, which sees a Login OK from the inner, which satisfies itself
and reports its own success again. Again a case of "never mind".
Greetings,
Stefan
--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
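As an added example (not code from the post or from FreeRADIUS), the log triage logic Stefan's explanation implies: a "Login OK" from client localhost port 0 is the inner-tunnel result, it gets folded into the following outer record from the real NAS, and the OpenSSL "read client certificate A" lines are counted as benign noise. The sample lines are constructed after the excerpts above; the "Login incorrect" line and the alice/bob users are assumptions.

```python
import re

# Constructed sample modelled on the radius.log excerpts quoted in the post.
SAMPLE_LOG = """\
Mon Sep 5 12:17:12 2005 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Sep 5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client localhost port 0)
Mon Sep 5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client airbrush port 0 cli 00-11-09-0B-01-4D)
Mon Sep 5 12:18:02 2005 : Auth: Login OK: [alice] (from client localhost port 0)
Mon Sep 5 12:18:02 2005 : Auth: Login OK: [alice] (from client airbrush port 0 cli 00-11-09-0B-01-4E)
Mon Sep 5 12:19:40 2005 : Auth: Login incorrect: [bob] (from client airbrush port 0 cli 00-11-09-0B-01-4F)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)
# The OpenSSL message Stefan calls a "never mind": harmless, so only tallied.
BENIGN_TLS_RE = re.compile(r"TLS_accept:error in SSLv3 read client certificate A")


def parse_log(text):
    """Return (events, benign_count).

    Each event is one end-user authentication attempt as seen from the NAS.
    Inner-tunnel successes (client localhost, port 0) are not separate logins:
    they are remembered and attached to the next outer line for the same user.
    """
    events, benign, pending_inner = [], 0, {}
    for line in text.splitlines():
        if BENIGN_TLS_RE.search(line):
            benign += 1
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        if d["nas"] == "localhost":
            pending_inner[d["user"]] = d["ts"]  # inner result, wait for the outer one
            continue
        events.append({
            "ts": d["ts"], "user": d["user"], "result": d["result"],
            "nas": d["nas"], "cli": d["cli"],
            "inner_ok": pending_inner.pop(d["user"], None) is not None,
        })
    return events, benign


def count_successful_logins(text):
    """Number of real (outer) successful authentications, one per EAP session."""
    return sum(1 for e in parse_log(text)[0] if e["result"] == "OK")
```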