Everything looks like it works, but PC is not authenticated

K. Hoercher wbhoer at gmail.com
Mon Sep 4 13:12:21 CEST 2006


Ok,
so we might conclude that you're trying EAP-TLS.

On 9/4/06, Alexandros Gougousoudis <gougousoudis at kh-berlin.de> wrote:
> Hi,
>
> I am a step ahead. One problem was that the Root-CA cert must be put
> manually into the "Trusted Root Certificates" store (I use a German Windows,
> so I am translating that back into English) on the Windows client. It is
> not enough to import it automatically, although the cert shows up in
> the list of "Trusted Root Certificates" in the "Authentication" menu of
> the network settings. I made this work by running the mmc manually and opening the
> Certificates dialog.
>
> But it shows that the problem is deeper. The NetBIOS name of the Windows
> machine is "vinfo-t1", and the cert also has this name as its CN. If the PC
> tries to authenticate, the username arrives at the RADIUS server as
> "host/vinfo-t1", which makes the TLS verify fail. How can the name be
> truncated?

I can't even remotely understand why you seem to look for help on the one
hand, but on the other keep declining to answer the questions put to
you and insisting on false assumptions.

> --> subject = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM
> HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
> --> issuer  = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM
> HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
> --> verify return:1
> --> verify error:num=9:certificate is not yet valid
>    rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
> TLS Alert write:fatal:bad certificate

So this root CA (assuming it's even the right one) is rejected by the
server for the reason stated.

Would you please explain how you come to the conclusion that the TLS
verify fails because of a CN/username mismatch, when one would
expect to read lines like:
radius_xlat:  'host/wbh'
    rlm_eap_tls: checking certificate CN (wbh) with xlat'ed value (host/wbh)
in such a case.

In your setup the server doesn't even reach that point. On a side
note, if in some distant future it does, you might find check_cert_cn
interesting.

And while it doesn't cause any problems for now, would you please get
rid of the "host/vinfo-t1" and "vinfo-t1" stanzas in your users file
and use the default one, as that is, at the very least, a misguided setting
which could be the source of problems further down the road. (For the
time being you don't need anything set there, especially no User-Password, as
we can, just now, guess that you don't want EAP-PEAP.)

regards
K. Hoercher
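An added example for the two diagnostics this reply raises, written here and not taken from the thread or from FreeRADIUS: it reproduces the "certificate is not yet valid" rejection against a throwaway CA by moving openssl's verification clock with -attime, and emulates the CN-versus-xlat'ed-value comparison that check_cert_cn performs. The CA subject, file names and the "host/" stripping are made up for the demonstration; the only facts assumed about OpenSSL are the -attime option and the verify error numbers 9 (not yet valid) and 10 (expired).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: reproduce the
# "verify error:num=9:certificate is not yet valid" rejection with openssl's
# clock override, and emulate the CN-versus-xlat comparison that check_cert_cn
# performs. All names and paths here are made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed root, standing in for the poster's ServiceCenter-IT CA.
# Its notBefore is "now", so any clock behind that instant rejects it.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=DE/O=Example/CN=Example-Test-Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# What to run on the RADIUS server first: the validity window, to compare
# against the server's own `date -u`.
cert_validity() {
    openssl x509 -noout -startdate -enddate -in "$1"
}

# Verify $1 against itself as trust anchor, at clock $2 (epoch seconds,
# defaults to the real clock), and reduce the outcome to one word.
verify_at() {
    _cert="$1"; _at="${2:-$(date +%s)}"
    _out="$(openssl verify -attime "$_at" -CAfile "$_cert" "$_cert" 2>&1 || true)"
    case "$_out" in
        *"not yet valid"*) echo not-yet-valid ;;   # error 9: clock behind notBefore
        *"has expired"*)   echo expired ;;         # error 10: clock past notAfter
        *": OK"*)          echo ok ;;
        *)                 echo other ;;
    esac
}

# Pull the CN out of the subject, one RDN per line so CN= is unambiguous.
cert_cn() {
    openssl x509 -noout -subject -nameopt sep_multiline,utf8 -in "$1" \
        | sed -n 's/^ *CN=//p'
}

# Emulation of the check_cert_cn comparison seen in the log lines quoted in
# the reply: the CN from the client cert is compared with an xlat'ed string
# such as %{User-Name}. A machine account shows up as "host/<name>", so it
# only matches once the prefix is stripped (done here in shell, not FreeRADIUS).
cn_check() {
    _cn="$(cert_cn "$1")"; _xlat="$2"
    if [ "$_cn" = "$_xlat" ]; then echo match; else echo mismatch; fi
}

strip_host_prefix() {
    echo "${1#host/}"
}

make_ca
cert_validity "$WORK/ca.pem"
_now="$(date +%s)"
echo "at real clock:     $(verify_at "$WORK/ca.pem")"
echo "one day behind:    $(verify_at "$WORK/ca.pem" $((_now - 86400)))"
echo "two years ahead:   $(verify_at "$WORK/ca.pem" $((_now + 730 * 86400)))"
echo "CN vs host/name:   $(cn_check "$WORK/ca.pem" "host/Example-Test-Root")"
echo "CN vs stripped:    $(cn_check "$WORK/ca.pem" "$(strip_host_prefix host/Example-Test-Root)")"
```

Running it prints the validity window and the five outcomes. On the poster's server the useful comparison is cert_validity against `date -u`: a server clock behind the CA's notBefore yields exactly the error 9 quoted above, and the CN check only comes into play once the chain verifies.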
