Mac OS X EAP-TLS with wrong username kills freeradius when check_cert_cn is set
Miika Räisänen
mraisane at gmail.com
Fri Jan 19 11:45:48 CET 2007
On 1/19/07, Alan DeKok <aland at deployingradius.com> wrote:
> Miika Räisänen wrote:
> >
> > We are building freeradius server to authenticate WLAN users with
> > EAP-TLS and EAP-PEAP. EAP-PEAP works great with all tested operating
> > systems, but Mac OS X 802.1X client with EAP-TLS kills freeradius if
> > check_cert_cn is set on and Mac OS X user sends user name which does not
> > match with certificate's common name. Operating system version is 10.4.8
> > and it runs on Macbook.
>
> I've heard something similar before, and I haven't been able to figure
> out why it happens.
>
> > We have tested following freeradius server versions on following platforms
> > Freeradius 1.1.1 / SUN Os 5.8
> > Freeradius 1.1.3 (FC6's rpm) / FC6
> > Freeradius 1.1.4 (built from source) / FC6
> > Freeradius snapshot 20070118 (built from source) / FC6
> > Freeradius 1.1.4 (built from source) / CentOS 4.4
>
> That says it's common code, at least.
>
> > Any ideas, fixes or workarounds?
>
> If you can get a core dump, that would help a lot. See doc/bugs
>
> Or, if you can run the server under "valgrind" for testing, it should
> print out what's going wrong.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
Here's the coredump gdb logfile
http://cc.oulu.fi/~mraisane/tmp/gdb-radiusd.log
and valgrind logfile
http://cc.oulu.fi/~mraisane/tmp/radiusd.valgrind.7386
from freerad 1.1.4 on CentOS.