EAP-TLS certificate

xia sihua walter.xia at gmail.com
Sat Apr 5 03:57:41 CEST 2008


Hi,
  I am using version 2.0.3. I generated the certificates using the
files ca.cnf, server.cnf, client.cnf, xpextensions and Makefile, which
are in the directory ../raddb/certs/. Then I used "make server.vrfy" to
verify the server certificate, and it is OK. "make client.vrfy" is also OK.
  I use the EAP-TLS authentication method, and I have modified the eap.conf
file to add the relevant certificate files as follows:
....
private_key_password = radius
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
....

  The supplicant I use is the TeraDot1x Tester from Spirent Communications.
...
Configuration:
Supplicant ID: test (defined in client.cnf common name)
User Certificate Filename: client.pem
User Key Filename: client.key
Root Certificate Filename: server.pem
Key password: test  (same defined in client.cnf file)
....

When using the above configuration, the RADIUS server prints out the
following error:
.....
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client hello B
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
....


If I change the Root Certificate Filename from server.pem to ca.pem, the
following error comes out instead:
....
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
....

If I use the certificates provided by Spirent, it passes. I do not know why.
Any ideas?

-- 
Best regards!
walter
***************************************
Nothing is impossible!
***************************************
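The two alerts above are what the openssl CLI can reproduce before a single EAP exchange is attempted: a leaf certificate only verifies against the CA that issued it, never against the server's own certificate, and the xpextensions EKU can be read straight off the leaf. The script below is an added example, not part of the original post or the FreeRADIUS certs/ Makefile; it builds a throwaway ca.pem/server.pem/client.pem with the openssl CLI (assumed installed) and exposes the checks as functions, with all names and subjects constructed here.

```shell
#!/bin/sh
# Constructed throwaway PKI that mirrors the raddb/certs layout: ca.pem signs
# both server.pem and client.pem. All names and subjects are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA (stand-in for the ca.pem that ca.cnf produces)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Certificate Authority" -days 30 2>/dev/null

# issue_leaf NAME CN EKU: issue NAME.pem signed by ca.pem with the given
# extendedKeyUsage, the extension that xpextensions adds for XP supplicants
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$1.pem" -days 30 -extfile "$1.ext" 2>/dev/null
}
issue_leaf server "Example Server Certificate" serverAuth
issue_leaf client test clientAuth

# verify_against TRUST CERT: exit 0 when CERT chains to TRUST, i.e. what a
# peer that loaded TRUST as its root certificate would conclude about CERT
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issued_by TRUST CERT: exit 0 when CERT's issuer DN equals TRUST's subject DN
issued_by() {
  [ "$(openssl x509 -in "$2" -noout -issuer | sed 's/^[^=]*=//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')" ]
}

# has_eku CERT TEXT: exit 0 when CERT's extendedKeyUsage mentions TEXT
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Same mismatch as in the post: trusting server.pem instead of ca.pem
verify_against ca.pem client.pem && echo "client.pem chains to ca.pem"
verify_against server.pem client.pem || echo "client.pem does not chain to server.pem: unknown CA"
issued_by ca.pem server.pem && echo "server.pem was issued by ca.pem"
has_eku client.pem "TLS Web Client Authentication" && echo "client.pem carries the clientAuth EKU"
```

Run the same three functions against the real ca.pem, server.pem and client.pem from raddb/certs/ to confirm which file the supplicant must load as its root and whether the leaves carry the EKUs the supplicant expects.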
