Does FreeRADIUS support PEAPv0/EAP-TLS?
Jason Wittlin-Cohen
jwittlincohen at gmail.com
Wed Dec 10 23:33:39 CET 2008
On Tue, Dec 9, 2008 at 5:35 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Jason Wittlin-Cohen wrote:
> > I already do that with the Juniper Access Client. The problem is that
> > the client certificate has the user's name as the Common Name and that
> > is sent in the clear. PEAP/EAP-TLS sends the user's certificate through
> > the tunnel obviating the issue. I admit this isn't a large problem but
> > it would be a nice feature to have.
>
> FreeRADIUS doesn't support RFC 5216, it's too new.
>
> It has been tested with PEAPv0/EAP-TLS in the past, but it's not a
> common configuration. So it might not work now.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Alan,
I installed FreeRADIUS 2.1.3 on my Ubuntu 8.10 server and encountered the
same failure with PEAPv0/EAP-TLS. I think I've discovered the problem.
FreeRADIUS expects the client certificate to be sent before the SSL tunnel
is established. When the client sends a response without a certificate, it
complains that the client did not return a certificate and rejects the user.
I've tested with the Juniper Access Client, Intel ProSet client, and XP's
own supplicant and got the same result each time, so I don't think this is a
client-side problem.
Log:
[peap] <<< TLS 1.0 Handshake [length 0007], Certificate
[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 55 cli 0013e87d571d)
What's interesting is that if I send a certificate outside the tunnel
(Juniper allows you to send a certificate in addition to any authentication
method, which would, in this case, lead to the certificate being sent once
outside the tunnel and again inside), authentication still fails, this time
with the "No EAP session matching the State variable" error.
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)
eap.conf (as dumped by the server at startup):
Module: Linked to module rlm_eap
Module: Instantiating eap
 eap {
    default_eap_type = "peap"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
 }
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
  tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/etc/freeradius/certs/"
    pem_file_type = yes
    private_key_file = "/etc/freeradius/certs/server.key"
    certificate_file = "/etc/freeradius/certs/server.crt"
    CA_file = "/etc/freeradius/certs/ca.crt"
    dh_file = "/etc/freeradius/certs/dh3072.pem"
    random_file = "/dev/urandom"
    fragment_size = 1024
    include_length = yes
    check_crl = yes
    cipher_list = "HIGH"
    check_cert_issuer = "/C=US/O=FreeRadius CA/CN=FreeRadius CA/emailAddress=jwittlincohen at gmail.com"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
  }
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
  peap {
    default_eap_type = "tls"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = no
  }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
  mschapv2 {
    with_ntdomain_hack = no
  }
Jason Wittlin-Cohen
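The two failure signatures in the debug output above (the outer TLS handshake aborting because the server demanded a client certificate, and the inner-tunnel request being dropped for lack of a matching EAP State) are easy to lose in a long radiusd -X run. The following triage script is an added example, not code from the thread or from the FreeRADIUS project: it splits debug output into per-attempt records at each "Login OK"/"Login incorrect" line, tags each failed attempt with the reasons seen since the previous outcome line, and keeps the user, NAS client, port, calling-station MAC and whether the request came through the TLS tunnel. The sample log text, the user names and the MAC 001122334455 are constructed for the example; the error strings are the ones the server printed in the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of FreeRADIUS 2.x debug output, modelled on the two
# failures reported above; user names and the second MAC are made up.
SAMPLE_LOG = """\
[peap] <<< TLS 1.0 Handshake [length 0007], Certificate
[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [alice] (from client Wireless port 55 cli 0013e87d571d)
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [bob] (from client Wireless port 0 via TLS tunnel)
Login OK: [carol] (from client Wireless port 7 cli 001122334455)
"""

# Ordered from most to least specific: the first match is the primary reason.
REASONS = [
    ("missing_client_cert", re.compile(r"peer did not return a certificate")),
    ("eap_state_mismatch", re.compile(r"No EAP session matching the State variable")),
    ("tls_handshake_failure", re.compile(r"fatal handshake_failure|TLS Alert write:fatal")),
]

# "port 0 via TLS tunnel" marks a request that arrived through the PEAP tunnel;
# "cli <MAC>" is the Calling-Station-Id the NAS reported on the outer request.
OUTCOME_RE = re.compile(
    r"^Login (?P<outcome>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>.+?) port (?P<port>\d+)"
    r"(?: cli (?P<mac>[0-9A-Fa-f]{12}))?(?P<inner> via TLS tunnel)?\)$"
)


def parse_attempts(log_text: str) -> List[Dict[str, object]]:
    """Group debug lines into one record per authentication outcome."""
    attempts: List[Dict[str, object]] = []
    buffer: List[str] = []  # lines seen since the previous outcome line
    for line in log_text.splitlines():
        m = OUTCOME_RE.match(line)
        if not m:
            buffer.append(line)
            continue
        reasons = [name for name, rx in REASONS if any(rx.search(l) for l in buffer)]
        attempts.append({
            "user": m.group("user"),
            "outcome": m.group("outcome"),
            "client": m.group("client"),
            "port": int(m.group("port")),
            "mac": m.group("mac"),
            "inner_tunnel": m.group("inner") is not None,
            "reasons": reasons,
        })
        buffer = []
    return attempts


def summarize(attempts: List[Dict[str, object]]) -> Dict[str, int]:
    """Count failed attempts by primary reason ('unclassified' if none matched)."""
    counts: Dict[str, int] = {}
    for a in attempts:
        if a["outcome"] != "incorrect":
            continue
        reasons = a["reasons"]
        key = reasons[0] if reasons else "unclassified"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a)
    print(summarize(SAMPLE_LOG and parse_attempts(SAMPLE_LOG)))
```

Run it against a saved radiusd -X transcript by replacing SAMPLE_LOG with the file contents; a run in which "missing_client_cert" dominates points at the outer TLS layer insisting on a client certificate before the tunnel exists, while "eap_state_mismatch" on inner-tunnel records points at the tunnelled EAP conversation being started without a matching outer session.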