Problems using EAP-TLS with freeradius version 2

Alan DeKok aland at
Fri Feb 1 13:27:45 CET 2008

Stefan Puch wrote:
> - running "bootstrap" creates ca.pem, server.pem, dh and random which are used
> with the radius server (server.pem is signed with ca.pem)
> - running make client.pem creates a client certificate which is signed by the
> server certificate (in my opinion that cannot work)

  I guess all of the people using that exact scenario are deluding

> - when trying to connect to the radius server the validation fails with
> following output from "radiusd -X" (because the client cert is not signed
> with ca.pem):

  No.  It's failing because the server hasn't been told that its server
certificate is a known CA.  SSL is weird that way.

> - Then I changed the Makefile, so that the client cert is signed with the ca.pem
> like the server certificate is (wouldn't be that the correct way?)

  No.  But it *will* work, too.  It may take less effort to get it to work.

> The problem is, that after the "Login OK" nothing further happens, e.g. the
> clients cannot carry using dhcp. The dhcp-client is started, but the request
> doesn't reach the dhcp-server.

  The "login OK" message is nothing more than a suggestion in the radius
logs.  What is *important* is:

 - was an Access-Accept sent back?  The rest of the debug log that you
deleted should show that
 - was the Access-Accept understood and processed by the NAS?  See the
NAS for details.

  If the server sent an Access-Accept, and the user still doesn't have
network access, then the NAS chose to disconnect the user.  This is
basic RADIUS knowledge.

> So I downgraded again from 2.0.1 to freeradius 1.1.7 and tested everything
> again: The first client certificate, which was signed with the server
> certificate didn't work, the second one worked fine AND when after "Login
> OK" the dhcp-client is started, the dhcp-server gets the requests and can answer.

  You're stuck on the wrong pieces of information.  The certificates are

  What is actually happening is that you've configured 2.0.1 and 1.1.7
*differently*.  The contents of the final Access-Accept sent by 2.0.1
are different from the contents sent by 1.1.7.  Since you configured the
contents, you are responsible for making sure that the contents are
identical, and that the NAS accepts them.

  The NAS doesn't look at the certificates.  It doesn't care.  It *does*
care if it isn't told the right information in the Access-Accept.

  I'll bet that if you posted the final Access-Accept from 1.1.7 and
from 2.0.1, that they would be *different*.  If you make them the same,
I'll also bet that the NAS will accept the user.

> The first question I would like to get an answer for is: Which certificate is
> needed to sign the client certificate, the CA certificate or the server certificate?

  Either.  It depends on how you want to do it.

> The second question is: Are there any further suggestions or do I have to make
> an ethereal trace? Perhaps you can send me some test certs that should really
> work, so that I can exclude the certs when debugging/analyzing the rest?

  The certificates are fine.  Don't claim that the certificates don't
work.  Many people have them working in real-world and test environments.

  Stop fighting with the certificates.  You're wasting your time, and
confusing yourself.  Start looking at the contents of the Access-Accept,
which is the only thing that really matters.

  Alan DeKok.
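The comparison Alan asks for, as an added example that is not part of this thread and not FreeRADIUS code: a small parser for the RADIUS packet layout of RFC 2865 that diffs the attributes of two Access-Accept packets. The two packets, their attribute values (VLAN 20 via the Tunnel-* attributes, a session timeout, a Reply-Message) and the all-zero authenticator are constructed samples, not captured traffic.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {18: "Reply-Message", 27: "Session-Timeout", 64: "Tunnel-Type",
              65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}

def parse_radius(packet: bytes):
    """Parse header and attribute list (RFC 2865 sections 3 and 5) into
    (code, identifier, authenticator, [(type, value_bytes), ...]).
    Length and attribute bounds are checked so a malformed packet raises."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def build_packet(code: int, ident: int, attrs) -> bytes:
    """Build a packet with an all-zero authenticator: a constructed sample for
    offline comparison only (no Response Authenticator is computed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def diff_accepts(pkt_a: bytes, pkt_b: bytes):
    """Return (only in A, only in B): attributes, by name and raw value,
    that one Access-Accept carries and the other does not."""
    code_a, _, _, attrs_a = parse_radius(pkt_a)
    code_b, _, _, attrs_b = parse_radius(pkt_b)
    if code_a != 2 or code_b != 2:
        raise ValueError(f"expected two Access-Accepts, got codes {code_a} and {code_b}")
    def name(t): return ATTR_NAMES.get(t, f"Attr-{t}")
    set_a = {(name(t), v) for t, v in attrs_a}
    set_b = {(name(t), v) for t, v in attrs_b}
    return sorted(set_a - set_b), sorted(set_b - set_a)

# Constructed samples: the working reply assigns VLAN 20 (tag 0; Tunnel-Type 13 = VLAN,
# Tunnel-Medium-Type 6 = IEEE 802) plus a timeout; the broken reply carries only a message.
ACCEPT_WORKING = build_packet(2, 7, [(27, struct.pack("!I", 3600)), (64, b"\x00\x00\x00\x0d"),
                                     (65, b"\x00\x00\x00\x06"), (81, b"\x00" + b"20")])
ACCEPT_BROKEN = build_packet(2, 7, [(18, b"Login OK")])

if __name__ == "__main__":
    only_working, only_broken = diff_accepts(ACCEPT_WORKING, ACCEPT_BROKEN)
    print("only in working reply:", only_working, "\nonly in broken reply:", only_broken)
```

Feed it the two final Access-Accept packets (e.g. exported from a packet capture) and the attributes the NAS is missing show up directly.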
