EAP TLS testing using eapol_test

Naunidh S Chadha naunidh at gmail.com
Wed May 21 16:45:06 CEST 2008

Hi All

I am attempting to authenticate an EAP-TLS using eapol_test tool against
FreeRADIUS Version 2.0.3.
>From last two days I am getting stumped by certificate issues. Currently I
have the following error in my
Freeradius log that seems to be the problem.

Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: Done initial handshake
Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake
[length 038d], Certificate
Wed May 21 19:31:19 2008 : *Error: --> verify error:num=20:unable to get
local issuer certificate*
Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: >>> TLS 1.0 Alert [length
0002], fatal unknown_ca
Wed May 21 19:31:19 2008 : Error: TLS Alert write:fatal:unknown CA
Wed May 21 19:31:19 2008 : Error:     TLS_accept:error in SSLv3 read client
certificate B
Wed May 21 19:31:19 2008 : Error: rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed May 21 19:31:19 2008 : Error: rlm_eap_tls: SSL_read failed in a system
call (-1), TLS session fails.
Wed May 21 19:31:19 2008 : Debug:   eaptls_process returned 13

>From searching around the net I found that one issue could be that my SSL
does not understand
that server.pem is a trusted CA. To make that happen I created hashes using
the following command,

*ln -s client.pem `openssl x509 -hash -noout 5~-in client.pem`.0*

for ca.pem/server.pem and client.pem. I then pasted the hashes and .pem
files into /usr/share/ssl/certs
folder too (out of desperation :) ). After this if I ran the command
"openssl verify *.pem" in .../raddb/certs
folder, it would return OK for all pem files. IMO this is the best to test
that all certificates are in order.
I also used the command "openssl verify -CApath . *.pem" (picked it up from
Makefile) and it returned OK too.

I must add here that my setup is totally as per the docs/config file
explanations. The radiusd.conf is configured to
use EAP as per the default config, and the certs are made by running the
make command in raddb/certs folder.
I commented out bootstrap for my exploration. I ran "make client.pem" to
create client certificates.

The supplicant client uses following configuration file:

        identity="user at example.com"
        client_cert="/usr/local/etc/raddb/certs/user at example.com.pem"

Since the logs are big enough to be a torture for people reading in digest
mode, I have put them at

It has output of radiusd -XXX followed by logs of eapol_test tool.

My OpenSSL version is 9.7a (supported by Freeradius), My next step would be
to upgrade this but it does not
look like an OpenSSL issue, Upgrading this would be a pain at the moment as
lot of people are dependent on the
setup, but this is the only recourse left from my side.

Any help would be greatly appreciated.
Sorry for the long mail, but I could not shorten it any more without missing
something important.

Thanks All

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080521/500b2701/attachment.html>

More information about the Freeradius-Users mailing list