CA.all and CA.certs in Freeradius 2.x

Vegard Svanberg vegard at svanberg.no
Wed Oct 8 09:58:19 CEST 2008


* Vegard Svanberg <vegard at svanberg.no> [2008-10-07 12:16]:

> > Perhaps you should bother reading the mysteriously named file README in
> > /certs directory before asking questions.
> 
> Seems the file got lost during the transition from 1.x. Thanks!

Hm, something is not working right, but I'm not sure where. Created (ca,
server, client) certificates per the instructions in the README file.
Enabled EAP-TLS in eap.conf and verified that paths etc. are correct.
Then created the client certificate and imported it on the client. -X
gives me this before it fails:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 1497
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls] <<< TLS 1.0 Handshake [length 0393], Certificate  
--> verify error:num=20:unable to get local issuer certificate 
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca  
TLS Alert write:fatal:unknown CA 
    TLS_accept:error in SSLv3 read client certificate B 
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4 
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> testuser2

Also, openssl can't verify the generated client certificate:

$ openssl verify -CAfile ca.pem client.pem
client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/emailAddress=test at email
error 20 at 0 depth lookup:unable to get local issuer certificate

Oh BTW, there is a small error in the README; on line 132 it reads:

> The users certificate will be in "commonName.pem",
> i.e. "user at example.com.pem".

This is wrong; the Makefile is using emailAddress.

-- 
Vegard Svanberg <vegard at svanberg.no> [*Takapa at IRC (EFnet)]
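The "error 20 ... unable to get local issuer certificate" result above means the CA file handed to openssl (and to eap.conf) is not the CA that signed the client certificate. The script below is an added example, not part of the original post or the FreeRADIUS project: it builds two constructed CAs and a client certificate signed by one of them, then runs the same `openssl verify -CAfile` check to show which CA the client actually chains to. It assumes an `openssl` binary on PATH; all names, CNs and paths are made up.

```shell
#!/bin/sh
# Added example: reproduce and diagnose the "unable to get local issuer
# certificate" (error 20) check from the post with constructed test material.
# Assumption: openssl is on PATH. Everything is written to a temp directory.
set -e
WORK=$(mktemp -d)

# make_ca PREFIX CN: self-signed CA key + cert (constructed test data).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client CA_PREFIX PREFIX: client key + CSR, signed by the given CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testuser2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# verify_client CA_PEM CLIENT_PEM: the check the post ran. Returns 0 when the
# client chains to CA_PEM; otherwise prints the issuer the client names and
# returns 1, which is the error-20 case seen in the post.
verify_client() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "$2: OK, chains to $(openssl x509 -noout -subject -in "$1")"
        return 0
    fi
    echo "$2: does NOT chain to $1 (openssl verify error 20 case)"
    echo "client says its issuer is: $(openssl x509 -noout -issuer -in "$2")"
    return 1
}

# Constructed scenario: the client was signed by "Good CA", not "Other CA".
make_ca good "Good CA"
make_ca other "Other CA"
make_client good client

# Stand-alone demonstration: first call succeeds, second reports the mismatch.
verify_client "$WORK/good.pem" "$WORK/client.pem" || true
verify_client "$WORK/other.pem" "$WORK/client.pem" || true
```

Run the same `verify_client` with the exact `CA_file` and client certificate paths used in eap.conf to confirm that the server is pointed at the CA that really issued the client certificate.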