EAP-TTLS auth

Fernando Calvelo Vazquez fernando.calvelo at esrf.fr
Tue Dec 8 16:57:08 CET 2009


1.- Sorry for the HTML mail mess.
2.- Now I have signed the client certificate by using the "Makefile"
v.2.1.8-pre (just to be sure that I generate the certificates correctly).

So, client certificate:
- subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailAddress=user at example.com
- issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin at example.com/CN=radiusserv.esrf.fr

Server certificate:
- subject=/C=FR/ST=Isere/O=ESRF/CN=radiusserv.esrf.fr/emailAddress=admin at example.com
- issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin at example.com/CN=radiusserv.esrf.fr

I have loaded ca.der under "Trusted Root CA".
Also I have loaded client.p12 under "Personal Certificates".
And the default configuration is in eap.conf:
-  private_key_file = ${certdir}/server.pem
-  certificate_file = ${certdir}/server.pem
-  CA_file = ${cadir}/ca.pem

It still works with the "Microsoft: Smart Card or other Certificate"
authentication method,
but not with "Intel: EAP-TTLS" with "PAP user/password", "Server
Certificate Validation" + "Specify Server or Certificate Name" (if I
remove the last part... it also works fine!!)
Also I am not able to test EAP-TLS auth (not present in the Windows
supplicant software).

I have tried both CNs as the parameter for "Server or Certificate Name" (on
the "Step 2 of 2" at the EAP-TTLS auth method of the Windows supplicant
software)

- Server or Certificate Name == swatzy01.esrf.fr
- Server or Certificate Name == radiusserv.esrf.fr

With the same result:

[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4

Should I load the server certificate under "Intermediate Certification
Authorities" on the Windows side?
Any other idea why it works fine with the "Microsoft: Smart Card or other
Certificate" authentication method and is not considered a valid
certificate when I use EAP-TTLS?

Thanks in advance for your help.
Regards,

    Fernando.


tnt at kalik.net wrote:
>> Hi again:
>>
>> I have just tried with both CNs that I could find in my 'client
>> certificate'
>>
>> subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailAddress=user at example.com
>> issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin at example.com/CN=radiusserv.esrf.fr
>>
>> So I have tested with:
>> - Server or Certificate Name == swatzy01.esrf.fr
>> - Server or Certificate Name == radiusserv.esrf.fr
>>
>> But with the same result:
>>
>> Found Auth-Type = EAP
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] EAP/ttls
>> [eap] processing type ttls
>> [ttls] Authenticate
>> [ttls] processing EAP-TLS
>> [ttls] eaptls_verify returned 7
>> [ttls] Done initial handshake
>> [ttls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert read:fatal:unknown CA
>>     TLS_accept:failed in SSLv3 read client certificate A
>> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca
>> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>> TLS receive handshake failed during operation
>> [ttls] eaptls_process returned 4
>> [eap] Handler failed in EAP/ttls
>> [eap] Failed in EAP select
>> ++[eap] returns invalid
>> Failed to authenticate the user.
>>
>> I have also already done what "Ivan Kalik" said (altering
>> certs/Makefile to sign client certificates with the ca certificate instead
>> of the server certificate.)
>> Because of that, "Microsoft: Smart Card or other Certificate" works
>> fine right now (not before)
>> But I'm still not able to perform "Intel: EAP-TTLS" with "PAP
>> user/password", "Server Certificate Validation" + "Specify Server or
>> Certificate Name" (if I remove the last part... it also works fine!!)
>>
>> Thanks in advance for all your kind help.
>> Regards,
>>
>>    Fernando.
>>
>> Alan Buxey wrote:
>>> Hi,
>>>
>>>> ...and I guess it is not due to the "Client Certificate"
>>>> because it was successfully authenticated in the previous tests
>>>> Probably it is due to my not being sure what I should write in the box reserved
>>>> for "Server or Certificate Name" (on the "Step 2 of 2" at the supplicant
>>>> Windows software)
>>>> Does anyone know what I should write in this box? I could not find a "server
>>>> name" or "domain name" in the certificate (as it is explained in the
>>>> "windows in-line help")
>>>
>>> this will be the CN of your server certificate.
>>>
>>> so, if, when your RADIUS server got signed by the CA, it became known
>>> as eg radius.happyorg.org then the name you put into the client is
>>> radius.happyorg.org
>>>
>>> don't forget, this is NOT a DNS name - it is purely a 'label' - just the CN
>>> of the server.... and you must have the CA present to check that the server
>>> cert has been signed by your trusted CA (for otherwise anyone can make a
>>> server have a dumb cert with radius.happyorg.org as its CN)
>>>
>>> alan
>>
>
> 1. Learn how to use e-mail.
>
> 2. That issuer looks like a server certificate. You say you made client
> certificates signed by the ca certificate. This doesn't seem to be one of
> them. If you can do EAP-TLS with the client certificate, you should be
> able to do EAP-TTLS with it too.
>
> Ivan Kalik
>
>   
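Editor's added example (not part of this thread and not FreeRADIUS code): the two checks the supplicant is effectively performing on the server certificate, written out over the OpenSSL one-line DNs that appear above. In the eaptls debug output "<<<" marks data received from the peer, so the fatal unknown_ca alert in the log was sent by the Windows supplicant: it could not chain the certificate presented by the RADIUS server to anything in its trusted-root store. The second check is the one Alan describes, comparing the configured "Server or Certificate Name" label with the CN of the server certificate. The script assumes the CA certificate's subject equals the issuer DN printed for both certificates (that is how an issuer field is populated), uses the DNs from the thread as a constructed sample with the archive's "at" obfuscation replaced by "@", and compares DNs as ordered RDN sequences, which is how X.509 name matching works; values containing "/" are not handled.

```python
"""Chain and name sanity checks over OpenSSL one-line DNs, as printed by
`openssl x509 -noout -subject -issuer`.  Added example, not FreeRADIUS code."""

from typing import List, Tuple

DN = List[Tuple[str, str]]  # ordered RDN list, e.g. [("C", "FR"), ("CN", "host")]


def parse_dn(line: str) -> DN:
    """Parse '/C=FR/ST=Isere/O=ESRF/CN=host', with or without the 'subject='
    or 'issuer=' label OpenSSL prints in front, into an ordered RDN list."""
    line = line.strip()
    if not line.startswith("/"):  # drop the 'subject=' / 'issuer=' label
        _label, sep, rest = line.partition("=")
        if not sep or not rest.startswith("/"):
            raise ValueError(f"not a one-line DN: {line!r}")
        line = rest
    rdns: DN = []
    for part in line.split("/")[1:]:  # [0] is the empty string before the first '/'
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN {part!r} in {line!r}")
        rdns.append((attr, value))
    return rdns


def get_cn(dn: DN) -> str:
    """Return the first commonName value, or '' if the DN has none."""
    for attr, value in dn:
        if attr.upper() == "CN":
            return value
    return ""


def dn_equal(a: DN, b: DN) -> bool:
    """X.509 matches names as ordered RDN sequences: order and every attribute
    count; only the attribute type is compared case-insensitively."""
    return [(k.upper(), v) for k, v in a] == [(k.upper(), v) for k, v in b]


def diagnose(ca_subject: str, server_subject: str, server_issuer: str,
             client_subject: str, client_issuer: str,
             configured_name: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    ca = parse_dn(ca_subject)
    srv_s, srv_i = parse_dn(server_subject), parse_dn(server_issuer)
    cli_s, cli_i = parse_dn(client_subject), parse_dn(client_issuer)
    findings: List[str] = []
    # 1. Server chain: an unknown_ca alert from the supplicant means the server
    #    certificate did not chain to anything in its trusted-root store.
    if dn_equal(srv_s, srv_i):
        findings.append("server cert is self-signed: the supplicant must trust "
                        "it directly, or it must be re-issued from the CA")
    elif not dn_equal(srv_i, ca):
        findings.append("server cert issuer != CA subject: the CA the "
                        "supplicant trusts did not sign the server cert")
    # 2. Client chain: what the EAP-TLS / smart-card method exercised.
    if not dn_equal(cli_i, ca):
        findings.append("client cert issuer != CA subject")
    # 3. Name check: the configured label is compared with the server cert CN,
    #    not resolved through DNS.
    if get_cn(srv_s) != configured_name:
        findings.append(f"configured name {configured_name!r} != server CN "
                        f"{get_cn(srv_s)!r}")
    # 4. A CA and server cert sharing a CN is legal, but the CN is the only
    #    thing the user types, so flag it for inspection.
    if get_cn(ca) == get_cn(srv_s):
        findings.append(f"CA and server cert share CN {get_cn(ca)!r}")
    return findings


# Constructed sample mirroring the DNs in the thread (hypothetical CA subject
# taken from the issuer fields; addresses de-obfuscated to '@').
CA_SUBJECT = "/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin@example.com/CN=radiusserv.esrf.fr"
SERVER_SUBJECT = "subject=/C=FR/ST=Isere/O=ESRF/CN=radiusserv.esrf.fr/emailAddress=admin@example.com"
SERVER_ISSUER = "issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin@example.com/CN=radiusserv.esrf.fr"
CLIENT_SUBJECT = "subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailAddress=user@example.com"
CLIENT_ISSUER = "issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=admin@example.com/CN=radiusserv.esrf.fr"

if __name__ == "__main__":
    # The two labels tried in the thread: the client CN fails the name check,
    # the server CN passes it.
    for name in ("swatzy01.esrf.fr", "radiusserv.esrf.fr"):
        print(f"--- Server or Certificate Name = {name}")
        found = diagnose(CA_SUBJECT, SERVER_SUBJECT, SERVER_ISSUER,
                         CLIENT_SUBJECT, CLIENT_ISSUER, name)
        for line in found or ["all checks passed"]:
            print("   ", line)
```

Run it against the real files with `openssl x509 -in server.pem -noout -subject -issuer` and `openssl x509 -in ca.pem -noout -subject` and feed those lines in; if the CA subject does not match the server issuer exactly, the supplicant's unknown_ca alert is explained regardless of the name setting.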




More information about the Freeradius-Users mailing list