EAP advanced auth. methods problem
Tomas Pelka
tompelka at gmail.com
Sun Nov 22 00:14:19 CET 2009
Tomas Pelka wrote:
> tnt at kalik.net wrote:
>>> Alan DeKok wrote:
>>>> Tomas Pelka wrote:
>>>>> have a problem with "advanced" EAP authentication methods including
>>>>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>>>> I wouldn't call them "advanced..."
>>>>
>>>>> Certs were created with the makefile included in freeradius sources.
>>>>>
>>>>> All my experiments ending with: decapsulated EAP packet (code=4 id=4
>>>>> len=4) from RADIUS server: EAP Failure
>> Authentication works fine - you are getting an initial Access-Accept. But
>> then:
>>
>> [ttls] Skipping Phase2 due to session resumption
>> [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
>>
>> Read cache section of eap.conf.
>>
>> Ivan Kalik
>>
>
> So if I get it right, the problem is reauthentication, right? But
>
> #tls section
> cache {
> enable = yes
> lifetime = 24 # hours
> max_entries = 255
> }
> and even no cache (enable=no) does not work.
>
> TTLS-MD5/MSCHAPv2 and PEAP work with cache enabled (inside the ttls section).
>
> Thanks.
>
So the problem is in the certificate:
[tls] <<< TLS 1.0 Handshake [length 038d], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# openssl verify -CApath ca.pem client.pem
client.pem: /C=FR/ST=Radius/O=Example
Inc./CN=user at example.com/emailAddress=user at example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
I'm a little bit confused, I created the client certificate using make
client. Isn't it possible that the freeradius Makefile is buggy?
Cheers
--
Tom
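The log above shows the server failing client-certificate verification with error 20 ("unable to get local issuer certificate") and answering with a fatal unknown_ca alert; the same error 20 comes back from the manual openssl verify at the end of the mail. The script below is an added example, not code from this thread or from FreeRADIUS: it builds a throwaway CA and client certificate (all subjects, file names and the working directory are constructed for the demo) and then verifies the client certificate three ways, to show how the result depends on how the issuer certificate is handed to openssl. -CAfile expects a PEM file, while -CApath expects a directory of certificates named by subject hash (what c_rehash prepares), so pointing -CApath at a single file finds no issuer and reports error 20 even for a perfectly valid chain.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): create a demo
# CA plus a client certificate it signs, then verify the client certificate
# with -CAfile, with -CApath mistakenly given a file, and with a proper
# -CApath directory. All names and paths are constructed for this demo.
set -e

WORK="${TMPDIR:-/tmp}/eaptls-verify-demo.$$"

# Build the demo PKI: self-signed CA, then a client cert signed by that CA.
make_demo_pki() {
    mkdir -p "$WORK"
    # CA key and self-signed certificate (constructed subject, short lifetime)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" -days 2 \
        -subj "/C=FR/ST=Radius/O=Example Inc./CN=Demo CA" 2>/dev/null
    # Client key and CSR, then sign the CSR with the CA
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
        -out "$WORK/client.csr" \
        -subj "/C=FR/ST=Radius/O=Example Inc./CN=user@example.com" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" \
        -days 1 2>/dev/null
}

# 1. -CAfile takes a PEM file: this is the check that should succeed (exit 0).
verify_with_cafile() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# 2. -CApath expects a directory of hash-named certificates. Pointing it at a
#    file finds no issuer, so verification fails with error 20 (exit non-zero)
#    even though the chain itself is valid.
verify_with_capath_file() {
    openssl verify -CApath "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# 3. A correctly prepared -CApath directory: the CA certificate stored under
#    <subject_hash>.0, which is the layout c_rehash produces. Succeeds (exit 0).
verify_with_capath_dir() {
    mkdir -p "$WORK/cadir"
    hash=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
    cp "$WORK/ca.pem" "$WORK/cadir/$hash.0"
    openssl verify -CApath "$WORK/cadir" "$WORK/client.pem" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

main() {
    make_demo_pki
    verify_with_cafile      && echo "-CAfile ca.pem:        OK"
    verify_with_capath_file || echo "-CApath ca.pem (file): FAIL (error 20 expected)"
    verify_with_capath_dir  && echo "-CApath cadir/:        OK"
    cleanup
}

main "$@"
```

When the server-side verification is what fails, the equivalent check is to run openssl verify with the CA file the tls section actually points to (CA_file in eap.conf) against the certificate the supplicant presents; a chain that passes there but is still rejected by the server points at the server's configured trust store rather than at the Makefile that produced the certificates.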