EAP-TLS failing after enabling crl_check

Kyle O'Malley kyleomalleyx at gmail.com
Thu Oct 15 01:54:59 CEST 2009


Hi All,

I've been very successful at getting EAP-TLS functional, up to the point of
actually getting the CRL check to work. A little background on my setup:

EAP-TLS Functional WITHOUT check_crl
CRL downloaded via http interface (windows2k) which is by default DER
format. This is converted to PEM.
CRL can be verified with "openssl crl -in crlfile.pem -text" -- this shows
up perfectly, as expected, including the serial #s of certs that are revoked.

I can verify every cert, view with openssl -text etc. All of the certs are
legit and work fine for non-crl auth so I don't think there is anything
wrong with my certs. I've converted the private/public/cacerts into .pfx and
extracted individual certs, just the cacerts, tried various bundles,
everything is smooth, but makes no difference.
The CA is running on win2k3, openssl isn't used on the freeradius box as a
CA.
I run a perl script c_rehash to create the symbolic links as hashed names to
the PEM certs (c_rehash even seems to 'know' the CRL file is a crl by making
it whatever.r0)
Also verified permissions (freeradius will fail anyways if permissions to
the certs don't work).
In short, I've tried everything I can think of and no matter what, once I
enable crl_check, clients are rejected.

Full error msg below, however, this is the initial error:

[tls] <<< TLS 1.0 Handshake [length 1076], Certificate
--> verify error:num=3:unable to get certificate CRL


See my config below; running radiusd -X -f.



Here is my config:

certdir = ${confdir}/certs
cadir = ${confdir}/certs

private_key_password = "blah"
private_key_file = ${certdir}/ca/freeradius-priv.pem

#  If Private key & Certificate are located in
#  the same file, then private_key_file &
#  certificate_file must contain the same file
#  name.
#
#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/ca/freeradius-pub.pem

#  Trusted Root CA list
#
#  ALL of the CA's in this list will be trusted
#  to issue client certificates for authentication.
#
#  In general, you should use self-signed
#  certificates for 802.1x (EAP) authentication.
#  In that case, this CA file should contain
#  *one* CA certificate.
#
#  This parameter is used only for EAP-TLS,
#  when you issue client certificates.  If you do
#  not use client certificates, and you do not want
#  to permit EAP-TLS authentication, then delete
#  this configuration item.
CA_file = ${cadir}/ca/ca.pem

#
#  For DH cipher suites to work, you have to
#  run OpenSSL to create the DH file first:
#
#       openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random

#
#  This can never exceed the size of a RADIUS
#  packet (4096 bytes), and is preferably half
#  that, to accommodate other attributes in the
#  RADIUS packet.  On most APs the MAX packet
#  length is configured between 1500 - 1600.
#  In these cases, fragment size should be
#  1024 or less.
#
#       fragment_size = 1024

#  include_length is a flag which is
#  by default set to yes.  If set to
#  yes, Total Length of the message is
#  included in EVERY packet we send.
#  If set to no, Total Length of the
#  message is included ONLY in the
#  First packet of a fragment series.
#
#       include_length = yes

#  Check the Certificate Revocation List
#
#  1) Copy CA certificates and CRLs to the same directory.
#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
#     'c_rehash' is OpenSSL's command.
#  3) Uncomment the line below.
#  4) Restart radiusd.
check_crl = yes
crl_path = "/etc/raddb/certs/ca/crl.pem"
CA_path = "/etc/raddb/certs/ca/"
#pem_file_type = yes



Here is the error:


[tls] <<< TLS 1.0 Handshake [length 1076], Certificate
--> verify error:num=3:unable to get certificate CRL
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [apophxw88397hpyjx.apollogrp.edu] (from client wireless_access_point1 port 12289 cli 00-26-B0-61-FD-32)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} ->


Here is the CApath directory:

lrwxrwxrwx 1 root root      18 Oct 14 16:40 7a1f8db1.0 -> freeradius-pub.pem
lrwxrwxrwx 1 root root       6 Oct 14 16:40 a7454e50.0 -> ca.pem
lrwxrwxrwx 1 root root       7 Oct 14 16:40 a7454e50.r0 -> crl.pem
-r--r----- 1 root radiusd 1760 Oct 14 16:18 ca.pem
-rw-rw-r-- 1 root radiusd 1877 Oct 14 16:40 crl.pem
-r--r----- 1 root radiusd 1751 Oct 14 16:40 freeradius-priv.pem
-r--r----- 1 root radiusd 2268 Oct 14 16:40 freeradius-pub.pem


I can post a more lengthy failure log if someone wants it - my question is,
has anyone got this working without running the openssl CA right on the same
box as freeradius? What am I missing? Thank you for any assistance.
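Added example (written here for this page; it is not code from the post, from the FreeRADIUS project or from OpenSSL's own tooling): the OpenSSL side of what check_crl depends on, run outside RADIUS so it can be tested in isolation. It builds a throw-away CA, client certificate and CRL under mktemp, creates the hashed names that c_rehash would create, and runs openssl verify -crl_check against that CApath. It demonstrates three things worth confirming in a setup like the one above: that the CA's subject hash (the name of the .0 link) is identical to the CRL's issuer hash (the name of the .r0 link); that a CApath holding the CA but no matching .r0 entry fails with exactly verify error 3 (X509_V_ERR_UNABLE_TO_GET_CRL, "unable to get certificate CRL"), which is the error in the radiusd -X output; and that a revoked client is rejected with "certificate revoked" once the CRL is regenerated. The assumption is that FreeRADIUS's check_crl amounts to OpenSSL's X509_V_FLAG_CRL_CHECK on the server's certificate store, so openssl verify -crl_check -CApath is the closest stand-alone equivalent; -crl_check_all is the variant that additionally demands a CRL for every intermediate CA in the chain. The CA name, client name, serial numbers and paths are all invented for the demo.

```shell
#!/bin/sh
# Added example (not from the post, FreeRADIUS or OpenSSL): reproduce the
# CApath-based CRL lookup that check_crl / CA_path rely on, outside RADIUS.
# Every name and path below is made up for the demo and lives in a
# throw-away directory.
set -u

# Build a one-level PKI in $1: CA, client cert, an initially empty CRL, plus
# the minimal openssl.cnf that 'openssl ca' needs to revoke and re-issue.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir/capath" "$dir/capath_nocrl"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
default_md       = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    : > "$dir/index.txt"
    : > "$dir/index.txt.attr"
    echo 01 > "$dir/serial"
    # Self-signed issuing CA; keyUsage carries cRLSign so its CRL verifies.
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "/CN=Demo Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Client certificate signed directly by that CA (serial 0x1000, invented).
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" -keyout "$dir/client.key" \
        -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -set_serial 4096 \
        -out "$dir/client.pem" 2>/dev/null
    # Empty CRL: nothing revoked yet, but -crl_check still requires one.
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 30 \
        -out "$dir/crl.pem" 2>/dev/null
    populate_capath "$dir"
}

# The lookup names OpenSSL expects in CA_path, i.e. what c_rehash produces:
# the CA as <subject hash>.0 and its CRL as <issuer hash>.r0. The two
# hashes must be identical or the CRL is never found (verify error 3).
ca_subject_hash() { openssl x509 -noout -hash -in "$1/ca.pem"; }
crl_issuer_hash() { openssl crl  -noout -hash -in "$1/crl.pem"; }

populate_capath() {
    dir=$1
    ln -sf "$dir/ca.pem"  "$dir/capath/$(ca_subject_hash "$dir").0"
    ln -sf "$dir/crl.pem" "$dir/capath/$(crl_issuer_hash "$dir").r0"
    # Same CA but no .r0 link: the shape that fails with
    # "unable to get certificate CRL" once CRL checking is on.
    ln -sf "$dir/ca.pem"  "$dir/capath_nocrl/$(ca_subject_hash "$dir").0"
}

# By hand, the check the RADIUS server hands to OpenSSL with check_crl = yes
# (assumed to be X509_V_FLAG_CRL_CHECK): build the chain from the hashed
# CA_path and require a CRL for the leaf's issuer. -crl_check_all would also
# demand one for every intermediate CA. Prints OpenSSL's verdict (both
# streams) and always returns 0 so the caller can inspect the text.
verify_client() {
    out=$(openssl verify -crl_check -CApath "$1" "$2" 2>&1) || true
    printf '%s\n' "$out"
}

# Revoke the client cert and cut a fresh CRL; the same verify must now
# report "certificate revoked" (error 23) instead of OK.
revoke_client() {
    dir=$1
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/client.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 30 \
        -out "$dir/crl.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    echo "CA subject hash : $(ca_subject_hash "$d")"
    echo "CRL issuer hash : $(crl_issuer_hash "$d")"
    echo "--- with CRL link:";    verify_client "$d/capath"       "$d/client.pem"
    echo "--- without CRL link:"; verify_client "$d/capath_nocrl" "$d/client.pem"
    revoke_client "$d"
    echo "--- after revocation:"; verify_client "$d/capath"       "$d/client.pem"
    rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as `sh crl_capath_demo.sh --demo` (file name is arbitrary). Two caveats carry over to a real CA_path: the hashed file names depend on the subject-hash algorithm of the OpenSSL build, which changed in 1.0.0, so the links must be generated by the same OpenSSL the RADIUS server is linked against; and the symlink only names the file, so replacing crl.pem in place keeps the lookup working, but once its nextUpdate passes verification fails again with a different error (X509_V_ERR_CRL_HAS_EXPIRED, "CRL has expired"), which is why the CRL fetch from the CA has to be scheduled, not done once.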