need help - force EAP-TTLS to validate the server certificate

John Dennis jdennis at redhat.com
Fri Sep 17 17:26:56 CEST 2010


On 09/17/2010 11:00 AM, Klaus Laus wrote:
>
> thanks a lot for your answer.
>> Either move the "files" module before "eap", or use unlang to set it:
>>
>> authorize {
>>     ...
>>     update control {
>>       EAP-TLS-Require-Client-Cert = yes
>>     }
>>     eap
>>     ...
>> }
> I made the changes in the authorize section, and freeradius seems to require the client certificate. But the server does not accept my certificate. I don't think that the certificate is bad, because I can log in any client with the same certificate when I use TLS instead of PEAP.
> This is my way to log in with PEAP on a Windows XP client; maybe I am doing something wrong?:
> I import the PKCS12 certificate from the freeradius server in the Windows XP certificate management. When I type certmgr.msc under "Run" I can see that the certificate is successfully imported. Then I scan for the wireless networks and connect to wifix; I use PEAP with MSCHAP v2 and type in testuser as the user with the correct password.
> Here you can see the debug output (freeradius did not find my certificate):

That's right, the server didn't get your cert; it's right there in the debug. As Alan said, this isn't a server issue, it's a client issue: figure out why your client is not returning a cert.

> TLS Alert write:fatal:handshake failure
>      TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> SSL: SSL_read failed in a system call (-1), TLS session fails.
-- 
John Dennis <jdennis at redhat.com>
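The debug excerpt quoted above is the usual way this failure shows up in `radiusd -X` output. The following script is an added example, not code from the thread or from the FreeRADIUS project: it scans debug output for the fatal TLS alert and maps the OpenSSL error string to the side that has to be fixed (here, the client not presenting a certificate). The sample input is constructed from the lines quoted in the thread, and the rule table mapping error strings to a "which side" hint is an assumption of this example, not FreeRADIUS documentation.

```python
"""Classify TLS handshake failures in FreeRADIUS debug output (radiusd -X).

Added example, not part of the mailing-list thread or of FreeRADIUS.
The RULES table (error string -> which side to look at) is an assumption
made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (regex over one debug line, side to investigate, short explanation).
# Assumed mapping for this example; extend it with the strings seen on your own server.
RULES = [
    (re.compile(r"peer did not return a certificate"),
     "client",
     "client presented no certificate although the server requires one "
     "(EAP-TLS-Require-Client-Cert = yes)"),
    (re.compile(r"unknown ca|certificate verify failed"),
     "trust",
     "one side does not trust the issuing CA of the other side's certificate"),
    (re.compile(r"certificate (has )?expired"),
     "certificate",
     "a certificate in the chain is expired"),
]


@dataclass
class Finding:
    line_no: int   # 1-based line in the debug output
    side: str      # "client", "trust" or "certificate"
    reason: str
    line: str


def handshake_failed(debug_output: str) -> bool:
    """True when the output contains a fatal TLS alert or a failed SSL_read."""
    return re.search(r"TLS Alert write:fatal|SSL_read failed", debug_output) is not None


def classify_tls_failures(debug_output: str) -> list[Finding]:
    """Return one Finding per debug line that matches a known error pattern."""
    findings: list[Finding] = []
    for n, line in enumerate(debug_output.splitlines(), 1):
        for pattern, side, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(n, side, reason, line.strip()))
                break  # first matching rule wins for a given line
    return findings


# Constructed sample: the four lines quoted in the thread, nothing else.
SAMPLE_DEBUG = """\
TLS Alert write:fatal:handshake failure
     TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
"""

if __name__ == "__main__":
    if handshake_failed(SAMPLE_DEBUG):
        for f in classify_tls_failures(SAMPLE_DEBUG):
            print(f"line {f.line_no}: look at the {f.side} side: {f.reason}")
    else:
        print("no fatal TLS alert in this output")
```

Run on the sample, the script reports a single finding on the `rlm_eap: SSL error` line and attributes it to the client side, which is exactly the conclusion reached in the reply above: the server configuration is doing what it was told, and the supplicant is the place to look.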
