802.1x auth EAP-TLS problem

[Phil Mayers]

On 06/28/2011 08:41 AM, Marco Londero wrote:
> Hi folks,
>
> I have a problem in my freeradius setup and I'm looking for some hints
> about that.
>
> Scenario:
>
> 1) GNU/Linux client w/ WPA supplicant configured to request access through
> EAP-TLS using a certificate (in order to achieve 802.1x ethernet
> authentication)
> 2) 802.1x enabled switch where client is connected
> 3) user/pass 802.1x authentication works fine (MSCHAPv2 based)
> 4) freeradius authenticates users on LDAP
>
> Freeradius debug log of the issue is here:

Debug logs should be a) not trimmed and b) gathered with "radiusd -X | 
tee log" for best effect. However:

>
> -------
> http://pastie.org/2132916
> -------
>
> All certificates should be ok (both on server and client):

Well, they're not. The debug says:

Mon Jun 27 15:42:13 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 
0566], Certificate
Mon Jun 27 15:42:13 2011 : Error: --> verify error:num=20:unable to get 
local issuer certificate
Mon Jun 27 15:42:13 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], 
fatal unknown_ca
Mon Jun 27 15:42:13 2011 : Error: TLS Alert write:fatal:unknown CA
Mon Jun 27 15:42:13 2011 : Error:     TLS_accept:error in SSLv3 read 
client certificate B
Mon Jun 27 15:42:13 2011 : Error: rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Jun 27 15:42:13 2011 : Error: SSL: SSL_read failed in a system call 
(-1), TLS session fails.


Since you've trimmed the debug I can't see the config for your tls { } 
module, but you're missing a CA somewhere.