Freeradius and EAP_TLS Problem:

Armin Maier ma2412 at gmx.de
Wed Jan 23 10:32:46 CET 2013


Hello!
I have been using Windows 7, Freeradius 2.1.10 from Debian Squeeze, HP 
MSM710 WLAN controller and EAP_TLS Computer Certificate Authentication 
for a long time and it worked perfectly. I used Certificates created on the 
Debian server by openssl including the extensions for Client 
Authentication and Server Authentication.
Now we want to activate port security on our physical switches and use 
the same radius server, so we installed a Windows Enterprise Root CA for 
autoenrollment of the Client and server certificates. I also created a 
RAS IAS Certificate for the Radius Server and installed them; they are 
loaded without any problems, but authentication of the Windows 7 client 
does not work anymore.

I searched the internet for a comparable setup but I cannot find any 
hints for using Microsoft Enterprise CA with freeradius server; maybe 
everywhere else it works like a charm :) , but I cannot believe it!

So my first question: does someone use Microsoft Enterprise CA 
Certificates with freeradius in a working environment, and do I have to 
regard something special?

Running "freeradius -X" gives me the following errors:

...
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
   TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08d7], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0062], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client 
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
...


I updated to Debian wheezy to get a newer freeradius version, but 
nothing changed.

The Radius Server Certificate includes the following attributes (output of 
"openssl x509 -text -in <cert> -noout"):

         X509v3 extensions:
             X509v3 Key Usage:
                 Digital Signature, Key Encipherment
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Key Identifier:
                 1D:22:6F:1B:8B:F9:DE:C7:D2:FC:8A:17:97:87:EA:8B:D0:0D:27:31
             X509v3 Authority Key Identifier:
                 
keyid:0F:BB:BB:14:63:C3:07:52:CE:D9:74:94:6A:83:83:45:A4:94:2A:5B

             Authority Information Access:
                 CA Issuers - 
URI:ldap:///CN=xxx%20Certificate%20Services%20A,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=xx?cACertificate?base?objectClass=certificationAuthority

             1.3.6.1.4.1.311.21.7:
                 0..&+.....7.....c..;.......^...S.*..........d...
             1.3.6.1.4.1.311.21.10:
                 0.0
..+.......0
..+.......


The Client Certificates include the following attributes:

Key usage:    Digital Signature, Key Encipherment (a0)
Enhanced Key Usage:    Client Authentication (1.3.6.1.5.5.7.3.2)

The client attributes also include
- Authority Information Access
- CRL Distribution Points
- Certificate Template Information
which have very long values with special characters like _%/=:?; might this 
be a problem?
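The debug output above stops after FreeRADIUS has sent CertificateRequest and is waiting for the client's certificate ("read client certificate A"), so the useful checks are on the certificate side: that the client certificate chains to the CA bundle FreeRADIUS loads (the ca_file in eap.conf), and that it carries the Key Usage and Extended Key Usage values listed in the post. The script below is an added example, not part of the original post and not FreeRADIUS code; it assumes openssl (1.1.1 or newer) is on PATH, and the file names, the throw-away "Test Root CA" and the "laptop01" client certificate are constructed placeholders used only to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for an
# EAP-TLS client certificate against the CA bundle FreeRADIUS will load.
# Assumes "openssl" 1.1.1+ is on PATH. All file names are placeholders.

# check_client_cert <ca-bundle.pem> <client-cert.pem>
# Returns 0 when the certificate should pass EAP-TLS, 1 otherwise.
check_client_cert() {
    ca="$1"
    cert="$2"
    rc=0

    # 1. The chain must build against the bundle used as eap.conf ca_file,
    #    for the TLS-client purpose. An issuing CA missing from the bundle
    #    or an unsuitable EKU shows up here as a verify failure.
    if ! openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca for purpose sslclient"
        rc=1
    fi

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null)

    # 2. Extended Key Usage must list clientAuth (1.3.6.1.5.5.7.3.2).
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
            | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: extendedKeyUsage lacks TLS Web Client Authentication"
        rc=1
    fi

    # 3. Key Usage must allow Digital Signature: the client signs the
    #    TLS CertificateVerify message with this key.
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
            | grep -q 'Digital Signature'; then
        echo "FAIL: keyUsage lacks Digital Signature"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert"
    return "$rc"
}

# make_test_pki <dir>: constructed test data only. Builds a throw-away CA,
# a "good" client certificate with the extensions the post lists, and a
# "bad" one that carries only serverAuth (the kind of mistake a wrongly
# chosen certificate template produces).
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/client.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = laptop01
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -config "$dir/client.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
        > "$dir/good.ext"
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$dir/bad.ext"
    for kind in good bad; do
        openssl x509 -req -days 1 -in "$dir/client.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/$kind.ext" -out "$dir/$kind.pem" >/dev/null 2>&1
    done
}

# Usage: sh check_eap_tls_client_cert.sh ca-bundle.pem client-cert.pem
if [ "$#" -eq 2 ]; then
    check_client_cert "$1" "$2"
fi
```

Pass the same bundle FreeRADIUS reads as ca_file, including any issuing (intermediate) CA from the Enterprise PKI, not just the root: the names in that file are also what the server advertises in the CertificateRequest, and a client whose issuer is not in that list will not send its certificate, which matches the stall seen in the debug output.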