blockage in my Freeradius configuration [First SOLVED] self signed certificate in certificate chain [NOK]
Yves Deuscher
deusyv at gmail.com
Sun Feb 2 22:41:55 CET 2014
I changed the rule and this is solved.
My users file:
_______________________________________
DEFAULT Huntgroup-Name == "cisco"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15",
	Fall-Through = Yes

DEFAULT Group == "Central"

DEFAULT Group == "DEP25", Client-Shortname == "25"

DEFAULT Group == "DEP29", Client-Shortname == "29"

DEFAULT Group == "DEP57", Client-Shortname == "57"

DEFAULT Auth-Type := Reject
_______________________________________
My second problem is not resolved.
Debug output:
Error: TLS Alert read:fatal:unknown CA
Sun Feb 2 22:03:14 2014 : Error: TLS_accept: failed in SSLv3 read client certificate A
Sun Feb 2 22:03:14 2014 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sun Feb 2 22:03:14 2014 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
and the user trace:
./eapol_test -c eapol-config -a xen-squeeze-freeradius -p 1812 -s testing123 -r1
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=4 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=509) - Flags 0x80
SSL: TLS Message Length: 2527
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=xen-squeeze-freeradius'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=xen-squeeze-freeradius' err='self signed certificate in certificate chain'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
My ca.cnf:
...
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = whatever
output_password = whatever
x509_extensions = v3_ca
[certificate_authority]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.com
commonName = "xen-squeeze-freeradius"
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
...
My server.cnf:
...
[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = whatever
output_password = whatever
[server]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.com
commonName = "xen-squeeze-freeradius"
I followed the guide
http://deployingradius.com/documents/configuration/certificates.html
but the FreeRADIUS error is "self-signed certificate". How do I remove this error?
thank you!!!!
2014-01-31 Alan DeKok <aland at deployingradius.com>:
> Yves Deuscher wrote:
> > For DEP commissioned the first connection goes well
> >
> >
> > Thu Jan 30 23:48:28 2014 : Info: ++[eap] returns noop
> > Thu Jan 30 23:48:28 2014 : Info: ++[unix] returns updated
> > Thu Jan 30 23:48:28 2014 : Info: [files] expand:
> > %{Client-Shortname} -> DEP25
> > Thu Jan 30 23:48:28 2014 : Info: [files] users: Matched entry DEFAULT at
> > line 208
> > Thu Jan 30 23:48:28 2014 : Info: ++[files] returns ok
>
> You'll have to look at the rest of the debug log to see what's going on.
>
> If the packets are being processed differently, it's because the
> packets are different. You'll have to look at the packets to see what's
> different. Then, re-write the rules to match both packets.
>
> > I miss something for the dynamic substitution takes place at each
> > connection or I can not be the problem taken in the right direction have?
>
> Each packet is completely independent. FreeRADIUS doesn't change its
> behavior from one packet to the next.
>
> > More I try to configure a secure WPA / TTLS working with all key
> > calculated installing Freeradius. by cons with mine I have a CA_unknown
> > error do you have a clue?
>
> Follow the EAP guide on http://deployingradius.com/ . It *will* work.
>
> If you have unknown CA errors, it's because the certificate
> configuration is wrong. Follow the guide.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
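As an added example that is not part of this thread (it assumes the openssl command-line tool is installed; the CA/server configs, key files and Common Names it writes are constructed, modelled on the ca.cnf/server.cnf quoted above but with distinct CNs for CA and server): it builds a CA-signed server certificate, then checks the server's chain the way an EAP supplicant does, once against the issuing CA and once against an unrelated CA, which reproduces the X509 error 19 seen in the eapol_test trace.

```shell
#!/bin/sh
# Added example, not code from the original thread: build a CA + server
# certificate pair from constructed configs, then verify the chain the server
# would send (-untrusted) against a chosen trust store (-CAfile).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkcnf() {  # $1 = output file, $2 = commonName, $3 = "ca" or "leaf"
  {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\ndefault_bits = 2048\n'
    [ "$3" = ca ] && printf 'x509_extensions = v3_ca\n'
    printf '[ dn ]\nC = FR\nST = Radius\nO = Example Inc.\nCN = %s\n' "$2"
    printf '[ v3_ca ]\nbasicConstraints = critical,CA:true\nsubjectKeyIdentifier = hash\n'
  } > "$1"
}

mkcnf "$WORK/ca.cnf"       "Example Inc. Root CA"   ca    # constructed CA name
mkcnf "$WORK/other-ca.cnf" "Unrelated CA"           ca    # a CA that did NOT sign the server
mkcnf "$WORK/server.cnf"   "xen-squeeze-freeradius" leaf  # server CN differs from the CA CN
for ca in ca other-ca; do
  openssl req -new -x509 -nodes -days 365 -config "$WORK/$ca.cnf" \
    -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" 2>/dev/null
done
openssl req -new -nodes -config "$WORK/server.cnf" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null

# $1 = trust store. Prints OK, or the X509 error a supplicant would log.
verify_chain() {
  out=$(openssl verify -CAfile "$1" -untrusted "$WORK/ca.pem" "$WORK/server.pem" 2>&1) \
    && { echo OK; return 0; }
  echo "$out" | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)$/X509 error \1: \2/p' | head -n 1
}

# Returns 0 when CA and server certificates carry the same subject DN; the
# FreeRADIUS raddb/certs README requires the CA and server CNs to differ.
same_subject() {
  [ "$(openssl x509 -noout -subject -in "$WORK/ca.pem")" = \
    "$(openssl x509 -noout -subject -in "$WORK/server.pem")" ]
}

echo "trusting the issuing CA:  $(verify_chain "$WORK/ca.pem")"
echo "trusting an unrelated CA: $(verify_chain "$WORK/other-ca.pem")"
same_subject && echo "WARNING: CA and server share a subject DN" || true
```

Error 19 means the chain the server presented ends in a self-signed CA that is absent from the verifier's trust store, so the place to look is the CA file the supplicant was given, not the server certificate's subject.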