EAP-TLS and client certs issued with different CA's
Bruncko Michal
Michal.Bruncko at zssos.sk
Sat Sep 13 16:17:31 CEST 2014
Hello list,
I am successfully using FreeRADIUS in our Wifi environment using EAP-TLS
in a single-CA environment, i.e. the same CA was used to sign both the server and
client SSL certificates. Now I have started to use a new certificate PKI
with a new CA hierarchy (RootCA -> SubCA -> Wifi certificates), but I
wanted to keep the existing legacy CA in place. This means:
- that I wanted to use client certificates issued by two different CAs
for EAP-TLS authentication
- and, as I mentioned before, the new CA is a subCA of the new rootCA
- and the server certificate is still signed using the legacy CA
I looked over older posts and it looks like this scenario is supported
by FreeRADIUS and can be achieved in two ways:
- using CA_file (within the tls section in eap.conf) pointing to a file
bundling all CA-related certificates (i.e. legacy CA, new SubCA and
RootCA), or
- using CA_path pointing to a directory with separate CA *.pem files (and
running "c_rehash" over that directory), with both subCA and rootCA in a single
pem file (but I tried to separate them as well)
The problem is that every time I wanted to authenticate a client
using a certificate signed by the subCA, I always got:
[campuswifi] Request found, released from the list
[campuswifi] EAP/tls
[campuswifi] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 03d6], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[campuswifi] Handler failed in EAP/tls
[campuswifi] Failed in EAP select
Questions:
- what am I doing wrong? Am I missing anything in order to get working EAP-TLS
authentication with both the legacy CA and the new CA?
Recall: please note that the new CA is not self-signed, but signed by
another rootCA authority (also created by me).
Thanks for any help
--
Ing. Michal Bruncko, PhD., CCNP, RHCSA
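A way to check the trust store outside FreeRADIUS, as an added example that is not part of the original post: a constructed lab PKI (a legacy CA plus a RootCA -> SubCA -> client chain, with assumed names) is built with the openssl CLI, and then the same bundle one would hand to CA_file, or the hashed directory one would hand to CA_path, is tested with openssl verify. Leaving the SubCA out of the bundle reproduces the "num=20: unable to get local issuer certificate" failure from the debug log above, while the complete bundle verifies clients from both CAs. Assumes OpenSSL 1.1.1 or newer and a POSIX shell.

```shell
#!/bin/sh
# Constructed lab PKI (not the poster's real certificates):
#   Legacy CA -> legacy-client   and   New Root CA -> New SubCA -> new-client
set -eu
W=$(mktemp -d); cd "$W"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
# csr <name> <CN>: fresh RSA key plus certificate request
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
# mk_ca <name> <CN>: self-signed CA; mk_signed <name> <issuer> <CN> <extfile>: issued by <issuer>
mk_ca() { csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile ca.ext -out "$1.pem" 2>/dev/null; }
mk_signed() { csr "$1" "$3"
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -days 30 \
    -extfile "$4" -out "$1.pem" 2>/dev/null; }
mk_ca     legacy "Legacy Wifi CA"
mk_ca     root   "New Root CA"
mk_signed sub    root   "New Wifi SubCA" ca.ext
mk_signed oldclt legacy "legacy-client"  leaf.ext
mk_signed newclt sub    "new-client"     leaf.ext

# CA_file style. verify_errnum <client.pem> <ca.pem...>: concatenate the CAs into one
# bundle (what CA_file points at) and print the X509 error number openssl reports
# (20 = unable to get local issuer certificate, as in the debug log), or nothing if OK.
verify_errnum() {
  c=$1; shift; cat "$@" > bundle.pem
  openssl verify -CAfile bundle.pem "$c" 2>&1 | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}
# CA_path style. mk_capath <dir> <ca.pem...>: one file per CA named <subject-hash>.N,
# which is what c_rehash (or "openssl rehash") produces for the directory.
mk_capath() {
  d=$1; shift; mkdir -p "$d"
  for f in "$@"; do
    h=$(openssl x509 -hash -noout -in "$f"); i=0
    while [ -e "$d/$h.$i" ]; do i=$((i + 1)); done   # .0, .1, ... on hash collisions
    cp "$f" "$d/$h.$i"
  done
}
# verify_path <client.pem> <dir>: succeeds only if the whole chain is found under <dir>
verify_path() { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

echo "new client, bundle missing SubCA  : err $(verify_errnum newclt.pem legacy.pem root.pem)"
echo "new client, bundle with SubCA+Root: err $(verify_errnum newclt.pem legacy.pem sub.pem root.pem)"
echo "legacy client, same full bundle   : err $(verify_errnum oldclt.pem legacy.pem sub.pem root.pem)"
mk_capath cadir legacy.pem sub.pem root.pem
verify_path newclt.pem cadir && verify_path oldclt.pem cadir && echo "CA_path dir: both clients verify"
```

If the complete bundle verifies the client here but the server still logs num=20, the file or directory FreeRADIUS actually loads is not the one just tested.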
More information about the Freeradius-Users mailing list