EAP-TLS with server and client certificates by different CA
Mikhail Gaidamaka
"mikhail.gaydamaka" at eltex.nsk.ru
Wed Aug 5 05:11:32 CEST 2015
Good day
We use FreeRADIUS 2.1.10 to authorize wi-fi clients.
Step 1: many clients' devices check the server certificate, so we have a
Comodo EssentialSSL certificate for the server.
Its certificate chain:
- radius_eltex_nsk_ru.crt
- http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
- http://crt.comodoca.com/COMODORSAAddTrustCA.crt
- AddTrust External CA Root
EAP-PEAP-mschapv2 works fine with this certificate.
Step 2: we want to authorize clients with EAP-TLS.
We created a self-signed CA (/etc/ssl/eltex/eltex-ca.crt) and some client
certs (maria.crt, for example).
eap.conf has these parameters:
    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
        md5 {
        }
        leap {
        }
        gtc {
            #challenge = "Password: "
            auth_type = PAP
        }
        tls {
            certdir = ${confdir}/certs
            cadir = /etc/ssl/eltex
            private_key_password = 123456
            private_key_file = ${certdir}/radius.eltex.nsk.ru.key
            certificate_file = ${certdir}/radius_eltex_nsk_ru.crt
            CA_file = ${cadir}/eltex-ca.crt \
                      ${certdir}/COMODORSADomainValidationSecureServerCA.crt \
                      ${certdir}/COMODORSAAddTrustCA.crt \
                      ${certdir}/AddTrustExternalCARoot.crt
            dh_file = ${certdir}/dh
            random_file = /dev/urandom
            # fragment_size = 1024
            # include_length = yes
            # check_crl = yes
            CA_path = ${certdir}
            # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
            # check_cert_cn = %{User-Name}
            cipher_list = "DEFAULT"
            make_cert_command = "${certdir}/bootstrap"
            cache {
                enable = no
                lifetime = 24 # hours
                max_entries = 255
            }
            verify {
                tmpdir = /tmp/radiusd
                client = "/usr/bin/openssl verify -CApath ${..cadir} %{TLS-Client-Cert-Filename}"
            }
        }
    }
'cadir' contains eltex-ca.crt, eltex-ca.key only
And now we can't authorize with EAP-TLS.
The client's device sends 'alert unknown ca' (which CA, server or client, I
can't tell).
It was OK when the server and client certificates were both signed by eltex-ca.
I get this error in /var/log/syslog:
    wpa_supplicant[926]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/OU=Domain Control Validated/OU=EssentialSSL/CN=radius.eltex.nsk.ru'
    wpa_supplicant[926]: OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I tried installing all my server certs into the system:
# sudo update-ca-certificates
4 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updating keystore /etc/ssl/certs/java/cacerts...
added: /etc/ssl/certs/AddTrustExternalCARoot.pem
added: /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.pem
added: /etc/ssl/certs/radius_eltex_nsk_ru.pem
added: /etc/ssl/certs/COMODORSAAddTrustCA.pem
done.
done.
But it is still not authorized, with the same error.
Can we use server and client certificates signed by different CAs on one
server?
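An added example, not part of the post or of FreeRADIUS: FreeRADIUS expects CA_file to name a single PEM file in which all trusted CA certificates (here the private eltex-ca plus the Comodo intermediates and root that clients need to chain the server certificate) are concatenated, not a backslash-continued list of paths. The script below builds that bundle from the files named in the config and refuses to continue if a source holds a private key (eltex-ca.key sits in the same cadir) or no PEM certificate at all; the paths under the `__main__` guard are assumed.

```python
import re
from pathlib import Path

# One PEM block: BEGIN <label> ... END <same label>; re.S lets the body span lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)


def merge_pem_sources(sources):
    """Merge (name, pem_text) pairs into the text of one CA_file bundle.

    Keeps only CERTIFICATE blocks (deduplicated), ignores other PEM blocks
    such as an 'X509 CRL', and raises if a source contains a private key
    (a key in CA_file is a leak) or no certificate (DER file or wrong path,
    which would leave the sent chain short). Returns (bundle_text, count).
    """
    kept, seen = [], set()
    for name, text in sources:
        found = 0
        for m in PEM_BLOCK.finditer(text):
            label, block = m.group(1), m.group(0)
            if "PRIVATE KEY" in label:
                raise ValueError(f"{name}: contains a {label}; keys never belong in CA_file")
            if label != "CERTIFICATE":
                continue
            found += 1
            if block not in seen:  # the same CA listed twice is fine, keep one copy
                seen.add(block)
                kept.append(block)
        if found == 0:
            raise ValueError(f"{name}: no PEM CERTIFICATE block (DER file or wrong path?)")
    return "\n".join(kept) + "\n", len(kept)


def build_ca_bundle(pem_paths, out_path):
    """Read the files, merge them and write the bundle CA_file should point at."""
    sources = [(p, Path(p).read_text()) for p in pem_paths]
    bundle, count = merge_pem_sources(sources)
    Path(out_path).write_text(bundle)
    return count


if __name__ == "__main__":
    # Assumed paths following the post's layout: the client CA plus the server's chain.
    certdir = "/etc/freeradius/certs"
    n = build_ca_bundle(
        ["/etc/ssl/eltex/eltex-ca.crt",
         f"{certdir}/COMODORSADomainValidationSecureServerCA.crt",
         f"{certdir}/COMODORSAAddTrustCA.crt",
         f"{certdir}/AddTrustExternalCARoot.crt"],
        f"{certdir}/ca-bundle.pem")
    print(f"wrote {n} certificates; set CA_file = {certdir}/ca-bundle.pem")
```

Because every CA in the bundle is trusted for client certificates too, a client certificate issued under the Comodo chain would also pass; pairing this with check_cert_issuer set to the eltex-ca subject DN limits EAP-TLS to the private CA.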