Machine auth fails but user auth works
Dennis Xu
dxu at uoguelph.ca
Fri Dec 4 16:01:50 CET 2015
I have configured the client to trust the server certificate and installed the server certificate in the client's "Trusted Root CA" certificate store, and still the same thing.
Then I also unchecked "validate server certificate" on the client; it still cannot connect, but I see a different message in the FreeRadius debug output:
(75) eap_peap : processing EAP-TLS
(75) eap_peap : eaptls_verify returned 7
(75) eap_peap : Done initial handshake
(75) eap_peap : eaptls_process returned 7
(75) eap_peap : FR_TLS_OK
(75) eap_peap : Session established. Decoding tunneled attributes
(75) eap_peap : Peap state send tlv failure
(75) eap_peap : Received EAP-TLV response
(75) eap_peap : The users session was previously rejected: returning reject (again.)
(75) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output
(75) eap_peap : *** to find out the reason why the user was rejected
(75) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you
(75) eap_peap : *** what went wrong, and how to fix the problem
SSL: Removing session a38778fb8d95f898711428a550cca28f33c0704bedf61bf9cd5fb56bb744a8d8 from the cache
(75) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
(75) eap : Failed in EAP select
(75) [eap] = invalid
(75) } # authenticate = invalid
(75) Failed to authenticate the user
(75) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/CCS-252.cfs.uoguelph.ca] (from client WLC2504 port 1 cli c4-8e-8f-f8-96-33)
(75) Using Post-Auth-Type Reject
(75) # Executing group from file /etc/raddb/sites-enabled/default
(75) Post-Auth-Type REJECT {
(75) attr_filter.access_reject : EXPAND %{User-Name}
(75) attr_filter.access_reject : --> host/CCS-252.cfs.uoguelph.ca
(75) attr_filter.access_reject : Matched entry DEFAULT at line 11
(75) [attr_filter.access_reject] = updated
(75) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(75) [eap] = noop
(75) remove_reply_message_if_eap remove_reply_message_if_eap {
(75) if (&reply:EAP-Message && &reply:Reply-Message)
(75) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(75) else else {
(75) [noop] = noop
(75) } # else else = noop
(75) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(75) } # Post-Auth-Type REJECT = updated
Now that the client does not validate the server certificate, does the FR server need to validate the client certificate?
Thanks.
Dennis
----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: dxu at uoguelph.ca, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Thursday, December 3, 2015 4:33:14 PM
Subject: Re: Machine auth fails but user auth works
On Dec 3, 2015, at 4:24 PM, Dennis Xu <dxu at uoguelph.ca> wrote:
>
> In both user and machine auth cases, I use the same certificate installed on FreeRadius. I don't understand why machine auth complains about the CA error, but there are no issues for user auth?
You have to enable the CA for each user / machine identity.
> I don't use certificates on client machines and there is no special configuration about certificates in the machine auth case.
The client system still has to trust the RADIUS server. The *only* way to do this is to install the CA certificate on the client.
Alan DeKok.
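As an added example (not from this thread or from FreeRADIUS itself), a small triage script for the "(N) module : message" debug format quoted above. It follows the hint the debug output gives: ignore the "previously rejected" echo in the later request and pull the reject/fail lines from the earliest request that rejected the same identity. The lines for request 73 are constructed for the example; the request 75 lines are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the "(<request>) <text>" shape of the debug output
# quoted above: request 73 (made up here) carries the inner-tunnel reject,
# request 75 (from the post) only repeats "previously rejected".
SAMPLE_DEBUG = """\
(73) eap_peap : Session established. Decoding tunneled attributes
(73) eap_peap : Got tunneled request
(73) eap_peap : Tunneled authentication was rejected
(73) eap_peap : FAILURE
(73) Login incorrect (eap_peap: constructed inner-tunnel reject): [host/CCS-252.cfs.uoguelph.ca] (from client WLC2504 port 1 cli c4-8e-8f-f8-96-33)
(75) eap_peap : Peap state send tlv failure
(75) eap_peap : The users session was previously rejected: returning reject (again.)
(75) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
(75) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/CCS-252.cfs.uoguelph.ca] (from client WLC2504 port 1 cli c4-8e-8f-f8-96-33)
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
LOGIN_RE = re.compile(r"Login incorrect \((?P<reason>.*)\): \[(?P<identity>[^\]]+)\]")
HINT_RE = re.compile(r"reject|fail", re.IGNORECASE)   # the hint the debug text itself gives

def parse(text):
    """Return (request_id, message) for every line carrying a request number."""
    return [(int(m.group(1)), m.group(2).strip())
            for m in map(LINE_RE.match, text.splitlines()) if m]

def rejections(text):
    """identity -> [(request_id, reason), ...] for every 'Login incorrect' line."""
    found = defaultdict(list)
    for rid, msg in parse(text):
        m = LOGIN_RE.search(msg)
        if m:
            found[m.group("identity")].append((rid, m.group("reason")))
    return dict(found)

def root_cause(text, identity):
    """Follow the debug hint: skip the 'previously rejected' echo and return the
    reject/fail messages from the EARLIEST request that rejected this identity."""
    rejects = rejections(text).get(identity)
    if not rejects:
        return []
    first = min(rid for rid, _ in rejects)
    return [msg for rid, msg in parse(text) if rid == first and HINT_RE.search(msg)]

if __name__ == "__main__":
    for who, hits in rejections(SAMPLE_DEBUG).items():
        print(who, "rejected in requests", [rid for rid, _ in hits])
        for msg in root_cause(SAMPLE_DEBUG, who):
            print("  ", msg)
```

Run it against the full `radiusd -X` output instead of the sample and it points at the request (typically the inner-tunnel one) where the machine identity was first rejected.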