EAP-TLS with Client Cert, with Key Usage "EAP over Lan"

Dominik.A.Schorpp at ids.de
Mon Dec 19 16:13:36 CET 2016


I have trouble getting 802.1x Authentication with EAP-TLS properly running.

My Setup is the following:
Server: FreeRADIUS Version 2.2.5, for host i586-pc-linux-gnu, built on Oct 24 2014 at 04:18:43
Switch: A NEXANS iSwitch G 1043E
Client/Device: Yocto based Linux with wpa_supplicant v2.4

My Problem is the usage of the "X509v3 Extended Key Usage" in the Certificate of the Client.
If I use at the Client a Certificate with the "X509v3 Extended Key Usage" : "TLS Web Server Authentication, TLS Web Client Authentication", the 802.1x Authentication with EAP-TLS is running fine.

BUT I have the constraint that the Certificate on the Client is without "TLS Web Client Authentication", because there are absolutely no Client Applications running; the Device is running only some Server Applications.

So I tried to use on the Client a Certificate with the "X509v3 Extended Key Usage" : "TLS Web Server Authentication, EAP over Lan". But unfortunately the 802.1x Authentication with EAP-TLS did not work.

The relevant debug Output (freeradius -X) is, I think, the following:
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 056b], Certificate
--> verify error:num=26:unsupported certificate purpose
[tls] >>> TLS 1.0 Alert [length 0002], fatal unsupported_certificate
TLS Alert write:fatal:unsupported certificate
    TLS_accept: error in error
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect (unsupported certificate purpose): [<----->] (from client port 3 cli 00-12-AD-00-0E-F5)
Using Post-Auth-Type REJECT

I also tried using Certificates with "X509v3 Extended Key Usage" : "TLS Web Server Authentication" only and "X509v3 Extended Key Usage" : "EAP over Lan" only, but the Results are the Same.

My Question is now: which "X509v3 Extended Key Usage" values are mandatory for the Certificate on the Device?

And why is it not enough that the "X509v3 Extended Key Usage" has "EAP over LAN" in it?

Thanks for your Help


Dipl.-Ing. (FH) Dominik Andreas Schorpp
Hardware and Software Developer, Embedded Devices

E-FW - Telecontrol Technology Development
Nobelstr. 18
D-76275 Ettlingen
T +49 (0) 72 43/2 18-618
F +49 (0) 72 43/2 18-100
<mailto:dominik.a.schorpp at ids.de>

Managing Directors: Harald Herrmann, Jörn Fischer, Michael Schambach
Registered office: Ettlingen
Mannheim District Court, HRB 362503

A company of the IDS Group
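The certificate check behind the "unsupported certificate purpose" line in the log above, as an added example that is not part of the original post and not FreeRADIUS code: a POSIX shell script that uses the openssl CLI (assumed installed, 1.1.1 or newer for -addext) to construct throwaway self-signed test certificates with the EKU combinations the post mentions and run OpenSSL's "sslclient" purpose check against each, the purpose a TLS server applies when it verifies a client certificate.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce OpenSSL's "SSL client"
# purpose check for several extendedKeyUsage combinations. Assumes the
# openssl CLI (1.1.1 or newer, for -addext) is installed; every certificate
# is constructed here as a throwaway self-signed test certificate.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# id-kp-eapOverLAN (RFC 4334); OpenSSL prints it as "EAP over LAN".
EAP_OVER_LAN_OID="1.3.6.1.5.5.7.3.14"

# make_cert EKU-LIST: write a self-signed test certificate carrying the
# given extendedKeyUsage values to $WORK/cert.pem.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=eaptls-device" \
        -keyout "$WORK/cert.key" -out "$WORK/cert.pem" \
        -addext "extendedKeyUsage=$1" >/dev/null 2>&1
}

# eku_accepted EKU-LIST: build the certificate, then verify it with
# -purpose sslclient, the purpose a TLS server applies to a client
# certificate. Prints "accepted" or "rejected: <reason>" and returns 0
# only when the certificate passes (the success line is "<file>: OK").
eku_accepted() {
    make_cert "$1"
    out="$(openssl verify -purpose sslclient -CAfile "$WORK/cert.pem" \
        "$WORK/cert.pem" 2>&1)" || true
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo accepted
        return 0
    fi
    reason="$(printf '%s\n' "$out" | grep -o 'unsupported certificate purpose' | head -n 1)"
    echo "rejected: ${reason:-$out}"
    return 1
}

# The combinations tried in the post, in OpenSSL's configuration names.
for eku in "serverAuth,clientAuth" \
           "serverAuth,$EAP_OVER_LAN_OID" \
           "serverAuth" \
           "$EAP_OVER_LAN_OID"; do
    printf '%-40s %s\n' "$eku" "$(eku_accepted "$eku")"
done
```

Only the combination that includes clientAuth passes; an EKU extension that is present but lacks clientAuth is rejected with the same reason text as in the FreeRADIUS log, whether or not id-kp-eapOverLAN is listed.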

