Cisco IP Phone 802.1x EAP-TLS troubles
8zero2ops at gmail.com
Tue Oct 11 09:24:58 CEST 2016
On Monday 10 October 2016, Ryan <directionless at gmail.com> wrote:
> I'm running freeRADIUS v3.0.8. My first goal is just to get all our
> Cisco phones authorized. I want freeRADIUS to accept all phones based
> on the certificate presented by the supplicant. The phones should
> present Cisco's manufacturer-installed-certificate, and Cisco provides
> the CA certs for download, which I have done. I put the Cisco CA
> certs into /etc/freeradius/certs, changed eap config to use ca_path
> instead of ca_file, but I still get this:
> (4) eap: Peer sent method TLS (13)
> (4) eap: EAP TLS (13)
> (4) eap: Calling eap_tls to process EAP data
> (4) eap_tls: Authenticate
> (4) eap_tls: processing EAP-TLS
> (4) eap_tls: TLS Length 1235
> (4) eap_tls: Length Included
> (4) eap_tls: eaptls_verify returned 11
> (4) eap_tls: <<< Unknown TLS version [length 0005]
> (4) eap_tls: <<< TLS 1.2 [length 0343]
> (4) eap_tls: TLS Verify creating certificate attributes
> (4) eap_tls: TLS-Client-Cert-Serial := '06'
> (4) eap_tls: TLS-Client-Cert-Expiration := '211008171647Z'
> (4) eap_tls: TLS-Client-Cert-Subject := '/serialNumber=PID:CP-8841
> SN:FCH20098MSK/C=US/O=Texana Center/OU=Building
> (4) eap_tls: TLS-Client-Cert-Issuer := '/C=US/O=Texana
> Center/OU=Building E/CN=CAPF-38b5f828/ST=Texas/L=4910 Airport Ave.'
> (4) eap_tls: TLS-Client-Cert-Common-Name := 'CP-8841-SEP00CCFC4A9AD3'
> (4) eap_tls: ERROR: SSL says error 20 : unable to get local issuer
Have you given the root certificate of the client certificate issuer in
Also check if there are any intermediate CAs which sign client certificates
> (4) eap_tls: >>> Unknown TLS version [length 0005]
> (4) eap_tls: >>> TLS 1.2 [length 0002]
> (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
> tls: TLS_accept: Error in error
> (4) eap_tls: ERROR: SSL says: error:14089086:SSL
> routines:ssl3_get_client_certificate:certificate verify failed
> SSL: SSL_read failed in a system call (-1), TLS session fails.
> TLS receive handshake failed during operation
> (4) eap_tls: eaptls_process returned 4
> (4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
> (4) eap: Failed in EAP select
> (4) [eap] = invalid
> (4) } # authenticate = invalid
> (4) Failed to authenticate the user
> (4) Using Post-Auth-Type Reject
> I'm a total noob at PKI and I can't figure out what I'm doing wrong.
> Is this even possible to do?
Mail: 8zero2.in at gmail.com
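The two questions above (is the root of the issuer in ca_path, and is the intermediate there too) can be checked outside FreeRADIUS with the OpenSSL tools, because "SSL says error 20" in the debug output is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the TLS library could not find, in the configured ca_path, a certificate whose subject matches the issuer of the certificate it is looking at. The script below is an added example, not code from the thread, FreeRADIUS or Cisco. It builds a throwaway root CA, intermediate CA and "phone" client certificate (all constructed, with made-up subjects), then checks the phone certificate against a directory that stands in for `ca_path = /etc/freeradius/certs` in three states: certificates copied in but not rehashed, root only, and root plus intermediate. It assumes OpenSSL 1.1.0 or later (for `openssl rehash` and `-no-CApath`).

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway PKI
# (root CA -> intermediate CA -> "phone" client certificate), then checks the
# phone certificate against a ca_path-style directory in three states to show
# when OpenSSL reports error 20 ("unable to get local issuer certificate"),
# the error in the debug output above. Needs OpenSSL 1.1.0 or later.
# Every certificate here is constructed; none of it is Cisco's.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"      # stands in for ca_path = /etc/freeradius/certs
mkdir -p "$CAPATH"

# Minimal req config so the example does not depend on the distro openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Extension files for certificates signed by a CA (openssl x509 -extfile).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# issue NAME SUBJECT EXTFILE ISSUER: key + CSR for NAME, signed with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
}

make_pki() {
  # Self-signed root; ca_ext from req.cnf gives it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 -config "$WORK/req.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj '/O=Example Lab/CN=Example Root CA' 2>/dev/null
  issue intermediate '/O=Example Lab/CN=Example Manufacturing CA' "$WORK/ca.ext" root
  # Constructed subject in the style of the phone certificate from the log.
  issue phone '/serialNumber=PID:CP-0000 SN:XXX00000000/O=Example Lab/CN=CP-0000-SEP000000000000' \
    "$WORK/leaf.ext" intermediate
}

# chain_error_code CAPATH CERT: verify CERT using only CAPATH (no system store).
# Prints 0 and returns 0 when the chain verifies; otherwise prints the OpenSSL
# X509 verify error number (20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
# and returns 1.
chain_error_code() {
  out=$(openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" 2>&1) && { echo 0; return 0; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  return 1
}

# show LABEL: print the verdict for the phone cert in the current CAPATH state.
show() {
  code=$(chain_error_code "$CAPATH" "$WORK/phone.pem" || true)
  echo "$1: verify error code $code"
}

make_pki

# 1. Both CA certs dropped in, but no hash symlinks: ca_path lookups are by
#    hashed file name, so nothing is found and depth 0 fails with error 20.
cp "$WORK/root.pem" "$WORK/intermediate.pem" "$CAPATH/"
show "unhashed directory"

# 2. Hashed, but only the root present: the intermediate that signed the
#    phone certificate is still missing, so the same error 20 appears.
rm -f "$CAPATH/intermediate.pem"
openssl rehash "$CAPATH" 2>/dev/null
show "root only, rehashed"

# 3. Root and intermediate present and rehashed: the chain closes.
cp "$WORK/intermediate.pem" "$CAPATH/"
openssl rehash "$CAPATH" 2>/dev/null
show "root + intermediate, rehashed"
```

Against the real directory the same check is `openssl verify -CApath /etc/freeradius/certs phone.pem`, with the phone certificate saved from a packet capture or from the phone's own web page; run `openssl rehash /etc/freeradius/certs` (or `c_rehash` on OpenSSL before 1.1.0) after every change, since `ca_path` is only consulted through the hashed symlinks. The certificate the directory must contain is the one named in the `TLS-Client-Cert-Issuer` line of the debug output, together with every CA above it up to a self-signed root.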