Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Boris Lytochkin lytboris at yandex-team.ru
Sun Dec 17 16:43:31 CET 2017


Hi.

Can you take a SPAN capture on the phone port and attach it to this thread 
so the whole EAP-TLS session can be read (ether-type 0x888e as the tcpdump 
filter will do)? This capture will help a lot in giving you a hint on how to 
proceed with this issue.

On 17.12.2017 12:44, Gladewitz, Robert via Freeradius-Users wrote:
> Hello Alan,
>
> thank you for your answer. The problem only happens with Cisco CAPF certificates, which are created by the Cisco CallManager itself for all IP phones. All other authentication (Windows client, WPA etc.) in our environment is working fine.
>
> But on the Cisco CallManager/CUCM there is no option to change the certificate attributes.
>
> Also interesting is that openssl verify is working fine!
>
> Is there maybe a possibility to skip the internal certificate check and use only an external command (like verify -> client)? For me it would also be OK without any certificate check. But I need EAP-TLS to set the voice VLAN.
>
> Regards
>
> Robert
>   
>
>
> -----Original Message-----
> From: Alan DeKok [mailto:aland at deployingradius.com]
> Sent: Saturday, 16 December 2017 20:37
> To: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
>
> On Dec 15, 2017, at 1:28 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> after the update to version 3 we get the following error in the eap-tls module:
>    It's not just FreeRADIUS that's been updated, but also OpenSSL, which implements the TLS portion of EAP-TLS.
>
>> (59) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose
>    The certificates don't have the extended key usage OIDs.  Windows needs them.
>
>    The certs created by the scripts included with FreeRADIUS work.
>
>> I do not understand why I get this error. If I use openssl
>> verify manually, all seems OK.
>    OpenSSL doesn't verify the extended key usage fields.
>
>> In some discussions I found out that some think something is wrong with the
>> extended attributes. But in this case, why is it working fine in the
>> freeradius 2 and 1 implementations?
>    No idea.
>
>    But you didn't create the certificates correctly.
>
>    You'll need to regenerate the certs with the correct information.  Use the scripts in the raddb/certs/ directory.
>
>    Alan DeKok.
>
>

-- 
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671
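The "error 26 : unsupported certificate purpose" in the quoted log is OpenSSL's X509_V_ERR_INVALID_PURPOSE, and the reason a plain `openssl verify` passes while the EAP-TLS handshake fails is that a TLS server verifies the peer certificate with the sslclient purpose, which `openssl verify` only applies when asked. The script below is an added example, not code from the thread or from the FreeRADIUS project: it builds a throw-away CA and three client certificates (one with a clientAuth EKU, one with a serverAuth-only EKU, one with no EKU at all), then runs both forms of verify on each. The CA, subject names and extension sections are constructed here and are assumptions; the no-EKU case goes beyond the single case in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL "error 26"
# (unsupported certificate purpose) with a throw-away CA and three client
# certificates, and contrast a plain "openssl verify" with the sslclient
# purpose check that a TLS server applies to a client certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed extension sections for the throw-away certificates.
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[client_ok]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[client_server_only]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[client_no_eku]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# Throw-away CA, self-signed with "x509 -req" so only ext.cnf's extensions apply.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Throwaway Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 -set_serial 1 \
    -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/ca.pem" 2>/dev/null

# issue_client NAME SECTION SERIAL: one CSR, signed by the CA with that section.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -days 1 -set_serial "$3" -extfile "$WORK/ext.cnf" -extensions "$2" \
        -out "$WORK/$1.pem" 2>/dev/null
}
issue_client good     client_ok          2
issue_client wrongeku client_server_only 3
issue_client noeku    client_no_eku      4

# cert_eku CERT: the extendedKeyUsage value from the certificate text, empty if absent.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# verify_plain CERT: what the poster ran, a chain check with no purpose.
verify_plain() {
    openssl verify -CAfile "$WORK/ca.pem" "$1"
}

# verify_as_tls_client CERT: the purpose check a TLS server applies when it
# verifies a client certificate (OpenSSL's "sslclient" purpose).
verify_as_tls_client() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1"
}

# Summary table: EKU, plain verify, purpose verify.
for name in good wrongeku noeku; do
    cert="$WORK/$name.pem"
    eku=$(cert_eku "$cert")
    if verify_plain "$cert" >/dev/null 2>&1; then plain=OK; else plain=FAIL; fi
    if verify_as_tls_client "$cert" >/dev/null 2>&1; then client=OK; else client=FAIL; fi
    printf '%-9s EKU=%-30s verify=%-4s verify -purpose sslclient=%s\n' \
        "$name" "${eku:-(absent)}" "$plain" "$client"
done

echo "--- openssl's own message for the serverAuth-only certificate:"
verify_as_tls_client "$WORK/wrongeku.pem" 2>&1 || true
```

All three certificates pass the plain verify; only the serverAuth-only one fails the sslclient check, and openssl reports it as "error 26 at 0 depth lookup: unsupported certificate purpose", the same error number the FreeRADIUS log shows. Note what that implies: OpenSSL rejects a client certificate for purpose when an EKU is present but does not include clientAuth (or when keyUsage is present without digitalSignature or keyAgreement), whereas a certificate with no EKU at all passes this check. So when looking at a real phone certificate, dump it with `openssl x509 -noout -text` and read the EKU and keyUsage extensions rather than relying on `openssl verify` without `-purpose`. The certificate scripts shipped in raddb/certs/ that Alan refers to set the clientAuth EKU (OID 1.3.6.1.5.5.7.3.2) on client certificates through the xpextensions file.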


