Server certificate confusion
Nick Howitt
nick at howitts.co.uk
Tue Apr 17 11:24:58 CEST 2018
Replying to my own post.
There was a permission problem which I've now fixed, but I still get a
failure:
eapol_test:
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=6 length=44
Attribute 79 (EAP-Message) length=6
Value: 04060004
Attribute 80 (Message-Authenticator) length=18
Value: 09b3759d82eeeaaaf74cc3e25257cf11
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=6 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=0
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 1
FAILURE
and in "radiusd -X":
(6) eap_tls: Creating attributes from certificate OIDs
(6) eap_tls: TLS-Client-Cert-Serial := "01"
(6) eap_tls: TLS-Client-Cert-Expiration := "280414075944Z"
(6) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org"
(6) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority"
(6) eap_tls: TLS-Client-Cert-Common-Name := "Example Certificate Authority"
(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose
(6) eap_tls: >>> send TLS 1.2 [length 0002]
(6) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate
tls: TLS_accept: Error in error
(6) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
(6) eap_tls: ERROR: System call (I/O) error (-1)
(6) eap_tls: ERROR: TLS receive handshake failed during operation
(6) eap_tls: ERROR: [eaptls process] = fail
(6) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 6 length 4
(6) eap: Failed in EAP select
(6) [eap] = invalid
(6) } # authenticate = invalid
Regards,
Nick
On 17/04/2018 09:46, Nick Howitt wrote:
> I am having problems with the server certificate. If I create a server
> certificate without the XP Extensions, using eapol_test I can get a
> validation success, but Windows clients give an 0x80420101 error. If I
> redo the certificates with the XP Extensions I see the following in
> the certificate:
> X509v3 extensions:
> X509v3 Extended Key Usage:
> TLS Web Server Authentication
> X509v3 CRL Distribution Points:
>
> Full Name:
> URI:http://www.example.com/example_ca.crl
>
> But eapol_test ends in failure with the following part way through:
>
> TLS: Certificate verification failed, error 7 (certificate signature failure) depth 0 for '/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org'
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org' err='certificate signature failure'
> EAP: Status notification: remote certificate verification (param=certificate signature failure)
>
> and "radiusd -X" gives:
>
> (29) eap_tls: Done initial handshake
> (29) eap_tls: <<< recv TLS 1.2 [length 0002]
> (29) eap_tls: ERROR: TLS Alert read:fatal:decrypt error
> (29) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
> (29) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> (29) eap_tls: ERROR: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
> (29) eap_tls: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
> (29) eap_tls: ERROR: System call (I/O) error (-1)
> (29) eap_tls: ERROR: TLS receive handshake failed during operation
> (29) eap_tls: ERROR: [eaptls process] = fail
> (29) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
> (29) eap: Sending EAP Failure (code 4) ID 5 length 4
>
> Do you know what I'm doing wrong?
>
> TIA, Nick
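The "SSL says error 26 : unsupported certificate purpose" line in the radiusd -X output above is OpenSSL's verdict that the certificate the supplicant presented may not act as a TLS client: the TLS-Client-Cert lines show a certificate whose only Extended Key Usage is TLS Web Server Authentication (the "XP extension" that belongs on the server certificate), while FreeRADIUS verifies a client certificate for the sslclient purpose. The same lines also show the presented certificate carrying the CA's own common name and serial 01, which is worth checking at the same time. The script below is an added example, not part of Nick's post and not FreeRADIUS code: it builds a throw-away test CA and three leaf certificates with openssl (subjects and file names are constructed for the example; it assumes openssl 1.1.1 or later in PATH) and runs openssl verify on each for both purposes, so a "client" certificate issued with only serverAuth reproduces the error 26 from the log, while one issued with clientAuth passes. FreeRADIUS's own raddb/certs templates keep the two roles apart as separate xpserver_ext and xpclient_ext sections; the client certificate has to be issued with the client section.

```shell
#!/bin/sh
# Added example (not from the original post, not FreeRADIUS code).
# Builds a throw-away test CA plus three leaf certificates with openssl and
# verifies each one for the purpose the peer will check it against:
#   server cert -> sslserver (what the supplicant checks)
#   client cert -> sslclient (what FreeRADIUS checks; error 26 on mismatch)
# Assumes openssl 1.1.1+ in PATH. All subjects and file names are constructed.
set -e

# Minimal openssl config with one extension section per certificate role.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# issue_leaf DIR NAME SUBJECT EXT_SECTION: CSR plus CA-signed cert at DIR/NAME.pem
issue_leaf() {
  d=$1; n=$2
  openssl req -new -config "$d/test.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/$n.key" -out "$d/$n.csr" -subj "$3" 2>/dev/null
  openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -extfile "$d/test.cnf" -extensions "$4" \
    -out "$d/$n.pem" 2>/dev/null
}

# make_test_pki DIR: self-signed CA, server cert, a correct and a wrong client cert
make_test_pki() {
  write_cnf "$1/test.cnf"
  openssl req -x509 -config "$1/test.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout "$1/ca.key" -out "$1/ca.pem" -days 365 \
    -subj "/C=FR/O=Example Inc./CN=Test CA" 2>/dev/null
  issue_leaf "$1" server     "/C=FR/O=Example Inc./CN=radius.example.org" server_ext
  issue_leaf "$1" client-ok  "/C=FR/O=Example Inc./CN=user@example.org"   client_ext
  # The mistake visible in the log: a "client" cert carrying only the server EKU.
  issue_leaf "$1" client-bad "/C=FR/O=Example Inc./CN=user@example.org"   server_ext
}

# cert_purpose_ok CERT CAFILE PURPOSE: exit 0 iff CERT chains to CAFILE and is
# permitted for PURPOSE (sslserver or sslclient), the same decision OpenSSL
# makes inside the EAP-TLS handshake.
cert_purpose_ok() {
  openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1
}

# show_eku CERT: print the Extended Key Usage value(s) of a certificate
show_eku() {
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

# Demo: print each certificate's EKU and its verify result for both purposes.
demo() {
  w=$(mktemp -d)
  make_test_pki "$w"
  for c in server client-ok client-bad; do
    printf '%s: EKU = %s\n' "$c" "$(show_eku "$w/$c.pem")"
    for p in sslserver sslclient; do
      if cert_purpose_ok "$w/$c.pem" "$w/ca.pem" "$p"; then r=OK; else r=FAIL; fi
      printf '  verify -purpose %-9s -> %s\n' "$p" "$r"
    done
  done
  rm -rf "$w"
}
demo
```

Run it with sh; the demo at the bottom prints the EKU of each certificate and the verify result for both purposes, and only client-bad fails for sslclient. The same one-liner is the check to run on a real certificate before handing it to a supplicant: openssl verify -CAfile ca.pem -purpose sslclient client.pem should print OK, and openssl verify -CAfile ca.pem -purpose sslserver server.pem likewise for the server side.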