Server certificate confusion

Stefan Winter stefan.winter at restena.lu
Thu Apr 19 19:11:11 CEST 2018


Hello,

On 18.04.18 17:03, Nick Howitt wrote:
>> [root at 7 certs]# rpm -q openssl
>> openssl-1.0.2k-8.el7.x86_64
>>
>> I don't have wpa_supplicant installed on the system so no
>> wpa_supplicant.conf. In order to get eapol_test I pulled down the
>> latest 2.6 sources and ran make following the instructions at
>> http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/.
>> I was under the impression that eapol_test was not compiled in the
>> distro, but I've just been checking and I think I have been
>> incorrectly informed. I'll install wpa_supplicant and test again.
>>
>> FWIW it is not eapol_test which is giving the certificate error but
>> "radiusd -X".
>>
>> BTW you only got the key because it is in the pem file so I was not
>> sure if you wanted the whole file or just the certificate part
>>
>> Nick
> "radiusd -X" still errors with the Centos
> wpa_supplicant-2.6-5.el7_4.1.x86_64 installed with a default
> wpa_supplicant.conf:
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel 

Now that's something to investigate.

AFAIK, FreeRADIUS sends the certificate it has in config to the client.
It doesn't check anything special (beyond well-formedness of the PEM file).

The error you are seeing in freeradius -X is most likely because
FreeRADIUS /receives/ this error message from the /client/.

If it were a genuine error inside FreeRADIUS, things wouldn't work for
Windows clients.

So you should probably take a very close look at eapol_test's debug
output. If it is the one rejecting the incoming TLS server cert, then it
will print out something. If you're unlucky, it will just print the same
error message it is afterwards also sending to the server, but with a
bit of luck there is a bit more detail on its side.

You aren't by any chance doing this work for an eduroam participant? If
so, our compliance check tools could be unleashed on the IdP FreeRADIUS;
I'd only need to know the realm then.

Also, eapol_test is part of the wpa_supplicant suite (but indeed not
compiled by all distros). So your self-compiled version was just as good
as the distro-supplied one you now have.

And the wpa_supplicant.conf is also being considered when using
eapol_test. I'm surprised you get an EAP conversation going with a
config file that has only two lines. You are relying on plenty of
defaults there. You would usually need to configure at least a username
to use for the login attempt. Where do you supply that?

Greetings,

Stefan Winter

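Added example, not part of Stefan's message nor code from the FreeRADIUS or wpa_supplicant projects: a minimal EAP-TLS wpa_supplicant.conf for eapol_test (the network block is where the identity and the client's trust anchor go), plus a pre-check that the server certificate will pass the validation a client does. The certificate paths under /etc/raddb/certs, the identity, the shared secret "testing123" and the server address 127.0.0.1:1812 are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed paths, identity,
# secret and server address are placeholders.
set -eu

# Write a wpa_supplicant.conf with one EAP-TLS network block. eapol_test
# does not use ssid/key_mgmt for a RADIUS-only test, but it does need
# identity, ca_cert and a client credential before it can start EAP.
write_eapol_conf() {
    out=$1 identity=$2 ca=$3 cert=$4 key=$5
    cat > "$out" <<EOF
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$identity"
    # The client rejects the server cert unless it chains to this CA.
    ca_cert="$ca"
    client_cert="$cert"
    private_key="$key"
    # Add private_key_passwd="..." if the key file is encrypted.
    # Optional but recommended: pin the expected server name.
    # domain_suffix_match="radius.example.org"
}
EOF
}

# Check the server cert the way a client trusting $ca will: it must chain
# to $ca, and (required by Windows supplicants) be usable as a TLS server
# cert. openssl -purpose prints "SSL server : Yes" when the cert's key
# usage / EKU, if present, permit that. Exit code 1 = chain failure,
# 2 = not usable as a TLS server certificate.
verify_server_cert() {
    ca=$1 server=$2
    openssl verify -CAfile "$ca" "$server" >/dev/null || return 1
    openssl x509 -in "$server" -noout -purpose | grep -q '^SSL server : Yes' || return 2
}

conf=${TMPDIR:-/tmp}/eapol_test.conf
write_eapol_conf "$conf" "user@example.org" \
    /etc/raddb/certs/ca.pem /etc/raddb/certs/client.pem /etc/raddb/certs/client.key

# Run the client side only if the tools are actually installed. The last
# line eapol_test prints is SUCCESS or FAILURE; on a certificate problem
# its debug output shows the TLS failure before the server's log does.
if command -v openssl >/dev/null 2>&1 && [ -r /etc/raddb/certs/server.pem ]; then
    verify_server_cert /etc/raddb/certs/ca.pem /etc/raddb/certs/server.pem \
        || echo "server.pem would be rejected by a client trusting ca.pem (code $?)"
fi
if command -v eapol_test >/dev/null 2>&1; then
    # -c config, -a RADIUS server address, -p UDP port, -s shared secret
    eapol_test -c "$conf" -a 127.0.0.1 -p 1812 -s testing123
fi
```

Run this next to "radiusd -X": the client-side output pinpoints which part of the server chain it refused, which is the detail the server only sees as a TLS alert coming back from the client.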

