Server certificate confusion
Alan Buxey
alan.buxey at gmail.com
Thu Apr 19 20:28:32 CEST 2018
eapol_test never used to be part of the installed wpa_supplicant package,
but various distros have changed their policy and now provide it (after
tickets were submitted by people like myself).
Freeradius comes with several config scripts that can be used with
eapol_test (in src/test)
alan
On Thu, 19 Apr 2018, 18:12 Stefan Winter, <stefan.winter at restena.lu> wrote:
> Hello,
>
> On 18.04.18 17:03, Nick Howitt wrote:
> >> [root at 7 certs]# rpm -q openssl
> >> openssl-1.0.2k-8.el7.x86_64
> >>
> >> I don't have wpa_supplicant installed on the system so no
> >> wpa_supplicant.conf. In order to get eapol_test I pulled down the
> >> latest 2.6 sources and ran make following the instructions at
> >> http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/.
> >> I was under the impression that eapol_test was not compiled in the
> >> distro, but I've just been checking and I think I have been
> >> incorrectly informed. I'll install wpa_supplicant and test again.
> >>
> >> FWIW it is not eapol_test which is giving the certificate error but
> >> "radiusd -X".
> >>
> >> BTW you only got the key because it is in the pem file so I was not
> >> sure if you wanted the whole file or just the certificate part
> >>
> >> Nick
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> > "radiusd -X" still errors with the Centos
> > wpa_supplicant-2.6-5.el7_4.1.x86_64 installed with a default
> > wpa_supplicant.conf:
> > ctrl_interface=/var/run/wpa_supplicant
> > ctrl_interface_group=wheel
>
> Now that's something to investigate.
>
> AFAIK, FreeRADIUS sends the certificate it has in config to the client.
> It doesn't check anything special (beyond well-formedness of the PEM file).
>
> The error you are seeing in freeradius -X is most likely because
> FreeRADIUS /receives/ this error message from the /client/.
>
> If it were a genuine error inside FreeRADIUS, things wouldn't work for
> Windows clients.
>
> So you should probably take a very close look at eapol_test's debug
> output. If it is the one rejecting the incoming TLS server cert, then it
> will print out something. If you're unlucky, it will just print the same
> error message it is afterwards also sending to the server, but with a
> bit of luck there is a bit more detail on its side.
>
> You aren't by any chance doing this work for an eduroam participant? If
> so, our compliance check tools could be unleashed on the IdP FreeRADIUS;
> I'd only need to know the realm then.
>
> Also, eapol_test is part of the wpa_supplicant suite (but indeed not
> compiled by all distros). So your self-compiled version was just as good
> as the distro-supplied one you now have.
>
> And the wpa_supplicant.conf is also being considered when using
> eapol_test. I'm surprised you get an EAP conversation going with a
> config file that has only two lines? You are relying on plenty of
> defaults there. You would usually need to configure at least a username
> to use for the login attempt? Where do you supply that?
>
> Greetings,
>
> Stefan Winter
>
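As an added example (not from this thread or from the FreeRADIUS project), assuming placeholder paths, identity, RADIUS server address and shared secret: a minimal eapol_test configuration that supplies the identity and EAP-TLS settings the two-line distro default lacks, with server-certificate validation enabled, and the eapol_test invocation that uses it.

```shell
#!/bin/sh
# Added example: write an eapol_test config with an EAP-TLS network block,
# sanity-check it, and run eapol_test against a RADIUS server.
# All paths, the identity, server address and secret are placeholders.
set -eu

# Write the configuration to the file named in $1.
write_eapol_conf() {
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
    key_mgmt=WPA-EAP
    eap=TLS
    identity="testuser@example.org"
    # Trust anchor for the RADIUS server certificate. Without ca_cert the
    # supplicant does not verify the server certificate at all; with a CA
    # that does not match the server's chain it rejects the handshake, and
    # that rejection is what the server then shows as a TLS alert in
    # "radiusd -X".
    ca_cert="/etc/pki/tls/certs/ca.pem"
    # Require the server certificate's name to match the expected host.
    domain_suffix_match="radius.example.org"
    client_cert="/etc/pki/tls/certs/client.pem"
    private_key="/etc/pki/tls/private/client.key"
    private_key_passwd="changeme"
}
EOF
}

# Succeed only if every key an EAP-TLS run needs is present in the file,
# so a half-written config is caught before eapol_test is started.
conf_has_required_keys() {
    n=0
    for key in 'eap=' 'identity=' 'ca_cert=' 'client_cert=' 'private_key='; do
        if grep -q "^[[:space:]]*$key" "$1"; then n=$((n + 1)); fi
    done
    [ "$n" -eq 5 ]
}

# Run eapol_test: -c config, -a server, -p port, -s shared secret,
# -r number of reauthentications. Exit status 0 means EAP success.
run_eapol_test() {
    eapol_test -c "$1" -a "${2:-127.0.0.1}" -p "${3:-1812}" \
        -s "${4:-testing123}" -r 1
}
```

Compare the client-side debug output of a failing run with the server's "radiusd -X" output; if the client prints its own certificate verification failure, the problem is the trust anchor or name match on the supplicant side, not the server's certificate handling.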