More freeradius fun - some clients not connecting

Stefan Winter stefan.winter at restena.lu
Thu May 23 10:35:22 CEST 2019


Hello,

are you using server certificates from the InCommon certificate service?

Those have two different paths to two different roots. If you chose the
"AddTrust" root CA then there is a bug in Windows which fails the path
validation *iff* the AddTrust CA is also installed on the machine as an
intermediate CA (there's a history with this CA being re-purposed after
a merger - used to be an intermediate, same private key was then
re-issued as self-signed root; and if Windows sees *both* it will trust
neither).

Whether or not a given Windows machine "happens to have" the
intermediate version depends on many factors. Visiting a web site with
that intermediate may have been enough as Windows auto-loads missing
certs on the fly.

The solution is to use the *other* root CA, which doesn't exist as an
intermediate in another reality ("UserTrust Secure"). Yes, it does work
with the same server cert. Just change the root. It's the black magic in
PKI.

See https://spaces.at.internet2.edu/display/ICCS/InCommon+Cert+Types
section "SHA-2 Server Certificates".

Be sure to use the chain on that page, *not* the one behind the link
"Comodo's version of the chain".

Greetings,

Stefan Winter

On 21.05.19 at 15:24, Chris Bradley wrote:
> Hello everyone! Thanks for the help the other day.
> 
> I'm back to the original issue that I had that caused the servers to completely stop working the other day. All I did was stop the free radius service and tried running freeradius -X, honest. ;^)
> 
> So, here's the issue. I will explain the best I can.
> 
> We are K-12 educational and we're beginning to test re-imaging of our student computers. We have a wireless network for corporation owned staff devices to connect to and one for student devices to connect to. Each setup has two radius servers (for failover). Two for staff and two for students. We install the Security Certificates and the PIM/P12 files on the devices via our configuration management software. Then, a wireless network is setup via netsh to import a .xml wireless config. Haven't had any trouble with it until we started using our new image. 
> 
> Some (not all - some work and some don't) of our re-imaged computers won't connect to our certificate based 802.1x networks. On the server, I'm seeing this error as I'm tailing the freeradius log:
> 
> 
> Tue May 21 09:07:50 2019 : ERROR: (185581) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
> Tue May 21 09:07:50 2019 : ERROR: (185581) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
> Tue May 21 09:07:50 2019 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B
> Tue May 21 09:07:50 2019 : Auth: (185581) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/computername] (from client northwifi port 1696 cli B4-6B-FC-EC-66-34)
> 
> When clients connect properly, I get a line like this in the logs:
> 
> 
> Tue May 21 09:18:27 2019 : Auth: (187309) Login OK: [host/bcscstucert-client] (from client northwifi port 737 cli AC-E0-10-BA-A0-B7)
> 
> The two clients are identical machines, the wireless networks and the certificates are installed the same exact way. So, why can some of them connect and some of them can't? Any ideas to check into?
> 
> Thanks! =)
> 
> Chris :o)
> Bradley
>  
> Network Administrator
> Bartholomew Consolidated School Corporation
> bradleyc at bcsc.k12.in.us
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
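The two-path situation Stefan describes (one CA key that exists both as an intermediate under an older root and as a self-signed root, so the same server certificate validates under either trust anchor) can be reproduced with a small constructed PKI. The Go program below is an added example, not code from this thread, from FreeRADIUS or from Windows: it uses Go's crypto/x509 verifier in place of Windows CryptoAPI and OpenSSL, and every certificate name in it ("Toy Legacy Root", "Toy Modern CA", "radius.example.org") is a placeholder. It shows the same leaf validating through both paths, and the failure you get when the trust store holds neither a matching root nor the cross-signed intermediate, which is the Go analogue of OpenSSL's error 20 in Chris's log. Go's verifier simply takes whichever path exists; it does not reproduce the Windows behaviour of rejecting both when it sees the same CA as intermediate and root at once.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI is a constructed certificate set for this example; the names are
// placeholders, not the real AddTrust/UserTrust/InCommon certificates.
type ToyPKI struct {
	OldRoot     *x509.Certificate // legacy self-signed root
	CrossSigned *x509.Certificate // CA key issued as an intermediate by OldRoot
	NewRoot     *x509.Certificate // same CA key and subject, self-signed as a root
	Server      *x509.Certificate // end-entity certificate signed by the CA key
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate builds a CA or server-leaf template valid for one day.
func newTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
	}
	if !ca {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with signer (the parent's key) and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI reproduces the two-path layout from the mail: one CA key that exists
// both as an intermediate under a legacy root and as its own self-signed root.
func BuildPKI() *ToyPKI {
	oldKey, caKey, srvKey := mustKey(), mustKey(), mustKey()
	oldTmpl := newTemplate("Toy Legacy Root", 1, true)
	oldRoot := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	// Path 1: the modern CA as an intermediate, cross-signed by the legacy root.
	crossSigned := issue(newTemplate("Toy Modern CA", 2, true), oldRoot, &caKey.PublicKey, oldKey)
	// Path 2: the very same key and subject, re-issued as a self-signed root.
	newTmpl := newTemplate("Toy Modern CA", 3, true)
	newRoot := issue(newTmpl, newTmpl, &caKey.PublicKey, caKey)
	// One server certificate; its issuer name matches both CA certificates above.
	server := issue(newTemplate("radius.example.org", 4, false), newRoot, &srvKey.PublicKey, caKey)
	return &ToyPKI{OldRoot: oldRoot, CrossSigned: crossSigned, NewRoot: newRoot, Server: server}
}

// ChainNames validates server against the given trust anchors and intermediates
// and returns the CommonNames along the first accepted path, leaf first. A missing
// issuer surfaces as x509.UnknownAuthorityError, Go's counterpart of OpenSSL's
// error 20 "unable to get local issuer certificate" seen in the FreeRADIUS log.
func ChainNames(server *x509.Certificate, roots, intermediates []*x509.Certificate) ([]string, error) {
	opts := x509.VerifyOptions{DNSName: server.Subject.CommonName,
		Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, r := range roots {
		opts.Roots.AddCert(r)
	}
	for _, i := range intermediates {
		opts.Intermediates.AddCert(i)
	}
	chains, err := server.Verify(opts)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	p := BuildPKI()
	fmt.Println(ChainNames(p.Server, []*x509.Certificate{p.OldRoot}, []*x509.Certificate{p.CrossSigned}))
	fmt.Println(ChainNames(p.Server, []*x509.Certificate{p.NewRoot}, nil))
	fmt.Println(ChainNames(p.Server, []*x509.Certificate{p.OldRoot}, nil)) // no usable issuer: fails
}
```

Run it with `go run`: the first call chains leaf, cross-signed CA, legacy root; the second chains leaf, self-signed modern root; the third returns x509.UnknownAuthorityError because the only trust anchor has no path to the leaf's issuer. The defensive takeaway matches Stefan's advice: ship exactly one of the two paths in the server's CA file and in the supplicant's trusted roots, and check which root the built chain actually terminates at rather than assuming both verifiers build the same path.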