EAP TLS Server certificate error
Thomas Manninger
DBGTMaster at gmx.at
Mon Mar 23 16:45:16 CET 2020
Hi Mailing list,
I installed FreeRADIUS on Debian 9 for 802.1X authentication; it should replace an old FreeRADIUS server.
For the new RADIUS server, I generated a new CA for the client certificates and deployed the certificate on some clients.
I also generated a certificate for the FreeRADIUS server (with the same CA):
mods-enabled/eap:
tls-config tls-common {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        ..
}
When a client tries to authenticate, I get the following RADIUS output:
(7) auth_log: --> Mon Mar 23 15:42:14 2020
(7) [auth_log] = ok
(7) if (!EAP-Message) {
(7) if (!EAP-Message) -> FALSE
(7) else {
(7) eap: Peer sent EAP Response (code 2) ID 15 length 17
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) files_x802_1_cert_auth: users: Matched entry XXXXXX at line 163
(7) [files_x802_1_cert_auth] = ok
(7) } # else = updated
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/outer-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x5b409518594a9812
(7) eap: Finished EAP session with state 0xfcae8891ffa18542
(7) eap: Previous EAP request found for state 0xfcae8891ffa18542, released from the list
(7) eap: Peer sent packet with method EAP TLS (13)
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: Continuing EAP-TLS
(7) eap_tls: Peer indicated complete TLS record size will be 7 bytes
(7) eap_tls: Got complete TLS record (7 bytes)
(7) eap_tls: [eaptls verify] = length included
(7) eap_tls: <<< recv TLS 1.2 [length 0002]
(7) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(7) eap_tls: ERROR: System call (I/O) error (-1)
(7) eap_tls: ERROR: TLS receive handshake failed during operation
(7) eap_tls: ERROR: [eaptls process] = fail
(7) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
But when I replace ${certdir}/server.key and ${certdir}/server.crt with the server certificate from the old server, 802.1X authentication works (why?).
Can someone help me?
Thanks!
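The checks below are an added example for readers of this thread, not code from the original post or from the FreeRADIUS project. Before pointing private_key_file and certificate_file at a freshly issued server certificate, a practitioner would verify with OpenSSL three things that a handshake log like the one above does not show directly: that the certificate carries the TLS Web Server Authentication extended key usage (many supplicants refuse an EAP-TLS server certificate without it), that it chains to the CA the clients trust, and that the private key actually belongs to the certificate. The script builds a throwaway CA and two test server certificates in a temporary directory so it runs offline; the names radius.example.test, server-good and server-noeku are constructed for the example, and the only assumption is an installed openssl binary.

```shell
#!/bin/sh
# Added example, not part of the original post. Sanity-checks an
# EAP-TLS server certificate before it goes into tls-common.
# Assumes: openssl is installed. All paths and names are constructed.
set -eu

# Build a throwaway CA and two server certs so the script runs offline.
# "server-good" carries the serverAuth EKU; "server-noeku" does not.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Test RADIUS CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for name in good noeku; do
    openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=radius.example.test" \
      -keyout "$dir/server-$name.key" -out "$dir/server-$name.csr" 2>/dev/null
  done
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/ext-good.cnf"
  printf 'basicConstraints=CA:FALSE\n' > "$dir/ext-noeku.cnf"
  for name in good noeku; do
    openssl x509 -req -days 2 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -in "$dir/server-$name.csr" \
      -extfile "$dir/ext-$name.cnf" -out "$dir/server-$name.crt" 2>/dev/null
  done
}

# Check 1: does the cert carry the TLS Web Server Authentication EKU?
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}

# Check 2: does the cert chain to the CA file the clients trust?
#   $1 = CA certificate, $2 = server certificate
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: do certificate and private key belong together? A mismatch
# kills the TLS handshake before any client-side check is reached.
#   $1 = server certificate, $2 = server private key
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all three checks and report; returns non-zero if any fails.
#   $1 = CA certificate, $2 = server certificate, $3 = server key
check_server_cert() {
  rc=0
  has_server_auth_eku "$2" || { echo "FAIL: no serverAuth EKU in $2"; rc=1; }
  chains_to_ca "$1" "$2"   || { echo "FAIL: $2 does not chain to $1"; rc=1; }
  key_matches_cert "$2" "$3" || { echo "FAIL: key $3 does not match $2"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $2 passes all checks"
  return "$rc"
}

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
make_test_pki "$PKI"

check_server_cert "$PKI/ca.crt" "$PKI/server-good.crt"  "$PKI/server-good.key"
check_server_cert "$PKI/ca.crt" "$PKI/server-noeku.crt" "$PKI/server-noeku.key" || true
```

On a real server, replace the generated files with the CA the clients were given and the server.crt/server.key referenced from tls-common. A certificate that passes all three checks can still be refused by a supplicant that pins a different CA or validates the server name, so the supplicant's own log is the next place to look when the RADIUS side only reports the I/O error seen above.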
More information about the Freeradius-Users mailing list