EAP-TLS host certificates

Vieri Di Paola vieridipaola at gmail.com
Tue Jan 26 14:30:46 CET 2021


Several years ago, when Windows XP clients were around in my
organization, I had successfully configured freeradius with EAP-TLS and
host certificates.

Now, most of my clients are Windows 10 and just a few Windows 7. They
can access with PEAP mschap-v2 via WiFi.

I am now trying to configure WiFi access with EAP-TLS and host certificates.

Please bear with me as I haven't handled freeradius for years now, and
I'm a bit rusty.

I already have a custom Signing Authority (ca.pem).
So, within /etc/raddb/certs I ran the following after adjusting the
corresponding *.cnf files:

# make server.pem
# make server.csr
# make inner-server.pem
# make client.pem

The Windows 10 client has imported both the CA in trusted roots and
the client certificate in the "local computer" store. I chose the
common name "PC2036" (see below).
The wireless connection is set up with a "smart card or other
certificate" (computer account).

When I try to connect I see this in the radiusd log (please let me
know if you need the full log):

(132) Received Access-Request Id 67 from to length 209
(132)   User-Name = "host/PC2036"
(132)   NAS-IP-Address =
(132)   NAS-Identifier = "10:be:f5:c9:ce:90"
(132)   NAS-Port = 0
(132)   Called-Station-Id = "10-BE-F5-C9-CE-98:HMprv"
(132)   Calling-Station-Id = "4C-1D-96-4E-48-0F"
(132)   Framed-MTU = 1400
(132)   NAS-Port-Type = Wireless-802.11
(132)   Connect-Info = "CONNECT 0Mbps 802.11b"
(132)   EAP-Message = 0x028a001201686f73742f484d414e32303336
(132)   Message-Authenticator = 0xc6775ce6e83151b7ecde4018fb87f5d8
(132) # Executing section authorize from file /etc/raddb/sites-enabled/default
(132)   authorize {
(132) ntdomain: Checking for prefix before "\"
(132) ntdomain: No '\' in User-Name = "host/PC2036", looking up realm NULL
(132) ntdomain: No such realm "NULL"
(132)     [ntdomain] = noop
(132)     [expiration] = noop
(132)     [logintime] = noop
(132)   } # authorize = updated
(132) Found Auth-Type = eap
(132) # Executing group from file /etc/raddb/sites-enabled/default
(132)   authenticate {
(132) eap: Peer sent packet with method EAP Identity (1)
(132) eap: Calling submodule eap_tls to process data
(132) eap_tls: Initiating new TLS session
(132) eap_tls: Setting verify mode to require certificate from client
(132) eap_tls: [eaptls start] = request
(132) eap: Sending EAP Request (code 1) ID 139 length 6
(132) eap: EAP session adding &reply:State = 0x007a782400f175f1
(132)     [eap] = handled
(132)   } # authenticate = handled
(132) Using Post-Auth-Type Challenge
(132) # Executing group from file /etc/raddb/sites-enabled/default
(132)   Challenge { ... } # empty sub-section is ignored
(132) Sent Access-Challenge Id 67 from to length 0
(132)   EAP-Message = 0x018b00060d20
(132)   Message-Authenticator = 0x00000000000000000000000000000000
(132)   State = 0x007a782400f175f114c01cbf42164dc9
(132) Finished request
Waking up in 4.9 seconds.
(132) Cleaning up request packet ID 67 with timestamp +2318
Ready to process requests

I then read this:

So I decided to replace the whole certificate directory just to make
sure the test certs work.

So I ran this:

# ./bootstrap
# make inner-server.pem

However, when I run the server I get an error reading its certificate.

# radiusd -X
tls: Failed reading private key file "/etc/raddb/certs/server.pem"
tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe
crypt error
tls: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"

# ls -l /etc/raddb/certs/server.pem
-rw-r----- 1 root radius 3588 Jun 12  2020 /etc/raddb/certs/server.pem

freeradius v. 3.0.20

I'm sure this is a silly mistake on my part.

Any suggestions?

