FreeRADIUS EAP-TLS Auth. Issues

SENECAUX Ludovic Ludovic.SENECAUX at lenord.fr
Tue Jan 23 12:59:16 UTC 2024


Hi,

I'm having an issue with FreeRADIUS 3.2.3 and the EAP module.
It doesn't take into account my private PKI.
I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work.
I have no issues with FreeRADIUS 3.0.x.
My server is running RHEL 8 and my OpenSSL version is 1.1.1K.

Thanks for your help,

Regards,

--

> mods-enabled/eap
eap {
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}
	md5 {
	}
	gtc {
		auth_type = PAP
	}
	tls-config tls-common {
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/chain.pem
		ca_path = ${cadir}
		reject_unknown_intermediate_ca = no
		cipher_list = "DEFAULT"
		cipher_server_preference = no
		tls_min_version = "1.2"
		tls_max_version = "1.2"
		ecdh_curve = ""
		cache {
			enable = no
			store {
				Tunnel-Private-Group-Id
			}
		}
		verify {
		}
		ocsp {
			enable = yes
			override_cert_url = no
			url = "http://127.0.0.1/ocsp/"
		}
	}
	tls {
		tls = tls-common
	}
	ttls {
		tls = tls-common
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		tls = tls-common
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

> ls -l certs
total 32
lrwxrwxrwx. 1 root root 17 Jan 23 12:17 3377b39c.0 -> subca.pem
lrwxrwxrwx. 1 root root 18 Jan 23 12:17 72f73b82.0 -> rootca.pem
-rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem
-rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem
-rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem
-rw-r-----. 1 root radiusd 1704 Jan 23 10:18 server.key
-rw-r-----. 1 root radiusd 8567 Jan 23 10:18 server.pem

> debug (if reject_unknown_intermediate_ca = yes)
[...]
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /CN=SubCA
(TLS) untrusted certificate with depth [0] subject name /CN=device
tls: There are untrusted certificates in the certificate chain. Rejecting.
(10) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error
(10) eap_tls: ERROR: (TLS) Alert write:fatal:internal error
(10) eap_tls: ERROR: (TLS) Server : Error in error
(10) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
(10) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(10) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(10) eap_tls: ERROR: [eaptls process] = fail
(10) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(10) eap: Sending EAP Failure (code 4) ID 26 length 4
(10) eap: Failed in EAP select
(10) [eap] = invalid
(10) } # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
[...]
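The checks below are an added example, not part of the post above or of FreeRADIUS itself. They assume the trust-store layout shown in the post (ca_path holding c_rehash-style <hash>.N links, ca_file = chain.pem carrying root and sub CA) and use a placeholder client certificate name, device.pem; they confirm, outside the server, that OpenSSL can locate the SubCA through those files before the rejection is attributed to reject_unknown_intermediate_ca.

```shell
# Added example (not from the original post): sanity-check the tls-config
# trust store that FreeRADIUS hands to OpenSSL. Assumes the post's layout:
# ca_path = a directory with <hash>.N symlinks, ca_file = chain.pem.
# device.pem is a placeholder name for the client certificate under test.

# OpenSSL only finds a CA in ca_path through a link whose name is the
# certificate's subject hash. A link left over from an older CA (stale
# after re-issuing subca.pem) points OpenSSL at the wrong certificate.
# Returns 0 when every link matches, 1 when any link is stale or broken.
check_ca_path() {
    dir=$1; rc=0
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case $target in /*) ;; *) target="$dir/$target" ;; esac
        want=$(openssl x509 -noout -subject_hash -in "$target" 2>/dev/null) \
            || { echo "broken link: $link" >&2; rc=1; continue; }
        have=$(basename "$link"); have=${have%.*}
        if [ "$have" != "$want" ]; then
            echo "stale link: $link -> $target (current hash $want)" >&2
            rc=1
        fi
    done
    return $rc
}

# Verify the client certificate against the same ca_file/ca_path the
# server uses, with no extra untrusted input: the chain must close on
# what the store already holds. Returns 0 on success, non-zero otherwise.
check_client_cert() {
    ca_file=$1; ca_path=$2; cert=$3
    openssl verify -CAfile "$ca_file" -CApath "$ca_path" "$cert" >/dev/null 2>&1
}
```

Run check_ca_path on the certs directory after every c_rehash, and check_client_cert with the exact ca_file and ca_path from tls-common; if either fails, the store, not the server setting, is the first thing to fix.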
