EAP-TLS Auth. Issues

SENECAUX Ludovic Ludovic.SENECAUX at lenord.fr
Tue Jan 23 13:03:35 UTC 2024


Hi,



I'm having an issue with FreeRADIUS 3.2.3 and the EAP module.

It doesn't take into account my private PKI.

I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work.

I have no issues with FreeRADIUS 3.0.x

My server is running RHEL 8 and my OpenSSL version is 1.1.1K



Thanks for your help,



Regards,



--



> mods-enabled/eap

eap {

default_eap_type = md5

timer_expire = 60

ignore_unknown_eap_types = no

cisco_accounting_username_bug = no

max_sessions = ${max_requests}

md5 {

}

gtc {

auth_type = PAP

}

tls-config tls-common {

private_key_file = ${certdir}/server.key

certificate_file = ${certdir}/server.pem

ca_file = ${cadir}/chain.pem

ca_path = ${cadir}

reject_unknown_intermediate_ca = no

cipher_list = "DEFAULT"

cipher_server_preference = no

tls_min_version = "1.2"

tls_max_version = "1.2"

ecdh_curve = ""

cache {

enable = no

store {

Tunnel-Private-Group-Id

}

}

verify {

}

ocsp {

enable = yes

override_cert_url = no

url = "http://127.0.0.1/ocsp/"

}

}

tls {

tls = tls-common

}

ttls {

tls = tls-common

default_eap_type = md5

copy_request_to_tunnel = no

use_tunneled_reply = no

virtual_server = "inner-tunnel"

}

peap {

tls = tls-common

default_eap_type = mschapv2

copy_request_to_tunnel = no

use_tunneled_reply = no

virtual_server = "inner-tunnel"

}

mschapv2 {

}

}



> ls -l certs

total 32

lrwxrwxrwx. 1 root root      17 Jan 23 12:17 3377b39c.0 -> subca.pem

lrwxrwxrwx. 1 root root      18 Jan 23 12:17 72f73b82.0 -> rootca.pem

-rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem

-rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem

-rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem

-rw-r-----. 1 root radiusd 1704 Jan 23 10:18 server.key

-rw-r-----. 1 root radiusd 8567 Jan 23 10:18 server.pem



> debug (if reject_unknown_intermediate_ca = yes)

[...]

Certificate chain - 1 cert(s) untrusted

(TLS) untrusted certificate with depth [1] subject name /CN=SubCA

(TLS) untrusted certificate with depth [0] subject name /CN=device

tls: There are untrusted certificates in the certificate chain. Rejecting.

(10) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error

(10) eap_tls: ERROR: (TLS) Alert write:fatal:internal error

(10) eap_tls: ERROR: (TLS) Server : Error in error

(10) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

(10) eap_tls: ERROR: (TLS) System call (I/O) error (-1)

(10) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation

(10) eap_tls: ERROR: [eaptls process] = fail

(10) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed

(10) eap: Sending EAP Failure (code 4) ID 26 length 4

(10) eap: Failed in EAP select

(10) [eap] = invalid

(10) } # authenticate = invalid

(10) Failed to authenticate the user

(10) Using Post-Auth-Type Reject

[...]
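The distinction the debug output draws between certificates that come out of the server's own trust store and certificates that only arrive in the chain the client sends can be reproduced with the openssl CLI alone. The script below is an added example, not code from the post above or from FreeRADIUS: it builds a throwaway RootCA -> SubCA -> device PKI (all names, the pki.cnf extension sections and the cadir directory are assumptions) and runs openssl verify -show_chain with the SubCA supplied only as a peer certificate, then with the SubCA in a chain.pem bundle (the ca_file case) and in a hashed directory with <hash>.0 links (the ca_path case).

```shell
#!/bin/sh
# Added example, not code from the original post or the FreeRADIUS project.
# Builds a throwaway RootCA -> SubCA -> device PKI with the openssl CLI and
# verifies the device certificate the ways an EAP-TLS server can see it:
#   - SubCA reachable only through the peer-supplied chain (OpenSSL marks
#     such certificates "untrusted", the wording the debug output uses at depth 1)
#   - SubCA also present in the trust store (a chain.pem ca_file, or a hashed
#     ca_path directory like the one in the ls -l listing)
# All names (RootCA, SubCA, device, the cadir directory) are assumptions.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req/x509 config with one CA and one client-leaf extension section.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# EC keys (fast to generate), then RootCA -> SubCA -> device.
for n in root sub device; do
  openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
done
openssl req -x509 -new -key root.key -subj /CN=RootCA -days 30 \
  -config pki.cnf -extensions ca_ext -out rootca.pem
openssl req -new -key sub.key -subj /CN=SubCA -config pki.cnf -out sub.csr
openssl x509 -req -in sub.csr -CA rootca.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile pki.cnf -extensions ca_ext -out subca.pem
openssl req -new -key device.key -subj /CN=device -config pki.cnf -out device.csr
openssl x509 -req -in device.csr -CA subca.pem -CAkey sub.key -CAcreateserial \
  -days 30 -extfile pki.cnf -extensions leaf_ext -out device.pem

# ca_file style: SubCA and root in one bundle, as in the post's chain.pem.
cat subca.pem rootca.pem > chain.pem
# ca_path style: <subject_hash>.0 symlinks, what c_rehash would create.
mkdir cadir
for f in rootca subca; do
  ln -s "../$f.pem" "cadir/$(openssl x509 -in "$f.pem" -noout -subject_hash).0"
done

# verify_depth1 <trust options...>: verifies device.pem, prints the chain, and
# returns 0 if the depth-1 SubCA was taken from the trust store,
#         1 if it only came from the peer-supplied (-untrusted) certificates,
#         2 if no chain up to a trust anchor could be built at all.
verify_depth1() {
  out=$(openssl verify -show_chain "$@" device.pem 2>&1) || { printf '%s\n' "$out"; return 2; }
  printf '%s\n' "$out"
  case "$out" in
    *"depth=1:"*"SubCA (untrusted)"*) return 1 ;;
    *"depth=1:"*"SubCA"*) return 0 ;;
  esac
  return 2
}

echo '# root only, SubCA nowhere: no chain can be built'
verify_depth1 -CAfile rootca.pem || echo "rc=$?"
echo '# root in the store, SubCA only from the peer: depth 1 is "(untrusted)"'
verify_depth1 -CAfile rootca.pem -untrusted subca.pem || echo "rc=$?"
echo '# chain.pem as ca_file: SubCA comes from the store even when the peer also sends it'
verify_depth1 -CAfile chain.pem -untrusted subca.pem || echo "rc=$?"
echo '# hashed cadir as ca_path: same result'
verify_depth1 -CApath cadir -untrusted subca.pem || echo "rc=$?"
```

Since OpenSSL 1.1.0 the trust store is consulted before the peer-supplied (-untrusted) certificates when a chain is built, so once the SubCA is loaded from ca_file or ca_path the depth-1 certificate stops being reported as untrusted even if the client keeps sending it. If a server still flags it, the first thing to confirm is that the running process actually reads the bundle or directory it was configured with (the files in the listing above are 0640 root:radiusd, so the group matters).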






