FreeRADIUS EAP-TLS Auth. Issues
Alan DeKok
aland at deployingradius.com
Tue Jan 23 13:17:16 UTC 2024
On Jan 23, 2024, at 7:59 AM, SENECAUX Ludovic <Ludovic.SENECAUX at lenord.fr> wrote:
> I'm having an issue with FreeRADIUS 3.2.3 and the EAP module.
> It doesn't take into account my private PKI.
The server needs to be configured with the CA for any private PKI.
> I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work.
> I have no issues with FreeRADIUS 3.0.x
I don't think we changed anything about certificate handling for CAs. All of this magic is handled by OpenSSL.
> ca_file = ${cadir}/chain.pem
This file should contain the full CA chain in order. See the comments in mods-available/eap.
> lrwxrwxrwx. 1 root root 17 Jan 23 12:17 3377b39c.0 -> subca.pem
> lrwxrwxrwx. 1 root root 18 Jan 23 12:17 72f73b82.0 -> rootca.pem
> -rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem
> -rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem
> -rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem
The rootca and subca should be OK. The ca_path references them.
You may need to set "auto_chain = yes". See mods-available/eap.
> ...
> Certificate chain - 1 cert(s) untrusted
> (TLS) untrusted certificate with depth [1] subject name /CN=SubCA
> (TLS) untrusted certificate with depth [0] subject name /CN=device
Which certificates are those for? rootca.pem? subca.pem?
Alan DeKok.