FreeRADIUS EAP-TLS Auth. Issues
SENECAUX Ludovic
Ludovic.SENECAUX at lenord.fr
Tue Jan 23 13:51:52 UTC 2024
I set "auto_chain = yes"; the result is the same.
> ca_file = ${cadir}/chain.pem
This file already contains rootca and subca certificates.
>> Certificate chain - 1 cert(s) untrusted
>> (TLS) untrusted certificate with depth [1] subject name /CN=SubCA
>> (TLS) untrusted certificate with depth [0] subject name /CN=device
> Which certificates are those for? rootca.pem? subca.pem?
The device cert is signed by subca, which is signed by rootca.
Rgds,
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+ludovic.senecaux=lenord.fr at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Tuesday, 23 January 2024 14:17
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: FreeRADIUS EAP-TLS Auth. Issues
On Jan 23, 2024, at 7:59 AM, SENECAUX Ludovic <Ludovic.SENECAUX at lenord.fr> wrote:
> I'm having an issue with FreeRADIUS 3.2.3 and the EAP module.
> It doesn't take into account my private PKI.
The server needs to be configured with the CA for any private PKI.
> I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work.
> I have no issues with FreeRADIUS 3.0.x
I don't think we changed anything about certificate handling for CAs. All of this magic is handled by OpenSSL.
> ca_file = ${cadir}/chain.pem
This file should contain the full CA chain in order. See the comments in mods-available/eap.
> lrwxrwxrwx. 1 root root 17 Jan 23 12:17 3377b39c.0 -> subca.pem
> lrwxrwxrwx. 1 root root 18 Jan 23 12:17 72f73b82.0 -> rootca.pem
> -rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem
> -rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem
> -rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem
The rootca and subca should be OK. The ca_path references them.
You may need to set "auto_chain = yes". See mods-available/eap.
> ...
> Certificate chain - 1 cert(s) untrusted
> (TLS) untrusted certificate with depth [1] subject name /CN=SubCA
> (TLS) untrusted certificate with depth [0] subject name /CN=device
Which certificates are those for? rootca.pem? subca.pem?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html