FreeRADIUS EAP-TLS Auth. Issues

SENECAUX Ludovic Ludovic.SENECAUX at lenord.fr
Tue Jan 23 15:30:50 UTC 2024


It is the same virtual machine.

I reinstalled FR 3.0.20, and I saw the "reject_unknown_intermediate_ca" parameter does not exist in this version.
If I add this to the eap configuration, it is not loaded when the server starts.
So, is the value 'yes' implicit in this branch?
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+ludovic.senecaux=lenord.fr at lists.freeradius.org> On behalf of Alan DeKok
Sent: Tuesday 23 January 2024 16:03
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: FreeRADIUS EAP-TLS Auth. Issues


On Jan 23, 2024, at 9:54 AM, SENECAUX Ludovic <Ludovic.SENECAUX at lenord.fr> wrote:
>
> I checked my 2 RADIUS servers again; if I set "reject_unknown_intermediate_ca = yes":
> - 3.0.20 (PROD): eap-tls auth. is ok
> - 3.2.3 (DEV): eap-tls auth. is broken
>
> Same OS version, same OpenSSL version, same Radius config.

  That's unfortunate.

  Looking at the two versions, the TLS code is in src/main/cb.c, and src/main/tls.c

  The "cb.c" file is identical to v3.0, other than some changes to the debug output.

  The "tls.c" file shows a few more differences, but those are largely debug output changes, or new features which don't affect certificate validation.

  I'd double-check the systems.  If this is the same machine and the two versions of FreeRADIUS are different, then the issue is FreeRADIUS.

  If the two systems are different (magically somehow), then maybe there's some other OpenSSL issue which is causing the difference.  i.e. it's not enough to say "same version of OpenSSL".  There's all kinds of magic going on behind the scenes that I'm not aware of, such as vendor patches to code, configuration, etc.

  Also, please check that you're running packages from http://packages.networkradius.com  If you're running packages supplied by the OS vendor, those are very often patched and different (i.e. broken) in odd ways.

  Alan DeKok.
