EAP-TLS not working with ECC Keys
n5d9xq3ti233xiyif2vp at pm.me
Thu Sep 19 09:35:25 UTC 2024
Hi
What am I missing to get EAP working with both the RADIUS server and the clients having ECC (P521) keys?
Running freeradius in the foreground shows me this:
(8) eap_tls: (TLS) EAP Peer says that the final record size will be 378 bytes
(8) eap_tls: (TLS) EAP Got all data (378 bytes)
(8) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(8) eap_tls: (TLS) Handshake state - Server SSLv3 read client hello A
(8) eap_tls: (TLS) send TLS 1.3 Handshake, ServerHello
(8) eap_tls: (TLS) Handshake state - Server SSLv3 write server hello A
(8) eap_tls: (TLS) send TLS 1.3 Handshake, type=8
(8) eap_tls: (TLS) send TLS 1.3 Handshake, CertificateRequest
(8) eap_tls: (TLS) Handshake state - Server SSLv3 write certificate request A
(8) eap_tls: (TLS) send TLS 1.3 Alert, fatal handshake_failure
(8) eap_tls: ERROR: (TLS) Server : Error in SSLv3 write certificate A
(8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL
(8) eap_tls: ERROR: (TLS) error:1402D0FB:SSL routines:ACCEPT_SW_CERT:unknown pkey type
(8) eap_tls: ERROR: (TLS) error:14FFF0A8:SSL routines:(UNKNOWN)SSL_internal:missing rsa certificate
(8) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(8) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
"missing rsa certificate" is the bit that jumps out at me.
My /etc/raddb/mods-available/eap file looks like the following:
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        tls-config tls-common {
                private_key_password = THIS_HAS_BEEN_REMOVED_TO_PROTECT_THE_INNOCENT
                private_key_file = /etc/foobar/wifi/cert-out.key
                certificate_file = /etc/foobar/wifi/cert-out.crt
                ca_file = /etc/foobar/wifi/ca-chain.pem
                dh_file = /etc/foobar/wifi/dh.pem
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
                tls_min_version = "1.2"
                tls_max_version = "1.3"
                ecdh_curve = "secp521r1"

                cache {
                        enable = no
                        store {
                                Tunnel-Private-Group-Id
                        }
                }

                verify {
                }

                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }

        tls {
                tls = tls-common
        }
}
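Added diagnostic for the situation above (this is not part of the original post and not FreeRADIUS code): before blaming eap_tls, check with the plain openssl CLI whether the files that tls-common points at are a usable ECDSA server identity, and then reproduce the TLS 1.3 CertificateRequest path outside FreeRADIUS with the same files. The first function loads the private key (wrong password, wrong format and unsupported key types all fail here), confirms it is an EC key on a named curve (TLS signature algorithms such as ecdsa_secp521r1_sha512 are defined only for named curves, so a key with explicit domain parameters cannot serve a TLS certificate), and confirms the certificate's public key is the public half of that key. The second function runs openssl s_server with the server identity, TLS 1.3 only, demanding a client certificate, and connects with a client identity; whatever it prints is OpenSSL's own verdict, independent of the eap module. Assumptions: the openssl binary is on PATH, the file paths are the ones from the poster's config, the client identity files and loopback port 44330 are placeholders, and the probe needs the client cert to chain to ca-chain.pem.

```sh
#!/bin/sh
# Added diagnostic, not from the original post or from FreeRADIUS.
# Usage: eap_tls_identity_check CERT KEY [KEY_PASSWORD]
# Returns 0 if KEY is a named-curve EC key whose public half is in CERT.
eap_tls_identity_check() {
    cert=$1; key=$2; pass=${3:-}

    # 1. Can OpenSSL load the private key at all?  The password is passed via
    #    the environment so it never appears in `ps`; an empty value is fine
    #    for an unencrypted key.
    keytext=$(KEYPASS="$pass" openssl pkey -in "$key" -passin env:KEYPASS -noout -text 2>&1) || {
        echo "FAIL: cannot load private key $key:"; printf '%s\n' "$keytext"; return 1; }

    # 2. Is it an EC key on a *named* curve?  OpenSSL prints "ASN1 OID: <curve>"
    #    for named curves and "Field Type: ..." for explicit parameters.
    case $keytext in
        *"ASN1 OID:"*)   curve=$(printf '%s\n' "$keytext" | sed -n 's/.*ASN1 OID: *//p') ;;
        *"Field Type:"*) echo "FAIL: EC key carries explicit parameters, not a named curve"; return 1 ;;
        *)               echo "FAIL: not an EC key; OpenSSL reports:"
                         printf '%s\n' "$keytext" | head -1; return 1 ;;
    esac

    # 3. Does the certificate carry the public half of this key?  Compare the
    #    SubjectPublicKeyInfo PEM derived from each side.
    keypub=$(KEYPASS="$pass" openssl pkey -in "$key" -passin env:KEYPASS -pubout 2>/dev/null)
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot load certificate $cert"; return 1; }
    [ "$keypub" = "$certpub" ] || {
        echo "FAIL: public key in $cert does not match $key"; return 1; }

    # 4. Report what a peer will see: key algorithm and the signature on the cert.
    echo "OK: EC key on $curve matches certificate"
    openssl x509 -in "$cert" -noout -text \
        | grep -E 'Public Key Algorithm|Signature Algorithm|Not After' | sort -u
    return 0
}

# Reproduce the server side of the handshake outside FreeRADIUS with the same
# files.  s_server: server identity, TLS 1.3 only, client certificate required
# (-Verify DEPTH).  s_client: client identity, verifying the server against the
# CA chain.  Prints the handshake result lines; returns 0 only on "Verify return
# code: 0 (ok)".  Port and server key password are optional.
# Usage: tls13_mutual_probe SERVER_CERT SERVER_KEY CA_CHAIN CLIENT_CERT CLIENT_KEY [PORT] [SERVER_KEY_PASSWORD]
tls13_mutual_probe() {
    port=${6:-44330}                       # placeholder loopback port
    KEYPASS="${7:-}" openssl s_server -accept "$port" -cert "$1" -key "$2" -pass env:KEYPASS \
        -CAfile "$3" -Verify 5 -tls1_3 -www >/dev/null 2>&1 &
    spid=$!
    sleep 1                                # give s_server time to bind
    out=$(printf 'Q\n' | openssl s_client -connect "127.0.0.1:$port" -CAfile "$3" \
        -cert "$4" -key "$5" -tls1_3 2>&1)
    kill "$spid" 2>/dev/null
    printf '%s\n' "$out" | grep -E 'Protocol|Cipher|Verify return code|alert|error' | sort -u
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Example invocation with the paths from the poster's config (client files are placeholders):
#   eap_tls_identity_check /etc/foobar/wifi/cert-out.crt /etc/foobar/wifi/cert-out.key "$PASSWORD"
#   tls13_mutual_probe /etc/foobar/wifi/cert-out.crt /etc/foobar/wifi/cert-out.key \
#       /etc/foobar/wifi/ca-chain.pem client.crt client.key 44330 "$PASSWORD"
```

If the first function fails at step 2 or 3, that is the thing to fix in the files, not in eap; if it passes but the probe shows a handshake alert, the problem is in what OpenSSL is willing to do with that certificate in TLS 1.3 (the probe's s_server output can be made verbose with -msg or -state to see where it stops).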