EAP TLS Server certificate error

Thomas Manninger
   Hi mailing list,

   I installed FreeRADIUS on Debian 9 for 802.1X authentication; it
   should replace an old FreeRADIUS server.

   For the new RADIUS server, I generated a new CA for the client
   certificates and deployed the certificate on some clients.
   I also generated a certificate for the FreeRADIUS server (with the same
   CA):
   mods-enabled/eap:

   tls-config tls-common {
       certdir = ${confdir}/certs
       cadir = ${confdir}/certs
       private_key_file = ${certdir}/server.key
       certificate_file = ${certdir}/server.crt
       dh_file = ${certdir}/dh
       ca_path = ${cadir}
       check_cert_cn = %{User-Name}
       cipher_list = "DEFAULT"
   ..
   }

   When a client tries to authenticate, I get the following RADIUS output:
   (7) auth_log:    --> Mon Mar 23 15:42:14 2020
   (7)     [auth_log] = ok
   (7)     if (!EAP-Message) {
   (7)     if (!EAP-Message)  -> FALSE
   (7)     else {
   (7) eap: Peer sent EAP Response (code 2) ID 15 length 17
   (7) eap: No EAP Start, assuming it's an on-going EAP conversation
   (7)       [eap] = updated
   (7) files_x802_1_cert_auth: users: Matched entry XXXXXX at line 163
   (7)       [files_x802_1_cert_auth] = ok
   (7)     } # else = updated
   (7)   } # authorize = updated
   (7) Found Auth-Type = eap
   (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/outer-tunnel
   (7)   authenticate {
   (7) eap: Expiring EAP session with state 0x5b409518594a9812
   (7) eap: Finished EAP session with state 0xfcae8891ffa18542
   (7) eap: Previous EAP request found for state 0xfcae8891ffa18542, released from the list
   (7) eap: Peer sent packet with method EAP TLS (13)
   (7) eap: Calling submodule eap_tls to process data
   (7) eap_tls: Continuing EAP-TLS
   (7) eap_tls: Peer indicated complete TLS record size will be 7 bytes
   (7) eap_tls: Got complete TLS record (7 bytes)
   (7) eap_tls: [eaptls verify] = length included
   (7) eap_tls: <<< recv TLS 1.2  [length 0002]
   (7) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done
   (7) eap_tls: ERROR: System call (I/O) error (-1)
   (7) eap_tls: ERROR: TLS receive handshake failed during operation
   (7) eap_tls: ERROR: [eaptls process] = fail
   (7) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed

   But when I replace ${certdir}/server.key and ${certdir}/server.crt
   with the server certificate from the old server, 802.1X authentication
   works (why??)

   Can someone help me?
   Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
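One detail in the debug output above is worth reading closely (editorial note with an added example; neither is part of the post). Right after "SSLv3/TLS write server done" the peer returns a record of "[length 0002]". At that point in a TLS 1.2 handshake the client should be sending its Certificate and ClientKeyExchange messages, which are far larger than two bytes; a two-byte TLS record is almost certainly an alert (one level byte, one description byte), meaning the client refused to continue after seeing the server certificate. The alert bytes themselves are not shown in this log excerpt and would have to come from a packet capture of the EAP-TLS exchange. The POSIX sh function below decodes such a record from its raw bytes; SAMPLE_RECORD is constructed to illustrate the shape and is not taken from the log.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeRADIUS. Decodes one TLS
# record given as space-separated lowercase hex bytes: a 5-byte record
# header (type, version major, version minor, length) followed by the fragment.
# SAMPLE_RECORD is CONSTRUCTED for illustration; the real bytes are not in the
# log and would have to come from a capture of the EAP-TLS exchange.
SAMPLE_RECORD="15 03 03 00 02 02 30"   # alert, TLS 1.2, length 2, fatal, unknown_ca (48)

# alert_name DESC: RFC 5246 AlertDescription number -> name.
alert_name() {
    case "$1" in
        0)  echo close_notify;;          10) echo unexpected_message;;
        20) echo bad_record_mac;;        40) echo handshake_failure;;
        42) echo bad_certificate;;       43) echo unsupported_certificate;;
        44) echo certificate_revoked;;   45) echo certificate_expired;;
        46) echo certificate_unknown;;   47) echo illegal_parameter;;
        48) echo unknown_ca;;            49) echo access_denied;;
        50) echo decode_error;;          51) echo decrypt_error;;
        70) echo protocol_version;;      71) echo insufficient_security;;
        80) echo internal_error;;        90) echo user_canceled;;
        100) echo no_renegotiation;;     110) echo unsupported_extension;;
        *)  echo "unknown($1)";;
    esac
}

# tls_record_kind "HEX BYTES": prints a one-line description of the record.
# Returns 1 when the header is truncated, an alert is malformed, or the
# content type is not one defined by TLS.
tls_record_kind() {
    set -- $1
    [ $# -ge 5 ] || { echo "truncated record header"; return 1; }
    ctype=$1
    minor=$(( 0x$3 ))
    if [ "$minor" -eq 0 ]; then ver="SSL 3.0"; else ver="TLS 1.$(( minor - 1 ))"; fi
    len=$(( 0x$4 * 256 + 0x$5 ))
    shift 5
    case "$ctype" in
        15) # Alert: exactly one level byte and one description byte.
            [ "$len" -eq 2 ] && [ $# -ge 2 ] || { echo "malformed alert"; return 1; }
            case "$1" in 01) level=warning;; 02) level=fatal;; *) level="level-$1";; esac
            echo "alert $level $(alert_name $(( 0x$2 ))) $ver"
            ;;
        16) echo "handshake $len bytes $ver";;
        17) echo "application_data $len bytes $ver";;
        14) echo "change_cipher_spec $ver";;
        *)  echo "unknown content type 0x$ctype"; return 1;;
    esac
}

tls_record_kind "$SAMPLE_RECORD"   # alert fatal unknown_ca TLS 1.2
```

If a capture shows unknown_ca (48), bad_certificate (42) or certificate_unknown (46) at this point, the supplicant rejected the server certificate itself; handshake_failure (40) or protocol_version (70) would point at a cipher or version mismatch instead.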

Re: EAP TLS Server certificate error

Talkabout
Hi Thomas,

Is it possible that the "old" certificate authority is trusted on the client but the new one is not? Have you installed the new CA on the client machine?

Bye

Sent from Mail for Windows 10

From: Thomas Manninger
Sent: Monday, 23 March 2020 16:45
To: [hidden email]
Subject: EAP TLS Server certificate error
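The check behind this suggestion, as an added example that is not part of the thread and not FreeRADIUS code: the script below creates a throwaway "old" CA, a "new" CA and a server certificate issued by the new CA (all subjects, host names and file names are assumptions for the demo), then runs the same chain verification a supplicant performs on the EAP server certificate. A client that only holds old-ca.pem cannot build a chain to server.crt, which is the position every client is in until the new CA is installed in its trust store; the same client accepts the certificate as soon as it trusts new-ca.pem. It also checks that the server certificate carries the serverAuth extended key usage, which Windows and Android supplicants require on an EAP server certificate and which a certificate minted with a client-certificate template will lack.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS.
# Reproduces the trust mismatch suspected above with throwaway CAs.
# All subjects, host names and file names are assumptions for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# "Old" CA: the one already installed in the supplicants' trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Old RADIUS CA" \
    -keyout old-ca.key -out old-ca.pem >/dev/null 2>&1
# "New" CA: created for the replacement server, not yet pushed to clients.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=New RADIUS CA" \
    -keyout new-ca.key -out new-ca.pem >/dev/null 2>&1

# Server certificate issued by the NEW CA. The serverAuth EKU is what
# Windows and Android supplicants require on an EAP server certificate.
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.net
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.net" \
    -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA new-ca.pem -CAkey new-ca.key \
    -CAcreateserial -days 30 -extfile server.ext -out server.crt >/dev/null 2>&1

# chains_to CA_PEM: succeeds only if server.crt verifies against CA_PEM.
# This is the check a supplicant performs on the server certificate after
# ServerHelloDone; when it fails, the client answers with a TLS alert
# instead of continuing the handshake.
chains_to() {
    openssl verify -CAfile "$1" server.crt >/dev/null 2>&1
}

# has_server_auth_eku: succeeds if server.crt carries the serverAuth EKU.
has_server_auth_eku() {
    openssl x509 -in server.crt -noout -text | grep -q "TLS Web Server Authentication"
}

# trust_state CA_PEM: verdict of a client whose trust store holds only CA_PEM.
trust_state() {
    if chains_to "$1"; then echo "accept"; else echo "reject"; fi
}

echo "client trusting only old-ca.pem: $(trust_state old-ca.pem)"   # reject
echo "client trusting new-ca.pem:      $(trust_state new-ca.pem)"   # accept
echo "server.crt issuer: $(openssl x509 -in server.crt -noout -issuer)"
echo "server.crt has serverAuth EKU: $(has_server_auth_eku && echo yes || echo no)"
```

On a real deployment the same two commands apply to the files referenced by certificate_file and ca_path in mods-enabled/eap: openssl verify -CAfile <ca the clients have> server.crt must print OK, and the issuer shown by openssl x509 -noout -issuer must be a CA present on every supplicant, otherwise the swap back to the old server certificate will keep "working" for the wrong reason.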