
List:       freeradius-users
Subject:    Re: 802.1x auth EAP-TLS problem
From:       Phil Mayers <p.mayers () imperial ! ac ! uk>
Date:       2011-06-28 8:40:39
Message-ID: 4E099387.2010407 () imperial ! ac ! uk

On 06/28/2011 08:41 AM, Marco Londero wrote:
> Hi folks,
>
> I have a problem in my freeradius setup and I'm looking for some hints
> about that.
>
> Scenario:
>
> 1) GNU/Linux client w/ WPA supplicant configured to request access through
> EAP-TLS using a certificate (in order to achieve 802.1x ethernet
> authentication)
> 2) 802.1x enabled switch where client is connected
> 3) user/pass 802.1x authentication works fine (MSCHAPv2 based)
> 4) freeradius authenticates users on LDAP
>
> Freeradius debug log of the issue is here:

Debug logs should be a) not trimmed and b) gathered with "radiusd -X | 
tee log" for best effect. However:

>
> -------
> http://pastie.org/2132916
> -------
>
> All certificates should be ok (both on server and client):

Well, they're not. The debug says:

Mon Jun 27 15:42:13 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0566], Certificate
Mon Jun 27 15:42:13 2011 : Error: --> verify error:num=20:unable to get local issuer certificate
Mon Jun 27 15:42:13 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
Mon Jun 27 15:42:13 2011 : Error: TLS Alert write:fatal:unknown CA
Mon Jun 27 15:42:13 2011 : Error:     TLS_accept:error in SSLv3 read client certificate B
Mon Jun 27 15:42:13 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Jun 27 15:42:13 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.


Since you've trimmed the debug I can't see the config for your tls { } 
module, but you're missing a CA somewhere.
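
Added example, not part of the original message and not FreeRADIUS code: a small triage script that pairs each OpenSSL "verify error" in radiusd -X output with the TLS messages around it, to show which side rejected whose certificate. It assumes "<<<" marks a message radiusd received and ">>>" one it sent; the function and field names are hypothetical, and the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample: the debug lines quoted in the message, unwrapped.
SAMPLE_LOG = """\
Mon Jun 27 15:42:13 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0566], Certificate
Mon Jun 27 15:42:13 2011 : Error: --> verify error:num=20:unable to get local issuer certificate
Mon Jun 27 15:42:13 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
Mon Jun 27 15:42:13 2011 : Error: TLS Alert write:fatal:unknown CA
"""

TLS_MSG = re.compile(
    r"\[tls\] (<<<|>>>) TLS [\d.]+ (Handshake|Alert) \[length [0-9a-f]+\], (.+)$")
VERIFY = re.compile(r"verify error:num=(\d+):(.+)$")

# OpenSSL verify codes meaning no chain could be built to a trusted CA:
# 2 = issuer cert not found, 20 = issuer not found locally,
# 21 = unable to verify the first certificate.
MISSING_CA_CODES = {2, 20, 21}


def triage(log_text):
    """Return one finding (dict) per verify error seen in the log text."""
    findings, last_cert_dir, pending = [], None, None
    for line in log_text.splitlines():
        msg = TLS_MSG.search(line)
        if msg:
            direction, kind, detail = msg.groups()
            if kind == "Handshake" and detail.strip() == "Certificate":
                last_cert_dir = direction      # who presented a certificate last
            elif kind == "Alert" and pending is not None:
                pending["alert"] = detail.strip()
                # Assumption: ">>>" = written by radiusd, "<<<" = read from client.
                pending["alert_sent_by"] = "server" if direction == ">>>" else "client"
                pending = None
            continue
        err = VERIFY.search(line)
        if err:
            code = int(err.group(1))
            pending = {"code": code, "reason": err.group(2).strip(),
                       "cert_from": "client" if last_cert_dir == "<<<" else "unknown",
                       "missing_ca": code in MISSING_CA_CODES,
                       "alert": None, "alert_sent_by": None}
            findings.append(pending)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the sample above, the finding says the client presented the certificate, the server sent the unknown_ca alert, and the error code is in the missing-CA group, which matches the diagnosis in the reply.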