[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: Re: 802.1x auth EAP-TLS problem
From: Phil Mayers <p.mayers () imperial ! ac ! uk>
Date: 2011-06-28 8:40:39
Message-ID: 4E099387.2010407 () imperial ! ac ! uk
[Download RAW message or body]
On 06/28/2011 08:41 AM, Marco Londero wrote:
> Hi folks,
>
> I have a problem in my freeradius setup and I'm looking for some hints
> about that.
>
> Scenario:
>
> 1) GNU/Linux client w/ WPA supplicant configured to request access through
> EAP-TLS using a certificate (in order to achieve 802.1x ethernet
> authentication)
> 2) 802.1x enabled switch where client is connected
> 3) user/pass 802.1x authentication works fine (MSCHAPv2 based)
> 4) freeradius authenticates users on LDAP
>
> Freeradius debug log of the issue is here:
Debug logs should be a) not trimmed and b) gathered with "radiusd -X |
tee log" for best effect. However:
>
> -------
> http://pastie.org/2132916
> -------
>
> All certificates should be ok (both on server and client):
Well, they're not. The debug says:
Mon Jun 27 15:42:13 2011 : Info: [tls] <<< TLS 1.0 Handshake [length
0566], Certificate
Mon Jun 27 15:42:13 2011 : Error: --> verify error:num=20:unable to get
local issuer certificate
Mon Jun 27 15:42:13 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002],
fatal unknown_ca
Mon Jun 27 15:42:13 2011 : Error: TLS Alert write:fatal:unknown CA
Mon Jun 27 15:42:13 2011 : Error: TLS_accept:error in SSLv3 read
client certificate B
Mon Jun 27 15:42:13 2011 : Error: rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Jun 27 15:42:13 2011 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Since you've trimmed the debug I can't see the config for your tls { }
module, but you're missing a CA somewhere.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic