List: freeradius-users
Subject: Re: EAP TLS Server certificate error
From: Talkabout <talk.about () gmx ! de>
Date: 2020-03-23 16:16:48
Message-ID: 1Mqb1W-1jcG243doG-00mZ7e () mail ! gmx ! com
Hi Thomas,
is it possible that the "old" certificate authority is trusted on the client but the
new one is not? Have you installed the new CA on the client machine?
Bye
Sent from Mail for Windows 10
From: Thomas Manninger
Sent: Monday, 23 March 2020 16:45
To: freeradius-users@lists.freeradius.org
Subject: EAP TLS Server certificate error
Hi Mailing list,
I installed freeradius on debian 9 for X802.1 authentication, which
should replace an old freeradius server.
For the new radius server, I generated a new CA for the client
certificates and deployed the certificate on some clients.
I also generated a certificate for the freeradius server (with the same
CA):
mods-enabled/eap:
tls-config tls-common {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        ..
}
When a client tries to authenticate, I get the following radius output:
(7) auth_log: --> Mon Mar 23 15:42:14 2020
(7) [auth_log] = ok
(7) if (!EAP-Message) {
(7) if (!EAP-Message) -> FALSE
(7) else {
(7) eap: Peer sent EAP Response (code 2) ID 15 length 17
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) files_x802_1_cert_auth: users: Matched entry XXXXXX at line 163
(7) [files_x802_1_cert_auth] = ok
(7) } # else = updated
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/outer-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x5b409518594a9812
(7) eap: Finished EAP session with state 0xfcae8891ffa18542
(7) eap: Previous EAP request found for state 0xfcae8891ffa18542, released from the list
(7) eap: Peer sent packet with method EAP TLS (13)
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: Continuing EAP-TLS
(7) eap_tls: Peer indicated complete TLS record size will be 7 bytes
(7) eap_tls: Got complete TLS record (7 bytes)
(7) eap_tls: [eaptls verify] = length included
(7) eap_tls: <<< recv TLS 1.2 [length 0002]
(7) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(7) eap_tls: ERROR: System call (I/O) error (-1)
(7) eap_tls: ERROR: TLS receive handshake failed during operation
(7) eap_tls: ERROR: [eaptls process] = fail
(7) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
But when I replace the ${certdir}/server.key and ${certdir}/server.crt
with the server certificate from the old server, x802.1 authentication
works (why??)
Can someone help me?
Thanks!
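The debug output above stops right after "SSLv3/TLS write server done": the server has sent its Certificate and ServerHelloDone messages, and the very next thing it sees is the peer closing the conversation (the "I/O error (-1)"). That is what a supplicant does when it cannot chain the server certificate to a CA it trusts, which is why swapping in the old server certificate (issued by the CA the clients already trust) makes the problem disappear. The script below is an added example, not part of the thread and not FreeRADIUS code: it builds two throwaway CAs ("old-ca" and "new-ca", made-up names), issues a server certificate from the new one, and runs the same chain check a client performs, using the openssl command line. It assumes openssl is on PATH; the host name in the CSR is invented. The same check_chain call, pointed at the real ${certdir}/server.crt and the CA file that is actually deployed on the clients, tells you in one line whether the certificate the server presents is one the clients can validate. The extendedKeyUsage=serverAuth extension is included because Windows and Android supplicants reject a RADIUS server certificate that lacks it, which is a second, independent reason a freshly issued server certificate can fail where the old one worked.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): reproduce "client trusts
# the old CA, server presents a certificate from the new CA" with throwaway
# keys and check the server certificate the way a supplicant does.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# make_ca NAME: self-signed CA cert + key. NAME is a made-up label.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" 2>/dev/null
}

# issue_server_cert CANAME: server cert signed by CANAME, carrying the
# serverAuth EKU that Windows/Android supplicants require in a RADIUS
# server certificate. The CN is an invented host name.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=radius.example.internal" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
  openssl x509 -req -in server.csr -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -extfile server.ext -out server.crt 2>/dev/null
}

# check_chain CAFILE CERT: prints "ok" if CERT chains to CAFILE and is
# usable as a TLS server certificate, "fail" otherwise. This is the
# decision the client makes when it receives the server Certificate
# message; "fail" is followed by the client dropping the handshake.
check_chain() {
  if openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# ca_of CERT: the issuer DN, to compare against the CA installed on clients.
ca_of() {
  openssl x509 -in "$1" -noout -issuer
}

make_ca old-ca
make_ca new-ca
issue_server_cert new-ca

echo "server.crt $(ca_of server.crt)"
echo "verify against old-ca: $(check_chain old-ca.crt server.crt)"
echo "verify against new-ca: $(check_chain new-ca.crt server.crt)"
```

On a real server, run `check_chain /path/to/ca-deployed-on-clients.crt /etc/freeradius/3.0/certs/server.crt`; a "fail" result means the clients need the new CA installed (or the server certificate must be issued by the CA they already have), and `ca_of` on the old and new server.crt shows at a glance which CA each was issued by.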
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html