EAP/TLS TLS_accept error
henry1412
Tue Dec 9 17:55:47 PST 2008
Hi:
I want to build an IEEE 802.1X authentication environment and
I have installed freeradius-1.0.2, openssl-0.9.8i, hostapd-0.4.8 and wpa_supplicant-0.4.8. The authentication server is built on Red Hat 9,
the database is MySQL 5 and the client is built on Linux.
I can use the EAP/MD5 authentication type and it runs well.
When I configure the EAP/TLS-MD5 type, the client can't be authenticated.
I have referred to many similar solutions to resolve it, but I have failed.
I list my configuration files and the debug information below.
Who can give me some suggestions? Thank you very much for your help!
A. IN FREERADIUS:
1. Using CA.all to generate certificates:
/CA.all
Get those new files:
cert-clt.der cert-clt.p12 cert-clt.pem
cert-srv.p12 cert-srv.pem newcert.pem
newreq.pem root.der root.p12 root.pem
The default protection password is whatever
2. Generate Diffie-Hellman key named dh and random key named random
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
3. eap.conf
default_eap_type = tls
tls {
    private_key_password = whatever
    private_key_file = /etc/mycerts/cert-srv.pem
    certificate_file = /etc/mycerts/cert-srv.pem
    CA_file = /etc/mycerts/root.pem
    dh_file = /etc/mycerts/dh
    random_file = /etc/mycerts/random
    fragment_size = 1024
    include_length = yes
}
4. radiusd.conf
authorize {
    preprocess
    suffix
    eap
    files
    sql
}
authenticate {
    eap
}
5. users
DEFAULT Auth-Type = EAP
        Fall-Through = 1
6. Part of the debug information
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0822], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0071], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
6533:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
6533:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails
B. IN HOSTAPD
1. Some debug information
RADIUS packet matching with station 00:13:d7:20:00:90
IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state FAIL
IEEE 802.1X: Sending EAP Packet to 00:13:d7:20:00:90 (identifier 4)
IEEE 802.1X: 00:13:d7:20:00:90 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:13:d7:20:00:90 AUTH_PAE entering state HELD
br0: STA 00:13:d7:20:00:90 IEEE 802.1X: authentication failed
IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state IDLE
C. IN WPA_SUPPLICANT
1. wired.conf
# IEEE 802.1X with EAP-TLS
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
eapol_version=1
network={
    ssid=""
    key_mgmt=IEEE8021X
    eap=TLS
    identity="test"
    ca_cert="/root/root.pem"
    client_cert="/root/cert-clt.pem"
    private_key="/root/cert-clt.pem"
    private_key_passwd="whatever"
    eapol_flags=0
    priority=2
}
2. Some debug information
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 9 (certificate is not yet valid) depth 1
SSL: (where=0x4008 ret=0x22a)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
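In the supplicant log above, "certificate is not yet valid ... depth 1" means the client rejected the server's chain because its own clock predates the notBefore date of the issuer certificate (root.pem), and the server then sees only the resulting bad_certificate alert (number 42). The Go program below is an added example, not code from this thread or from FreeRADIUS, hostapd or wpa_supplicant: it issues a constructed root and server certificate dated when CA.all ran and verifies the chain once with the client clock six months behind and once with it correct. The certificate names and the amount of skew are assumptions, and Go checks the leaf before the issuer whereas OpenSSL walks from the root down, which is why the log reports depth 1.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a constructed test certificate; a nil parent means a self-signed root.
func makeCert(cn string, serial int64, from, to time.Time, isCA bool,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // the root signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainStatus replays the supplicant's check of the server chain with the verifier's clock at now.
func ChainStatus(server, root *x509.Certificate, now time.Time) string {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	if err == nil {
		return "ok"
	}
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.Expired && now.Before(inv.Cert.NotBefore) {
		return "certificate is not yet valid: " + inv.Cert.Subject.CommonName
	}
	return err.Error() // expired, unknown CA, name mismatch, ...
}

// Scenario mirrors the thread: root and server certs issued when CA.all ran on 2008-12-09 (assumed date).
func Scenario() (behind, correct string) {
	issued := time.Date(2008, 12, 9, 17, 0, 0, 0, time.UTC)
	root, rootKey := makeCert("Test CA", 1, issued, issued.AddDate(10, 0, 0), true, nil, nil)
	srv, _ := makeCert("radius server", 2, issued, issued.AddDate(1, 0, 0), false, root, rootKey)
	// first with the client's clock six months behind, then with it set correctly
	return ChainStatus(srv, root, issued.AddDate(0, -6, 0)), ChainStatus(srv, root, issued.AddDate(0, 0, 1))
}
```

The same comparison can be made on a real client with `openssl x509 -in root.pem -noout -dates` against `date`; any notBefore later than the client's clock reproduces error 9.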