-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hello,
i have a problem with the crl list in the EAP-TLS auth
EAP-TLS works with my user certs
if check_crl = yes in the eap.conf
all certs a reject
-
-----------------------------------------log-----------------------------------------------------------------
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 02e1], Certificate
- --> verify error:num=3:unable to get certificate CRL
chain-depth=0,
error=3
- --> User-Name = note1
- --> BUF-Name = note1
- --> subject = /C=DE/ST=Sachsen-Anhalt/L=Halberstadt/O=Neue Medien und Netzwerke
GbR/CN=note1/[EMAIL PROTECTED]
- --> issuer = /C=DE/ST=Sachsen-Anhalt/L=Halberstadt/O=Neue Medien und Netzwerke
GbR/OU=Funklan CA/CN=Funklan CA/[EMAIL PROTECTED]
- --> verify return:0
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
19229:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned:s3_srvr.c:2010:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 0 to 192.168.0.15:49152
EAP-Message = 0x010500110d800000000715030100020230
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50f4f705a040bb56d46013697986ce24
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.0.15:49152, id=1, length=171
User-Name = "note1"
NAS-IP-Address = 192.168.0.15
Called-Station-Id = "00-01-CD-0B-26-AE"
Calling-Station-Id = "00-02-2D-4A-DB-7E"
NAS-Identifier = "HFL-APC-GWS1"
NAS-Port = 0
Framed-MTU = 1492
State = 0x50f4f705a040bb56d46013697986ce24
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500060d00
Message-Authenticator = 0xb6fae714f40c757bb2457ed05bf07f08
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "note1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack alert
eaptls_verify returned 4
eaptls_process returned 4
rlm_eap: Handler failed in EAP/tls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 5 seconds...
- --- Walking the entire request list ---
Sending Access-Reject of id 1 to 192.168.0.15:49152
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
-
----------------------------------------log------------------------------------------------
the cacert.pm and the crl.pem are same directory
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAkFIDOcACgkQnNdYap7KChnsVgCeIMNUgZv92i7sCAabSWTkW8KU
XawAoMPrTQi+UZ8KQEaZWecja3Aoa2WV
=ysbZ
-----END PGP SIGNATURE-----
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
