On 06/28/2011 08:41 AM, Marco Londero wrote:
Hi folks,
I have a problem in my freeradius setup and I'm looking for some hints
about that.
Scenario:
1) GNU/Linux client w/ WPA supplicant configured to request access through
EAP-TLS using a certificate (in order to achieve 802.1x ethernet
authentication)
2) 802.1x enabled switch where client is connected
3) user/pass 802.1x authentication works fine (MSCHAPv2 based)
4) freeradius authenticates users on LDAP
Freeradius debug log of the issue is here:
Debug logs should be a) not trimmed and b) gathered with "radiusd -X |
tee log" for best effect. However:
-------
http://pastie.org/2132916
-------
All certificates should be ok (both on server and client):
Well, they're not. The debug says:
Mon Jun 27 15:42:13 2011 : Info: [tls] <<< TLS 1.0 Handshake [length
0566], Certificate
Mon Jun 27 15:42:13 2011 : Error: --> verify error:num=20:unable to get
local issuer certificate
Mon Jun 27 15:42:13 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002],
fatal unknown_ca
Mon Jun 27 15:42:13 2011 : Error: TLS Alert write:fatal:unknown CA
Mon Jun 27 15:42:13 2011 : Error: TLS_accept:error in SSLv3 read
client certificate B
Mon Jun 27 15:42:13 2011 : Error: rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Jun 27 15:42:13 2011 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Since you've trimmed the debug I can't see the config for your tls { }
module, but you're missing a CA somewhere.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html