Re: EAP/TLS TLS_accept error

2008-12-10 Thread Alan DeKok
henry1412 wrote:
>>> I want to build an IEEE 802.1X authentication environment and
>>> I have installed freeradius-1.0.2,
>> Why? It's outdated and has serious security flaws in EAP.
> I just did some testing with the old version, which had more documents. It seems
> the old version can also run well, but I can't configure it to run. Can
> you give me some suggestions on these old versions?

  Upgrade.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP/TLS TLS_accept error

2008-12-10 Thread henry1412
Under my current freeradius and AP configuration, I can be successfully
authenticated by a Windows XP client, but it fails with a Linux client running
wpa_supplicant-0.4.8. What's wrong with my settings? Is my wpa_supplicant
version too old, or does my wpa_supplicant config file have some problem?

Re: EAP/TLS TLS_accept error

2008-12-10 Thread tnt
> Under my current freeradius and AP configuration, I can be successfully
> authenticated by a Windows XP client, but it fails with a Linux client running
> wpa_supplicant-0.4.8. What's wrong with my settings? Is my wpa_supplicant
> version too old, or does my wpa_supplicant config file have some problem?

And you are asking this on freeradius list because ...

Ivan Kalik
Kalik Informatika ISP



EAP/TLS TLS_accept error

2008-12-09 Thread henry1412
  
Hi:
 
I want to build an IEEE 802.1X authentication environment and
I have installed freeradius-1.0.2, openssl-0.9.8i, hostapd-0.4.8 and
wpa_supplicant-0.4.8. The authentication server is built on Red Hat 9,
the database is MySQL 5 and the client is built on Linux.
 
I can use the EAP/MD5 authentication type and it runs well.
When I configure the EAP/TLS-MD5 type, the client can't be authenticated.
I have referenced many similar ways to resolve it, but I have failed.
 
I list my configuration files and the debug information below.
Can anyone give me some suggestions? Thank you very much for your help!
 
A. IN FREERADIUS:
 
1. Using CA.all to generate certificates:
/CA.all
Get those new files:
cert-clt.der cert-clt.p12 cert-clt.pem
cert-srv.p12 cert-srv.pem newcert.pem
newreq.pem root.der root.p12 root.pem
The default protect password is whatever
2. Generate Diffie-Hellman key named dh and random key named random
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
3. eap.conf
default_eap_type = tls
tls {
private_key_password = whatever
private_key_file = /etc/mycerts/cert-srv.pem
certificate_file = /etc/mycerts/cert-srv.pem
CA_file = /etc/mycerts/root.pem
dh_file = /etc/mycerts/dh
random_file = /etc/mycerts/random
fragment_size = 1024
include_length = yes
}
4. radius.conf
authorize {
preprocess
suffix
eap
files
sql
}
authenticate {
eap
}
5. users
DEFAULT Auth-Type = EAP
        Fall-Through = 1
6. part of debug information
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
(other): before/accept initialization 
TLS_accept: before/accept initialization 
  rlm_eap_tls:  TLS 1.0 Handshake [length 0061], ClientHello  
TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello  
TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls:  TLS 1.0 Handshake [length 0822], Certificate  
TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls:  TLS 1.0 Handshake [length 0071], CertificateRequest  
TLS_accept: SSLv3 write certificate request A 
TLS_accept: SSLv3 flush data 
TLS_accept:error in SSLv3 read client certificate A 
In SSL Handshake Phase 
In SSL Accept mode 
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate 
TLS_accept:failed in SSLv3 read client certificate A 
TLS_accept: SSLv3 write server done A 
TLS_accept: SSLv3 flush data 
TLS_accept:error in SSLv3 read client certificate A 
rlm_eap_tls: Done initial handshake
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate 
TLS_accept:failed in SSLv3 read client certificate A 
6533:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
certificate:s3_pkt.c:1052:SSL alert number 42
6533:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake 
failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase 
In SSL Accept mode  
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails
 
B. IN HOSTAPD
 
1. some debug information
RADIUS packet matching with station 00:13:d7:20:00:90
IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state FAIL
IEEE 802.1X: Sending EAP Packet to 00:13:d7:20:00:90 (identifier 4)
IEEE 802.1X: 00:13:d7:20:00:90 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:13:d7:20:00:90 AUTH_PAE entering state HELD
br0: STA 00:13:d7:20:00:90 IEEE 802.1X: authentication failed
IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state IDLE
 
C. IN WPA_SUPPLICANT
 
1. wired.conf
# IEEE 802.1X with EAP-TLS
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
eapol_version=1
network={
 ssid=
 key_mgmt=IEEE8021X
 eap=TLS
 identity=test
 ca_cert=/root/root.pem
 client_cert=/root/cert-clt.pem
 private_key=/root/cert-clt.pem
 private_key_passwd=whatever
 eapol_flags=0
 priority=2
}
2. some debug information
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 9 (certificate is not yet valid) 
depth 1 
SSL: (where=0x4008 ret=0x22a)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate
SSL: (where=0x1002 ret=0x)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending
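As an added triage example (not code from this thread, nor from FreeRADIUS or wpa_supplicant), the script below parses the two debug excerpts posted above and reports which side rejected which certificate and why. The sample log lines are reconstructed from the posted output; the error-code and alert-number tables are OpenSSL's X509_V_ERR_* values and the TLS alert descriptions from RFC 5246. Read together, the two logs say the supplicant refused the certificate at depth 1 (the issuer of the server certificate) because it is "not yet valid", wrote a fatal bad_certificate alert, and the server's TLS_accept error is that same alert (number 42) arriving; the place to look is therefore the client's clock against the CA certificate's notBefore date, not the RADIUS side.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# OpenSSL X509_V_ERR_* codes as printed in wpa_supplicant's
# "Certificate verification failed, error N (...) depth D" line.
X509_VERIFY_ERRORS: Dict[int, str] = {
    9: "certificate is not yet valid (notBefore is later than the verifier's clock)",
    10: "certificate has expired (notAfter is earlier than the verifier's clock)",
    18: "the leaf certificate is self-signed",
    19: "a self-signed certificate in the chain is not in the trust store",
    20: "unable to get local issuer certificate (wrong or missing ca_cert)",
    21: "unable to verify the first certificate",
    27: "certificate not trusted",
}

# TLS alert descriptions (RFC 5246 section 7.2.2) behind OpenSSL's "SSL alert number N".
TLS_ALERTS: Dict[int, str] = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}


@dataclass
class Finding:
    side: str             # "supplicant" or "server"
    kind: str             # "verify_error", "alert_sent" or "alert_received"
    code: int             # X509 verify error code or TLS alert number (-1 if unknown)
    depth: Optional[int]  # chain depth for verify errors, otherwise None
    detail: str


VERIFY_RE = re.compile(r"Certificate verification failed, error (\d+) \(([^)]*)\)\s*depth (\d+)")
# Assumption: OpenSSL alert names are one or two space-separated words ("bad certificate").
ALERT_WRITE_RE = re.compile(r"SSL3 alert: write[^:]*:fatal:(\w+(?: \w+)?)")
ALERT_NUM_RE = re.compile(r"SSL alert number (\d+)")


def _flatten(lines: List[str]) -> str:
    """Rejoin debug lines that a mail client wrapped, so a split message still matches."""
    return " ".join(line.strip() for line in lines)


def depth_name(depth: int) -> str:
    """Translate OpenSSL's verify depth into which certificate of the chain it names."""
    if depth == 0:
        return "the peer's own (leaf) certificate"
    if depth == 1:
        return "the certificate that issued the peer's certificate (chain depth 1)"
    return f"the certificate at chain depth {depth}"


def parse_supplicant(lines: List[str]) -> List[Finding]:
    """Extract verify failures and alerts the client wrote from wpa_supplicant -d output."""
    text = _flatten(lines)
    findings = []
    for code, msg, depth in VERIFY_RE.findall(text):
        code_i = int(code)
        findings.append(Finding("supplicant", "verify_error", code_i, int(depth),
                                X509_VERIFY_ERRORS.get(code_i, msg)))
    for name in ALERT_WRITE_RE.findall(text):
        findings.append(Finding("supplicant", "alert_sent", -1, None, name.strip()))
    return findings


def parse_server(lines: List[str]) -> List[Finding]:
    """Extract alerts the server received from radiusd -X output."""
    text = _flatten(lines)
    return [Finding("server", "alert_received", int(n), None, TLS_ALERTS.get(int(n), "unknown"))
            for n in ALERT_NUM_RE.findall(text)]


def diagnose(supplicant_lines: List[str], server_lines: List[str]) -> str:
    """Correlate both logs and say which side decided and what to check first."""
    sup = parse_supplicant(supplicant_lines)
    srv = parse_server(server_lines)
    verify = [f for f in sup if f.kind == "verify_error"]
    sent = [f for f in sup if f.kind == "alert_sent"]
    received = [f for f in srv if f.kind == "alert_received"]
    if verify:
        v = verify[0]
        msg = f"The supplicant rejected {depth_name(v.depth or 0)}: {v.detail}."
        if sent and any(r.detail == sent[0].detail.replace(" ", "_") for r in received):
            msg += (" The server's 'TLS Alert read:fatal:" + sent[0].detail + "' is that same alert"
                    " arriving, so the TLS_accept error is a consequence of the client's decision,"
                    " not its cause.")
        if v.code in (9, 10):
            msg += (" Check the supplicant's clock against the certificate's notBefore/notAfter"
                    " (openssl x509 -in <file> -noout -dates) before changing the RADIUS configuration.")
        return msg
    if received:
        r = received[0]
        return (f"Server received alert {r.code} ({r.detail}) but the supplicant log shows no"
                " verify error; capture the client side at a higher debug level.")
    return "No certificate-related failure found in the supplied lines."


# Constructed sample lines, reconstructed from the debug output posted above.
SUPPLICANT_LOG = [
    "SSL: SSL_connect:SSLv3 read server hello A",
    "TLS: Certificate verification failed, error 9 (certificate is not yet valid)",
    "depth 1",
    "SSL: (where=0x4008 ret=0x22a)",
    "SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate",
    "SSL: SSL_connect:error in SSLv3 read server certificate B",
]
SERVER_LOG = [
    "  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal bad_certificate",
    "TLS Alert read:fatal:bad certificate",
    "TLS_accept:failed in SSLv3 read client certificate A",
    "6533:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad",
    "certificate:s3_pkt.c:1052:SSL alert number 42",
]

if __name__ == "__main__":
    print(diagnose(SUPPLICANT_LOG, SERVER_LOG))
```

The lines are joined before matching because the mailing-list copy wraps "error 9 (...)" and "depth 1" onto separate lines, as it does the server's "sslv3 alert bad / certificate ... SSL alert number 42"; a per-line parser would miss both. The same parser handles an expired certificate (error 10) or a missing issuer (error 20) at depth 0 on a different setup.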

Re: EAP/TLS TLS_accept error

2008-12-09 Thread John Dennis

henry1412 wrote:

> I want to build an IEEE 802.1X authentication environment and
> I have installed freeradius-1.0.2, openssl-0.9.8i, hostapd-0.4.8 and
> wpa_supplicant-0.4.8. The authentication server is built on Red Hat 9,
> the database is MySQL 5 and the client is built on Linux.

Most of these software versions are very old. You may want to consider 
using current versions to mitigate your frustrations and minimize errors.


--
John Dennis [EMAIL PROTECTED]


Re: EAP/TLS TLS_accept error

2008-12-09 Thread tnt
> I want to build an IEEE 802.1X authentication environment and
> I have installed freeradius-1.0.2,

Why? It's outdated and has serious security flaws in EAP.

Ivan Kalik
Kalik Informatika ISP
