Hi,
I'm running into an issue where FreeRADIUS allows an invalid certificate (one
not signed by my configured CA) to successfully authenticate to EAP-TLS.
There's a message in the log that clearly indicates that the CA wasn't found
(-- verify error:num=20:unable to get local issuer certificate), yet my
authentication succeeds.
I'm using FreeRADIUS version 2.1.10 with a largely default configuration
(home-grown certificates).
I want this authentication to fail because the certificate that the client is
using was not signed by the CA that I have configured with the CA_file
directive; therefore it should be considered an invalid EAP-TLS attempt.
Has anyone seen this before?
I couldn't find any related messages in the FreeRADIUS archive.
Thanks,
Here's the log:
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=39, length=189
User-Name = AutomationUser
NAS-IP-Address = 192.168.19.12
NAS-Identifier = honeybutter
NAS-Port = 0
Called-Station-Id = 00-19-77-1F-8A-D1:HiveAP120-WPA2
Calling-Station-Id = 00-25-00-43-5E-13
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x0213014175746f6d6174696f6e55736572
Message-Authenticator = 0xebf0b398f32dc38984552b06634ef90e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = AutomationUser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 39 to 192.168.19.12 port 1035
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0xd2fcae5dd2fda306cc163ff247674563
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=40, length=352
User-Name = AutomationUser
NAS-IP-Address = 192.168.19.12
NAS-Identifier = honeybutter
NAS-Port = 0
Called-Station-Id = 00-19-77-1F-8A-D1:HiveAP120-WPA2
Calling-Station-Id = 00-25-00-43-5E-13
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020100a40d80009a1603010095019103014cb5184f29200ee95888008e509e4cf7d61e39b9688acd0a179f3f12fd982b0356c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010112000a00080006001700180019000b00020100
State = 0xd2fcae5dd2fda306cc163ff247674563
Message-Authenticator = 0xbaf4c3763aa24c9f8ecb1bc1695bfbe4
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = AutomationUser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 164
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 154
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] TLS 1.0 Handshake [length 0095], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] TLS 1.0 Handshake [length 069f], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls]