RE: EAP-TLS Certificate problems.

2006-10-10 Thread Brian vb
Got it up and running. Partially your help, and partially me going and
forcefully breaking something to see what errors cropped up. Renamed the
original PEM directory in OpenSSL and all sorts of errors popped up that led
me to the discovery it was still using the DemoCA's CA to make the client
and server certs, and not the CA created by the script. I've since got that
fixed and it all works perfect now.

Best way to fix a noncritical is to break it and see what goes really wrong!
;)

Thanks,
Brian.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED] On Behalf Of Jason-
 Wittlin-Cohen
 Sent: Monday, October 09, 2006 1:45 PM
 To: freeradius-users@lists.freeradius.org
 Subject: RE: EAP-TLS Certificate problems.
 
  Date: Mon, 9 Oct 2006 11:26:51 -0400
  From: Brian vb [EMAIL PROTECTED]
  Subject: RE: EAP-TLS Certificate problems.
  To: 'FreeRadius users mailing list'
  freeradius-users@lists.freeradius.org
  Message-ID: [EMAIL PROTECTED]
  Content-Type: text/plain;   charset=us-ascii
 
  Recreated certs, same issue came with the Issuer field. XPExtensions are
  used. Password is the same in this file and what Freeradius has, just
  changed to protect it.
 
 
  Here is the batch file I'm using to create the certs. I don't see anything
  amiss between it and the page you sent.. any ideas?
 
 
  PATH=C:\openssl\bin;C:\ssl1;%path%
  export LD_LIBRARY_PATH=C:\openssl\lib
 
 
  CD\SSL1
 
  REM CA Creation
  C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
  -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
  C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts
  -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
  C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin
  pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
  C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out
  root.der
 
 I'm not sure what you're doing here. First,
 
  C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
  -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
 You're outputting the private key and public key to the same file. I'm
 not sure if this will include both in the same file, or only create
 one. Regardless, it's not what you want to do. Give the files unique
 names. The clients and server need the public key and only the
 certificate signing machine needs the private key. You don't want to
 combine the keys.
 
 To create a CA:
 
 openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days
 365 -config openssl.cnf
 
 Also, why are you creating a p12 file for the CA? You certainly don't
 want to hand out the private key to clients, and for certificate
 signing, you only need the private key which can be stored in
 cakey.pem for example. Clients should be given cacert.pem or
 cacert.der depending on the format you use. The p12 format should only
 be used for client certs because those need to combine private key +
 certificate (at least for the MS supplicant).
 
 
  REM Client cert Create
  C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
  -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
 Again, -keyout is used to create the private key, and -out to create
 the certificate signing request which is then passed on to the CA
 later. You're using the same filename, so I have no idea what's
 happening. Either you have a certificate signing request and no key,
 or a key without a signing request. Either way, it won't work.
 
 
 You need to do something like this:
 
 openssl req -new -keyout client_key.pem \
 -out client_req.pem -days 730 -config ./openssl.cnf
 
 Notice that the key and the signing request are given different names.
 
 
  C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
  pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile
  xpexts -infiles newreq.pem
 
  C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
  cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout
  pass:PassCodeRemoved
 
  C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin
  pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
  C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out
  cert-clt.der
 
 So, you convert from a PEM certificate and PEM key, to a P12 cert+key,
 to a PEM cert+key to  DER cert+key. Why? The P12 cert+key will work
 fine.
 
 
  REM Server Cert Create
  C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
  -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
 Again, the key and certificate signing request must be given different
 names or else your setup will fail.
 
 
  C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
  pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile

RE: EAP-TLS Certificate problems.

2006-10-09 Thread Brian vb
Recreated certs, same issue came with the Issuer field. XPExtensions are
used. Password is the same in this file and what Freeradius has, just changed
to protect it.


Here is the batch file I'm using to create the certs. I don't see anything
amiss between it and the page you sent.. any ideas?


PATH=C:\openssl\bin;C:\ssl1;%path%
export LD_LIBRARY_PATH=C:\openssl\lib


CD\SSL1

REM CA Creation
C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
-days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out
root.der

REM Client cert Create
C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile
xpexts -infiles newreq.pem

C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout
pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out
cert-clt.der

REM Server Cert Create
C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile
xpexts -infiles newreq.pem

C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
cert-srv.p12 -clcerts -passin pass:PassCodeRemoved -passout
pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-srv.pem -out
cert-srv.der

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED] On Behalf Of Jason
 Wittlin-Cohen
 Sent: Monday, October 09, 2006 12:12 AM
 To: freeradius-users@lists.freeradius.org
 Subject: EAP-TLS Certificate problems.
 
 Brian vb said: Ca is in trusted root stores under Current User, and
 client is in Personal
 under Current User. One thing I see when viewing the certs is the Root
 has
 Locker Systems (using a random name to keep the identity of my company
 out
 of the certs) as the issuer and the client has SSLeay Demoserver.. looks
 like OpenSSL didn't make the certs right for some odd reason.. its like it
 used its own CA root or something else happened. I will recreate the certs
 but I'm quite sure I entered the same data in all certs except commonname
 which I made the same as the machine the cert will reside on. Root ca
 common
 name didn't match any machine name. Where should the CA be? Machine or
 User?
 
 First, when you create the server and client certificates you need to use
 the Microsoft attributes for
 Server and Client authentication.
 
 [ xpclient_ext]
 extendedKeyUsage = 1.3.6.1.5.5.7.3.2
 [ xpserver_ext ]
 extendedKeyUsage = 1.3.6.1.5.5.7.3.1
 
 I would suggest following the instructions here:
 http://www.linuxjournal.com/node/8095/print
 The howto is for setup of Freeradius on Linux, but it should be similar on
 Windows because
 it's the OpenSSL commands that matter when creating the certs.
 
 In order to find out if the certificate is correct, you can double click
 the certificate in the Personal store
 and go to Certification Path. You should see the certificate common name
 as well as the common name of your Root CA.
 If you don't something is wrong. You should also see This certificate is
 OK in the Certificate status box.
 If this isn't the case, either the certificate was signed by the wrong CA,
 or the Root CA wasn't properly loaded into the User
 Trusted Root Certificate Authorities store.
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



RE: EAP-TLS Certificate problems.

2006-10-09 Thread Jason-Wittlin-Cohen

Date: Mon, 9 Oct 2006 11:26:51 -0400
From: Brian vb [EMAIL PROTECTED]
Subject: RE: EAP-TLS Certificate problems.
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii

Recreated certs, same issue came with the Issuer field. XPExtensions are
used. Password is the same in this file and what Freeradius has, just changed
to protect it.


Here is the batch file I'm using to create the certs. I don't see anything
amiss between it and the page you sent.. any ideas?


PATH=C:\openssl\bin;C:\ssl1;%path%
export LD_LIBRARY_PATH=C:\openssl\lib


CD\SSL1

REM CA Creation
C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
-days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out
root.der


I'm not sure what you're doing here. First,

C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
-days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved


You're outputting the private key and public key to the same file. I'm
not sure if this will include both in the same file, or only create
one. Regardless, it's not what you want to do. Give the files unique
names. The clients and server need the public key and only the
certificate signing machine needs the private key. You don't want to
combine the keys.

To create a CA:

openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days
365 -config openssl.cnf

Also, why are you creating a p12 file for the CA? You certainly don't
want to hand out the private key to clients, and for certificate
signing, you only need the private key which can be stored in
cakey.pem for example. Clients should be given cacert.pem or
cacert.der depending on the format you use. The p12 format should only
be used for client certs because those need to combine private key +
certificate (at least for the MS supplicant).



REM Client cert Create
C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved


Again, -keyout is used to create the private key, and -out to create
the certificate signing request which is then passed on to the CA
later. You're using the same filename, so I have no idea what's
happening. Either you have a certificate signing request and no key,
or a key without a signing request. Either way, it won't work.


You need to do something like this:

openssl req -new -keyout client_key.pem \
-out client_req.pem -days 730 -config ./openssl.cnf

Notice that the key and the signing request are given different names.



C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile
xpexts -infiles newreq.pem

C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout
pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out
cert-clt.der


So, you convert from a PEM certificate and PEM key, to a P12 cert+key,
to a PEM cert+key to  DER cert+key. Why? The P12 cert+key will work
fine.



REM Server Cert Create
C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved


Again, the key and certificate signing request must be given different
names or else your setup will fail.



C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile
xpexts -infiles newreq.pem



Do you need these steps? Freeradius will use a separate certificate
and key in PEM format. It works fine for me. It seems like your setup
is overly complex. Keep it simple, and see if it works. Then you can
change file formats, etc.

For now, just make the changes I recommended and see if it gives you a
working CA and client/server certificates.


C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
cert-srv.p12 -clcerts -passin pass:PassCodeRemoved -passout
pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-srv.pem -out
cert-srv.der



Jason Wittlin-Cohen


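The layout Jason asks for, scripted end to end as an added example (not Brian's batch file, not Jason's, not FreeRADIUS project code): key, CSR and certificate in separate files, the xpclient_ext/xpserver_ext sections from his earlier message, and a second throwaway CA standing in for the demo CA, so the issuer, EKU and chain checks show what Brian's "SSLeay Demoserver" issuer problem looks like before FreeRADIUS or the XP supplicant ever see the certs. It assumes a POSIX shell with the openssl CLI, signs with `openssl x509 -req` instead of `openssl ca` (so no CA database is needed), and every name (Example Root CA, radius.example.test, the file names) is constructed here.

```shell
# Added example (not Brian's script or Jason's): the file layout Jason asks
# for, a second CA standing in for the demo CA, and the issuer / EKU / chain
# checks. Assumes POSIX sh and the openssl CLI; all names are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for every file below
cd "$WORK"

# One config: an empty DN section (-subj supplies the DN, so no prompts),
# CA extensions, and the two XP extension sections quoted in the thread
# (1.3.6.1.5.5.7.3.1 = serverAuth, 1.3.6.1.5.5.7.3.2 = clientAuth).
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# make_ca NAME CN: self-signed CA; private key and certificate in
# *different* files (NAME_key.pem stays on the signing box, NAME_cert.pem
# is what clients and FreeRADIUS get).
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -config openssl.cnf \
        -extensions ca_ext -keyout "${1}_key.pem" -out "${1}_cert.pem" \
        -days 365 -subj "/CN=$2" 2>/dev/null
}

# make_cert NAME CN CA EXTSECTION: key and CSR in different files, then the
# CSR is signed by CA with the named extension section. Signing uses
# 'openssl x509 -req' rather than 'openssl ca' so no CA database is needed.
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -keyout "${1}_key.pem" -out "${1}_req.pem" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "${1}_req.pem" -CA "${3}_cert.pem" -CAkey "${3}_key.pem" \
        -CAcreateserial -days 365 -extfile openssl.cnf -extensions "$4" \
        -out "${1}_cert.pem" 2>/dev/null
}

# issuer_of CERT: issuer DN in RFC 2253 form ("CN=Example Root CA"). This is
# the field Brian saw as "SSLeay Demoserver" in the MMC snap-in.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# eku_of CERT: the extendedKeyUsage line from -text output, e.g.
# "TLS Web Server Authentication" (empty if the extension is missing).
eku_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# chain_status CERT CA: "OK" when CERT chains to CA, otherwise openssl's
# reason. A cert from the wrong CA gives error 20 "unable to get local issuer
# certificate", the same verify error number FreeRADIUS logged in the thread.
chain_status() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        openssl verify -CAfile "$2" "$1" 2>&1 \
            | grep -o 'error [0-9]* at [0-9]* depth lookup:.*' | head -n 1
    fi
}

make_ca ca   "Example Root CA"
make_ca demo "SSLeay Demoserver"   # stands in for the demo CA that signed Brian's certs
make_cert server radius.example.test ca   xpserver_ext
make_cert client laptop.example.test ca   xpclient_ext
make_cert wrong  laptop.example.test demo xpclient_ext   # issued by the wrong CA

# Same three things to check on any cert before loading it anywhere.
for c in server client wrong; do
    printf '%-6s issuer=[%s] eku=[%s] chain=[%s]\n' "$c" \
        "$(issuer_of "${c}_cert.pem")" "$(eku_of "${c}_cert.pem")" \
        "$(chain_status "${c}_cert.pem" ca_cert.pem)"
done
```

The `wrong` line is the thread's failure reproduced on the signing box: issuer `CN=SSLeay Demoserver` and a chain error 20 against the real CA, which is what the supplicant and FreeRADIUS were reporting from opposite ends.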



RE: EAP-TLS Certificate problems.

2006-10-08 Thread Jason Wittlin-Cohen

 Hi, I'm trying to get Freeradius up and running on a WinXP box (win haters.
 be nice ;) ) I have downloaded, installed, and configured the Freeradius
 version from www.freeradius.net. The server starts seemingly without errors.
 However when I try to connect with my XP laptop I get a certificate error on
 the radius systems log. I have created 3 certificates, Root, Client, Server.
 The Root and Client certificates were installed via the MMC snapin and
 Import wizard in XP.  Any idea on what could be causing the errors? If I
 need to post file contents, let me know which ones. Using EAP-TLS(cert
 based) not EAP-TTLS(user-pass based). Xp laptop is stuck at Attempting to
 Authenticate.

Welcome to the Freeradius mailing list, and thank you for providing a
debug log to help us sort out this issue. The debug information will
tell you exactly why it's being rejected (i.e. no certificate was sent,
certificate was signed by another CA). I believe I know what's going wrong.

The CA public cert should be stored in the Trusted Root Certification
Authorities certificate store. If it's anywhere else, Windows won't
authenticate the server and it will look like it's failing, when it's
doing what you asked it to do. In this scenario you won't see any error
output from Freeradius because Windows has stopped attempting to connect.

Your user public certificate must be stored in either your User or
Machine Account Personal Certificate store (this is the first option
in the snap-in). Also, if you have more than one certificate in your
personal store, do not use simple certificate selection. Windows will
choose the one highest in the list (it did for me). Manually select the
certificate you want to use.

Read this howto and follow the Configuring Windows XP Clients guide.
It will tell you exactly what to do. See
http://www.linuxjournal.com/node/8151/print

Here is what's happening currently:

 Error 1 is seen if I have Validate Server Certificate check on the XP
 Laptop.

 --Error 1--
 Sat Oct  7 19:35:58 2006 : Error: TLS_accept:error in SSLv3 read client
 certificate A
 --

When you enable Server verification, Windows checks to see if the
server's certificate is signed by a trusted Root CA that you specify.
Since you didn't install the CA to the Trusted Root Certificate
Authorities certificate store, the Windows supplicant refuses to
continue authenticating and Freeradius has nothing to do. This error
doesn't actually mean anything. I see it when I have a successful login.
You're not seeing an error, which means the problem is on the client
side. This can be remedied by installing your Root CA in the Trusted
Root Certification Authorities certificate store.

Here's a successful authentication from my radiusd.log. You'll notice
the read client certificate A error. It can safely be ignored.

Sun Oct  8 03:13:56 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Sun Oct  8 03:13:56 2006 : Auth: Login OK: [Jason Wittlin-Cohen] (from
client WLAN port 8 cli 00095b93459e)

 Error 2 is seen if Validate is unchecked on the laptop

 --Error 2--
 Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client
 certificate A 
 Sat Oct  7 19:34:35 2006 : Error: -- verify error:num=20:unable to get
 local issuer certificate 
 Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA 
 Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client
 certificate B 
 Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a system
 call (-1), TLS session fails.
 Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/no
 User-Password attribute] (from client netnas port 11 cli 0014a5104864)
 -

Error 2 tells us exactly what the problem is. Unable to get local
issuer certificate AND Unknown CA. In other words, the certificate
used is not the one it should be using as it's signed by another CA.
This can be remedied by installing the correct certificate in the
Personal user certificate store and turning off simple certificate
selection.

I hope this resolves your problem.

Jason Wittlin-Cohen


Re: EAP-TLS Certificate problems.

2006-10-08 Thread Phil Mayers

Brian vb wrote:

 the radius systems log. I have created 3 certificates, Root, Client, Server.
 The Root and Client certificates were installed via the MMC snapin and
 Import wizard in XP.  Any idea on what could be causing the errors? If I

On the server, the certificates are in *files* yes?

 tls: private_key_file = C:/Docume~1/radius/rcerts/cert-srv.pem
 tls: certificate_file = C:/Docume~1/radius/rcerts/cert-srv.pem
 tls: CA_file = C:/Docume~1/radius/rcerts/root.pem
 tls: private_key_password = SuperSecretCode

They're there and valid?

 Sending Access-Challenge of id 50 to 10.1.1.189 port 1039
 EAP-Message = 0x0104000a0d80
 Message-Authenticator = 0x
 State = 0xd2f07585b4ad88459f3f0f28a7fa6fb2
 Finished request 2
 Going to the next request
 Waking up in 6 seconds...
 --- Walking the entire request list ---
 Cleaning up request 0 ID 48 with timestamp 45283c27
 Cleaning up request 1 ID 49 with timestamp 45283c27
 Cleaning up request 2 ID 50 with timestamp 45283c27
 Nothing to do.  Sleeping until we see a request.

This looks like the server certificate doesn't have the magic oids - the
XP client stops halfway through. Search the archives for magic oids

 Error 1 is seen if I have Validate Server Certificate check on the XP
 Laptop.

 --Error 1--
 Sat Oct  7 19:35:58 2006 : Error: TLS_accept:error in SSLv3 read client
 certificate A
 --

 Error 2 is seen if Validate is unchecked on the laptop

 --Error 2--
 Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client
 certificate A
 Sat Oct  7 19:34:35 2006 : Error: -- verify error:num=20:unable to get
 local issuer certificate
 Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
 Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client
 certificate B
 Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a system
 call (-1), TLS session fails.
 Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/no
 User-Password attribute] (from client netnas port 11 cli 0014a5104864)
 -



Since you've obviously performed some kind of surgery on the debug logs 
here, it's difficult to determine precisely what the context for these 
two errors are. What is the single, full, unaltered debug output for the 
failure case you're actually trying to solve?


RE: EAP-TLS Certificate problems.

2006-10-08 Thread Brian vb
CA is in trusted root stores under Current User, and client is in Personal
under Current User. One thing I see when viewing the certs is the Root has
Locker Systems (using a random name to keep the identity of my company out
of the certs) as the issuer and the client has SSLeay Demoserver.. looks
like OpenSSL didn't make the certs right for some odd reason.. it's like it
used its own CA root or something else happened. I will recreate the certs
but I'm quite sure I entered the same data in all certs except common name
which I made the same as the machine the cert will reside on. Root CA common
name didn't match any machine name. Where should the CA be? Machine or User?

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED] On Behalf Of Jason
 Wittlin-Cohen
 Sent: Sunday, October 08, 2006 2:13 PM
 To: freeradius-users@lists.freeradius.org
 Subject: RE: EAP-TLS Certificate problems.
 
 
  Hi, I'm trying to get Freeradius up and running on a WinXP box (win
 haters.
  be nice ;) ) I have downloaded, installed, and configured the Freeradius
  version from www.freeradius.net. The server starts seemingly without
 errors.
  However when I try to connect with my XP laptop I get a certificate
 error on
  the radius systems log. I have created 3 certificates, Root, Client,
 Server.
  The Root and Client certificates were installed via the MMC snapin and
  Import wizard in XP.  Any idea on what could be causing the errors? If I
  need to post file contents, let me know which ones. Using EAP-TLS(cert
  based) not EAP-TTLS(user-pass based). Xp laptop is stuck at Attempting
 to
  Authenticate.
 
 Welcome to the Freeradius mailing list, and thank you for providing
 debug log to help us sort out this issue. The debug information will
 tell you exactly why it's being rejected (i.e. no certificate was sent,
 certificate was signed by another CA). I believe I know what's going
 wrong.
 
 The CA public cert should be stored in the Trusted Root Certification
 Authorities certificate store. If it's anywhere else, Windows won't
 authenticate the server and it will look like it's failing, when it's
 doing what you asked it to do. In this scenario you won't see any error
 output from Freeradius because Windows has stopped attempting to connect.
 
 Your user public certificate must be stored in either your User or
 Machine Account Personal Certificate store (this is the first option
 in the snap-in). Also, if you have more than one certificate in your
 personal store, do not use simple certificate selection. Windows will
 choose the one highest in the list (it did for me). Manually select the
 certificate you want to use.
 
 Read this howto and follow the Configuring Windows XP Clients guide.
 It will tell you exactly what to do. See
 http://www.linuxjournal.com/node/8151/print
 
 Here is what's happening currently:
 
  Error 1 is seen if I have Validate Server Certificate check on the XP
  Laptop.
 
  --Error 1--
  Sat Oct  7 19:35:58 2006 : Error: TLS_accept:error in SSLv3 read
 client
  certificate A
  --
 
 
 When you enable Server verification, Windows checks to see if the
 server's certificate is signed by a trusted Root CA that you specify.
 Since you didn't install the CA to the Trusted Root Certificate
 Authorities certificate store, the Windows supplicant refuses to
 continue authenticating and Freeradius has nothing to do. This error
 doesn't actually mean anything. I see it when I have a successful login.
 You're not seeing an error, which means the problem is on the client
 side. This can be remedied by installing your Root CA in the Trusted
 Root Certification Authorities certificate store.
 
 Here's a successful authentication from my radiusd.log. You'll notice
 the read client certificate A error. It can safely be ignored.
 
 Sun Oct  8 03:13:56 2006 : Error: TLS_accept:error in SSLv3 read
 client certificate A
 Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error
 error::lib(0):func(0):reason(0)
 Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error
 error::lib(0):func(0):reason(0)
 Sun Oct  8 03:13:56 2006 : Auth: Login OK: [Jason Wittlin-Cohen] (from
 client WLAN port 8 cli 00095b93459e)
 
  Error 2 is seen if Validate is unchecked on the laptop
 
  --Error 2--
  Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read
 client
  certificate A
  Sat Oct  7 19:34:35 2006 : Error: -- verify error:num=20:unable to get
  local issuer certificate
  Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
  Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read
 client
  certificate B
  Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a
 system
  call (-1), TLS session fails.
  Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/no
  User-Password attribute] (from client netnas port 11 cli 0014a5104864)
  -
 
 
 Error 2 tells us exactly what the problem is. Unable to get local
 issuer

RE: EAP-TLS Certificate problems.

2006-10-08 Thread Brian vb
The surgery performed was simply to remove the repeating lines and define
the two separate errors. Certs are in files, user has permission to read
them (buried it in the user's own profile directory to secure them better).
I have the XpExtensions and it's referenced in the cert creation batch file I
have.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED] On Behalf Of Phil
 Mayers
 Sent: Sunday, October 08, 2006 3:33 PM
 To: FreeRadius users mailing list
 Subject: Re: EAP-TLS Certificate problems.
 
 Brian vb wrote:
  the radius systems log. I have created 3 certificates, Root, Client,
 Server.
  The Root and Client certificates were installed via the MMC snapin and
  Import wizard in XP.  Any idea on what could be causing the errors? If I
 
 On the server, the certificates are in *files* yes?
 
   tls: private_key_file = C:/Docume~1/radius/rcerts/cert-srv.pem
   tls: certificate_file = C:/Docume~1/radius/rcerts/cert-srv.pem
   tls: CA_file = C:/Docume~1/radius/rcerts/root.pem
   tls: private_key_password = SuperSecretCode
 
 They're there and valid?
 
  Sending Access-Challenge of id 50 to 10.1.1.189 port 1039
  EAP-Message = 0x0104000a0d80
  Message-Authenticator = 0x
  State = 0xd2f07585b4ad88459f3f0f28a7fa6fb2
  Finished request 2
  Going to the next request
  Waking up in 6 seconds...
  --- Walking the entire request list ---
  Cleaning up request 0 ID 48 with timestamp 45283c27
  Cleaning up request 1 ID 49 with timestamp 45283c27
  Cleaning up request 2 ID 50 with timestamp 45283c27
  Nothing to do.  Sleeping until we see a request.
 
 This looks like the server certificate doesn't have the magic oids - the
 XP client stops halfway through. Search the archives for magic oids
 
 
 
 
  Error 1 is seen if I have Validate Server Certificate check on the XP
  Laptop.
 
  --Error 1--
  Sat Oct  7 19:35:58 2006 : Error: TLS_accept:error in SSLv3 read
 client
  certificate A
  --
 
 
 
 
 
  Error 2 is seen if Validate is unchecked on the laptop
 
  --Error 2--
  Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read
 client
  certificate A
  Sat Oct  7 19:34:35 2006 : Error: -- verify error:num=20:unable to get
  local issuer certificate
  Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
  Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read
 client
  certificate B
  Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a
 system
  call (-1), TLS session fails.
  Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/no
  User-Password attribute] (from client netnas port 11 cli 0014a5104864)
  -
 
 
 Since you've obviously performed some kind of surgery on the debug logs
 here, it's difficult to determine precisely what the context for these
 two errors are. What is the single, full, unaltered debug output for the
 failure case you're actually trying to solve?
