RE: wpa_supplicant(eapol_test) with freeradius: error coming in TLS
Hi,

I made the following change and it worked for me. In Makefile (/usr/local/etc/raddb/certs/), I passed the input files of the ca rather than those of the server while creating the client certificate.

Regards,
Gaurav Kansal
Velankani Software Private Limited,
43, Electronics City, Phase - 2, Hosur Road, Bangalore - 560100
Phone : +91 80 4037 5300/01 Extn. # 5401
Direct: +91 80 4037 5401
Fax : +91 80 4037 5303
Mobile: +91 98454 22400
[EMAIL PROTECTED]
www.velankani.com
"Every Customer is a Reference Customer"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, July 09, 2008 8:58 PM
To: FreeRadius users mailing list
Subject: Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS

Sergio Yébenes Moreno wrote:
> I think that PKI that comes with freeradius by default are shit

  Feel free to submit fixes. Most people don't have problems with the defaults. Perhaps because they realize that the defaults are for testing, and not for production use.

> (./bootstrap). I had the same problem. If you see the certification
> route in firefox, for example, you will see that client certificate are
> signed by SERVER CERTIFICATE and this by ca certificate.

  Which shouldn't be a problem.

> Probably you
> put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf

  There is no configuration entry called 'ca_cert'.

> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
> --> verify error:num=20:unable to get local issuer certificate
>
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
>
> , and should be server.pem, or make your own ca, that signs clients and
> servers certificates.

  The default configuration works. Perhaps you could try explaining why you think it doesn't, or why it's wrong.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
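The fix described in this reply is to have the client certificate issued by the CA instead of by the server certificate, because the server checks the client's certificate against its CA file and, with no issuer for the client certificate in that file, OpenSSL reports verify error 20 ("unable to get local issuer certificate") and sends the unknown_ca alert seen in the log. The script below is an added example, not code from this thread or from FreeRADIUS: it builds a throwaway PKI with openssl in both shapes (client signed by the server certificate, and client signed directly by the CA) and verifies each client certificate against ca.pem the way the server side does. It assumes an openssl binary on PATH; the names "Demo CA", "Demo RADIUS server", "testuser" and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: rebuild the two
# certificate chains discussed above with throwaway keys and check each client
# certificate against the CA file the way the RADIUS server does. Requires an
# openssl binary on PATH; every name and file below is constructed for the demo.
set -eu

# Issue a certificate: sign CSR $2 with issuer certificate $3 and key $4, write $1.
issue_cert() {
    openssl x509 -req -days 1 -in "$2" -CA "$3" -CAkey "$4" -CAcreateserial \
        -out "$1" >/dev/null 2>&1
}

# Create a key and CSR with subject CN=$1, writing $2.key and $2.csr.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
}

# Build the demo PKI in directory $1:
#   ca.pem                self-signed CA (what ca_cert and the server's CA file point at)
#   server.pem            server certificate issued by the CA
#   client_by_server.pem  client certificate issued by the *server* certificate
#                         (the chain client -> server -> CA reported in the thread)
#   client_by_ca.pem      client certificate issued directly by the CA (the fix)
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    make_csr "Demo RADIUS server" "$dir/server"
    issue_cert "$dir/server.pem" "$dir/server.csr" "$dir/ca.pem" "$dir/ca.key"
    make_csr "testuser" "$dir/client"
    # Broken shape: the server's certificate and key act as the issuer.
    issue_cert "$dir/client_by_server.pem" "$dir/client.csr" "$dir/server.pem" "$dir/server.key"
    # Fixed shape: the CA issues the client certificate directly.
    issue_cert "$dir/client_by_ca.pem" "$dir/client.csr" "$dir/ca.pem" "$dir/ca.key"
}

# Print the issuer of certificate $1: the first thing to look at when a TLS
# peer answers a Certificate message with an unknown_ca alert.
issuer_of() {
    openssl x509 -noout -issuer -in "$1"
}

# Verify leaf certificate $2 against CA file $1 as the server side would.
# Prints "ok" on success, otherwise the OpenSSL verify error number
# (20 = unable to get local issuer certificate, the number in the thread's log).
verify_leaf() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

# Stand-alone demo: build the PKI in a temporary directory and show both results.
demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for leaf in client_by_server client_by_ca; do
    printf '%s: %s -> verify against ca.pem: %s\n' "$leaf" \
        "$(issuer_of "$demo_dir/$leaf.pem")" \
        "$(verify_leaf "$demo_dir/ca.pem" "$demo_dir/$leaf.pem")"
done
rm -rf "$demo_dir"
```

Running it prints the issuer of each client certificate next to the verify result: the server-issued one fails with error 20 because its issuer is the server certificate, which is not in ca.pem, while the CA-issued one verifies. The same `openssl x509 -noout -issuer` check on the real client certificate tells you which shape a raddb/certs Makefile produced before touching the supplicant configuration.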
Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS
Sergio Yébenes Moreno wrote:
> I think that PKI that comes with freeradius by default are shit

  Feel free to submit fixes. Most people don't have problems with the defaults. Perhaps because they realize that the defaults are for testing, and not for production use.

> (./bootstrap). I had the same problem. If you see the certification
> route in firefox, for example, you will see that client certificate are
> signed by SERVER CERTIFICATE and this by ca certificate.

  Which shouldn't be a problem.

> Probably you
> put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf

  There is no configuration entry called 'ca_cert'.

> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
> --> verify error:num=20:unable to get local issuer certificate
>
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
>
> , and should be server.pem, or make your own ca, that signs clients and
> servers certificates.

  The default configuration works. Perhaps you could try explaining why you think it doesn't, or why it's wrong.

  Alan DeKok.
Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS
Gaurav Kansal wrote:
Hi

I am trying to use EAP-TLS between wpa_supplicant and freeradius.

I created the certificates (ca/server/client) as mentioned in freeradius-server-2.0.5/raddb/certs/README.

In freeradius-server-2.0.5/raddb/users, the following line is added at the end:

testuser Cleartext-Password := "password"

On wpa_supplicant-0.5.10, created eapol_test.conf.tls with the following contents:

network={
        eap=TLS
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="testuser"
        ca_cert="/usr/local/etc/raddb/certs/ca.pem"
        client_cert="/usr/local/etc/raddb/certs/[EMAIL PROTECTED]"
        private_key="/usr/local/etc/raddb/certs/client.key"
        private_key_passwd="whatever"
}

Executed wpa_supplicant (eapol_test) with the following command (wpa_supplicant side logs are after the radius logs at the end):

eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1

On executing /usr/local/sbin/radiusd -X, I get the following log and error too:

rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0, length=124
        User-Name = "testuser"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020d017465737475736572
        Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
        EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
        Message-Authenticator = 0x
        State = 0x26767358261a69809cb3876d58ea
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, length=135
        User-Name = "testuser"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x02010006030d
        State = 0x26767358261a69809cb3876d58ea
        Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 32770
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0x2676735827747e1a69809cb3876d58ea
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2, length=236
        User-Name = "testuser"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0202006b0d001603010060015c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca77a38aaea1b9788b532d3400390038003500160013000a00330032002f00660005000400630062006100150012000900650064006000140011000800060003020100
        State = 0x2676735827747e1a69809cb3876d58ea
        Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in Use