Hi,
I'm having an issue with FreeRADIUS 3.2.3 and the EAP module.
It doesn't take into account my private PKI.
I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work.
I have no issues with FreeRADIUS 3.0.x
My server is running RHEL 8 and my OpenSSL version is 1.1.1k.
mods-enabled/eap:

eap {
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	md5 {
	}

	gtc {
		auth_type = PAP
	}

	tls-config tls-common {
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem

		# chain.pem = rootca.pem + subca.pem; ${cadir} also holds the
		# <subject_hash>.0 links (see the listing below)
		ca_file = ${cadir}/chain.pem
		ca_path = ${cadir}

		# "no" is the only value with which EAP-TLS succeeds here;
		# the debug output below was taken with "yes"
		reject_unknown_intermediate_ca = no

		cipher_list = "DEFAULT"
		cipher_server_preference = no
		tls_min_version = "1.2"
		tls_max_version = "1.2"
		ecdh_curve = ""

		cache {
			enable = no
			store {
				Tunnel-Private-Group-Id
			}
		}

		verify {
		}

		ocsp {
			enable = yes
			override_cert_url = no
			url = "http://127.0.0.1/ocsp/"
		}
	}

	tls {
		tls = tls-common
	}

	ttls {
		tls = tls-common
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

	peap {
		tls = tls-common
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
$ ls -l certs
total 32
lrwxrwxrwx. 1 root root 17 Jan 23 12:17 3377b39c.0 -> subca.pem
lrwxrwxrwx. 1 root root 18 Jan 23 12:17 72f73b82.0 -> rootca.pem
-rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem
-rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem
-rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem
-rw-r-----. 1 root radiusd 1704 Jan 23 10:18 server.key
-rw-r-----. 1 root radiusd 8567 Jan 23 10:18 server.pem
Debug output (with reject_unknown_intermediate_ca = yes):
[...]
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /CN=SubCA
(TLS) untrusted certificate with depth [0] subject name /CN=device
tls: There are untrusted certificates in the certificate chain. Rejecting.
(10) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error
(10) eap_tls: ERROR: (TLS) Alert write:fatal:internal error
(10) eap_tls: ERROR: (TLS) Server : Error in error
(10) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
(10) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(10) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(10) eap_tls: ERROR: [eaptls process] = fail
(10) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(10) eap: Sending EAP Failure (code 4) ID 26 length 4
(10) eap: Failed in EAP select
(10) [eap] = invalid
(10) } # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
[...]
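The debug output above says the SubCA presented by the supplicant is "untrusted" even though subca.pem is in both ca_file and ca_path. Before blaming the server-side check, it is worth confirming that OpenSSL itself can build the chain from exactly the files the tls-common block points at. The script below is an added example, not code from the issue or from the FreeRADIUS project: it builds a throwaway private PKI with the same shape (RootCA, SubCA, a device cert; these names and all key material are constructed here to match the debug output), creates the same c_rehash-style <subject_hash>.0 links, and then runs three verifications with the openssl CLI: against ca_file (chain.pem), against ca_path (hash links), and with the intermediate supplied only as an untrusted cert, which is what happens when the client sends its chain during the EAP-TLS handshake. A fourth check, root-only with no intermediate anywhere, is expected to fail and shows why the intermediate has to come from one of those places. It assumes an openssl CLI of 1.1.1 or newer (for -no-CAfile/-no-CApath) and does not exercise FreeRADIUS's own reject_unknown_intermediate_ca logic, which runs in the server's verify callback on top of what OpenSSL accepts.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): rebuild the issue's trust-store layout
# with a constructed PKI and check it the way OpenSSL's chain builder does.
set -eu

# build_pki DIR: RootCA -> SubCA -> device, plus chain.pem and hash links,
# all written to DIR. Names mirror the debug output; everything is throwaway.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        # Self-contained req config so no system openssl.cnf is needed.
        cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[device_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
        for n in rootca subca device; do
            openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
        done
        # Self-signed root (-subj overrides the placeholder CN).
        openssl req -x509 -new -sha256 -config req.cnf -extensions ca_ext \
            -subj /CN=RootCA -key rootca.key -days 3650 -out rootca.pem 2>/dev/null
        # Intermediate signed by the root.
        openssl req -new -config req.cnf -subj /CN=SubCA -key subca.key -out subca.csr 2>/dev/null
        openssl x509 -req -sha256 -in subca.csr -CA rootca.pem -CAkey rootca.key \
            -CAcreateserial -days 1825 -extfile req.cnf -extensions ca_ext -out subca.pem 2>/dev/null
        # EAP-TLS client cert signed by the intermediate.
        openssl req -new -config req.cnf -subj /CN=device -key device.key -out device.csr 2>/dev/null
        openssl x509 -req -sha256 -in device.csr -CA subca.pem -CAkey subca.key \
            -CAcreateserial -days 365 -extfile req.cnf -extensions device_ext -out device.pem 2>/dev/null
        # What the issue's ca_file and ca_path contain.
        cat rootca.pem subca.pem > chain.pem
        for f in rootca.pem subca.pem; do
            ln -sf "$f" "$(openssl x509 -noout -subject_hash -in "$f").0"
        done
    )
}

# hash_link_ok DIR FILE: the <subject_hash>.0 link for FILE exists and resolves.
hash_link_ok() {
    h="$(openssl x509 -noout -subject_hash -in "$1/$2")"
    [ -L "$1/$h.0" ] && [ -e "$1/$h.0" ]
}

# Server's view, ca_file only: intermediate must be found in chain.pem.
verify_with_cafile() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/chain.pem" "$1/device.pem" >/dev/null 2>&1
}

# Server's view, ca_path only: intermediate must be found via the hash link.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$1/device.pem" >/dev/null 2>&1
}

# Handshake view: trust store holds only the root, the client sends the
# intermediate. -untrusted is OpenSSL's model of a client-supplied chain.
verify_client_supplied() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/rootca.pem" \
        -untrusted "$1/subca.pem" "$1/device.pem" >/dev/null 2>&1
}

# Root only and no intermediate anywhere: expected to fail with
# "unable to get local issuer certificate".
verify_root_only() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/rootca.pem" "$1/device.pem" >/dev/null 2>&1
}

main() {
    d="$(mktemp -d)"
    build_pki "$d"
    hash_link_ok "$d" subca.pem       && echo "ca_path hash link for SubCA: OK"
    verify_with_cafile "$d"           && echo "ca_file (chain.pem):          OK"
    verify_with_capath "$d"           && echo "ca_path (hash links):         OK"
    verify_client_supplied "$d"       && echo "root trusted + SubCA from client: OK"
    if verify_root_only "$d"; then
        echo "root only, no intermediate: unexpectedly OK"
    else
        echo "root only, no intermediate: rejected, as expected"
    fi
    rm -rf "$d"
}

main
```

If the first three checks pass on the real certs directory (point the verify functions at it instead of the constructed one), OpenSSL is happy with the trust store and the rejection comes from the server's own intermediate-CA policy rather than from a missing or mis-hashed file; if ca_path fails while ca_file passes, the hash links are the problem and `c_rehash` (or `openssl rehash`) on that directory is the first thing to redo.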