Mikhail Gaidamaka
2015-08-05 03:11:32 UTC
Good day
We use FreeRADIUS 2.1.10 to authorize wi-fi clients.
Step 1: many client devices check the server certificate, so we have a
Comodo EssentialSSL certificate for the server.
Its certificate chain:
- radius_eltex_nsk_ru.crt
- http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
- http://crt.comodoca.com/COMODORSAAddTrustCA.crt
- AddTrust External CA Root
EAP-PEAP-mschapv2 works well with this certificate.
Step 2: we want to authorize clients with EAP-TLS
We created a self-signed CA (/etc/ssl/eltex/eltex-ca.crt) and some client
certs (maria.crt, for example).
eap.conf has these parameters:
eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
        md5 {
        }
        leap {
        }
        gtc {
                #challenge = "Password: "
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = /etc/ssl/eltex
                private_key_password = 123456
                private_key_file = ${certdir}/radius.eltex.nsk.ru.key
                certificate_file = ${certdir}/radius_eltex_nsk_ru.crt
                CA_file = ${cadir}/eltex-ca.crt \
                          ${certdir}/COMODORSADomainValidationSecureServerCA.crt \
                          ${certdir}/COMODORSAAddTrustCA.crt \
                          ${certdir}/AddTrustExternalCARoot.crt
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                # fragment_size = 1024
                # include_length = yes
                # check_crl = yes
                CA_path = ${certdir}
                # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
                # check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
                cache {
                        enable = no
                        lifetime = 24 # hours
                        max_entries = 255
                }
                verify {
                        tmpdir = /tmp/radiusd
                        client = "/usr/bin/openssl verify -CApath ${..cadir} %{TLS-Client-Cert-Filename}"
                }
        }
}
'cadir' contains only eltex-ca.crt and eltex-ca.key.
And now we can't authorize with EAP-TLS.
The client's device sends 'alert unknown ca' (which CA, server or client, I
can't tell).
It was OK when the server and client certificates were both signed by eltex-ca.
I get this error in /var/log/syslog:
wpa_supplicant[926]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/OU=Domain Control Validated/OU=EssentialSSL/CN=radius.eltex.nsk.ru'
wpa_supplicant[926]: OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I tried to install all my server certs into the system:
# sudo update-ca-certificates
4 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updating keystore /etc/ssl/certs/java/cacerts...
added: /etc/ssl/certs/AddTrustExternalCARoot.pem
added: /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.pem
added: /etc/ssl/certs/radius_eltex_nsk_ru.pem
added: /etc/ssl/certs/COMODORSAAddTrustCA.pem
done.
done.
But it is still not authorized, with the same error.
Can we use server and client certificates signed by different CAs on one
server?
-
List info/subscribe/unsubscribe? See http://www.freera
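The wpa_supplicant line in the post is OpenSSL verify error 20 at depth 0: the client could not find the issuer of the server certificate among what it trusts plus what the server sent. The following shell example is added here and is not from the post; it builds a constructed root/intermediate/server chain with made-up names and assumes only that the openssl CLI is installed. It reproduces that error with a root-only trust store and then shows the same server certificate verifying once the intermediate is available.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce OpenSSL's
# "unable to get local issuer certificate" (error 20) with a constructed
# root -> intermediate -> server chain, then show that the same server
# certificate verifies once the intermediate is supplied. All subject
# names here (Test Root, Test Intermediate, radius.example.test) are made up.
set -u
PKI_DIR=$(mktemp -d)

# Build a throwaway three-level PKI: self-signed root, intermediate CA
# signed by the root, and a server certificate signed by the intermediate.
make_test_pki() {
    cd "$PKI_DIR" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root' \
        -keyout root.key -out root.pem >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout int.key -out int.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out int.pem >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=radius.example.test' \
        -keyout srv.key -out srv.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in srv.csr -CA int.pem -CAkey int.key \
        -CAcreateserial -out srv.pem >/dev/null 2>&1 || return 1
}

# A client that trusts only the root and is never handed the intermediate
# cannot build the chain: this is the "error 20 ... depth 0" case.
verify_root_only() {
    openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/srv.pem" 2>&1
}

# The same server certificate verifies when the intermediate is available,
# either as an untrusted chain certificate sent by the server ...
verify_with_intermediate() {
    openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/int.pem" \
        "$PKI_DIR/srv.pem" 2>&1
}

# ... or bundled into the trusted CA file together with the root.
verify_with_bundle() {
    cat "$PKI_DIR/root.pem" "$PKI_DIR/int.pem" > "$PKI_DIR/bundle.pem"
    openssl verify -CAfile "$PKI_DIR/bundle.pem" "$PKI_DIR/srv.pem" 2>&1
}

make_test_pki
```

Run the three verify functions in turn: the first prints the error 20 message and exits non-zero, the other two print OK.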