Wired EAP-TLS Problems

Unanswered Question
Aug 13th, 2007

I'm trying to set up wired clients to authenticate with EAP-TLS on a Catalyst 2950. I put together a test setup using the configs on my freeRADIUS server, taken from another one which is working with EAP-TLS over wireless. The requests are being passed through to the server but the authentication is still failing. Could anyone give me some advice? Logs and configs are included below.

My current setup is:

FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6

Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin

Laptop - OpenSUSE 10.2

I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)

"select * from nas" (comma separated to make it easier):

id,nasname,shortname,type,ports,secret,community,description

1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL Catalyst 2950

wpa_supplicant.conf on laptop:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0

network={
    key_mgmt=IEEE8021X
    identity="SUSE Laptop"
    eapol_flags=0
    eap=TLS
    ca_cert="/home/evosys/Documents/cacert.pem"
    client_cert="/home/evosys/Documents/suse_cert.pem"
    private_key="/home/evosys/Documents/suse_key.pem"
    private_key_passwd="<password>"
}

Outputs of the radiusd and wpa_supplicant are attached...

scadora Mon, 08/13/2007 - 07:52

Based on this:

TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)

SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA

I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).

Shelly
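A quick way to confirm the mismatch Shelly describes before touching the switch or supplicant config, added here as an example (it is not from the thread): compare the issuer of the RADIUS server certificate with the subject of the CA the supplicant trusts (the file named by ca_cert), then let openssl verify the chain. The demo certificates are constructed in a scratch directory; the names and the "unrelated CA" are assumptions for the demo.

```shell
#!/bin/sh
# check_eap_tls_chain <ca_cert.pem> <server_cert.pem>
# Prints who issued the server cert and which CA the supplicant trusts, then
# returns 0 if the CA verifies the server cert, 1 otherwise (the "unknown CA"
# alert in wpa_supplicant's log means this check would fail on the client).
check_eap_tls_chain() {
    ca="$1"; srv="$2"
    echo "server cert issuer : $(openssl x509 -in "$srv" -noout -issuer)"
    echo "trusted CA subject : $(openssl x509 -in "$ca" -noout -subject)"
    openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1
}

# Constructed demo material (not real certificates): a test CA, a server
# certificate it signs, and an unrelated CA that did not sign it. Prints the
# scratch directory holding the files.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "/CN=Demo RADIUS CA" -days 1 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" \
        -out "$dir/other.pem" -subj "/CN=Unrelated CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/srv.key" \
        -out "$dir/srv.csr" -subj "/CN=radius.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/srv.pem" -days 1 2>/dev/null
    echo "$dir"
}
```

On a real setup, point the check at the file named by ca_cert in wpa_supplicant.conf and at the server certificate from the FreeRADIUS eap/tls configuration; a failing result with a different issuer and subject is the "unknown CA" case from the log.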

Jagdeep Gambhir Mon, 08/13/2007 - 12:56

The link you provided explains PEAP authentication, and you want to set up EAP-TLS?

For TLS you need three certs:

CA
Server cert
Client cert

Regards,

~JG

darren_maden Tue, 08/14/2007 - 01:29

Creating a new CA for testing solved the problem, I've obviously had a mix up somewhere in my certificates.

I've now got EAP-TLS working for wired clients.

Nothing was needed on the switch that isn't in its documentation.
