Wired EAP-TLS Problems

darren_maden
Level 1

I'm trying to set up wired clients to authenticate with EAP-TLS on a Catalyst 2950. I put together a test setup using the configs on my freeRADIUS server, taken from another which is working with EAP-TLS over wireless. The requests are being passed through to the server, but the authentication is still failing. Could anyone give me some advice? Logs and configs are included below...

My current setup is:

FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6

Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin

Laptop - OpenSUSE 10.2

I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)

"select * from nas" (comma separated to make it easier):

id,nasname,shortname,type,ports,secret,community,description
1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL,Catalyst 2950

wpa_supplicant.conf on laptop:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0

network={
    key_mgmt=IEEE8021X
    identity="SUSE Laptop"
    eapol_flags=0
    eap=TLS
    ca_cert="/home/evosys/Documents/cacert.pem"
    client_cert="/home/evosys/Documents/suse_cert.pem"
    private_key="/home/evosys/Documents/suse_key.pem"
    private_key_passwd="<password>"
}

Outputs of the radiusd and wpa_supplicant are attached...

4 Replies

scadora
Cisco Employee

Based on this:

TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)

SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA

I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).

Shelly

The link you provided explains PEAP authentication, and you want to set up EAP-TLS?

For TLS you need three certs:

CA
Server cert
Client cert

Regards,

~JG

Creating a new CA for testing solved the problem, I've obviously had a mix up somewhere in my certificates.

I've now got EAP-TLS working for wired clients.

Nothing was needed on the switch that isn't in its documentation.

Hi Darren

I am facing the same problem. My setup consists of an Ubuntu box with wpa_supplicant which connects to an SDN controller, which in turn talks to the RADIUS server.

I have generated certificates multiple times but the issue is not resolved. Can you share the steps of generating certs for the server and the client?

-Thanks

Jahangir
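As an added example, not code from any post in this thread: the three certificates JG lists (CA, server cert, client cert) built with openssl in a temporary directory, followed by the chain check that produces the supplicant's "error 19 (self signed certificate in certificate chain) ... unknown CA" message scadora quotes. The names (labca, otherca, radius, laptop) and the temporary directory are constructed for the demo; in the thread's wpa_supplicant.conf, ca_cert would point at the CA cert and client_cert/private_key at the laptop cert and key.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Builds a throwaway
# three-certificate PKI (CA, RADIUS server cert, supplicant client cert) with
# openssl, then runs the chain check behind wpa_supplicant's
# "error 19 (self signed certificate in certificate chain) ... unknown CA".
# Names (labca, otherca, radius, laptop) and the temp directory are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate; the cert is what goes in ca_cert=
make_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME EKU: leaf key + CSR, signed by CA with the given extendedKeyUsage
issue_cert() {
  cat > "$WORK/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = $3
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$2.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$2.cnf" -extensions leaf \
    -out "$WORK/$2.pem" 2>/dev/null
}

# verify_chain TRUSTED PRESENTED LEAF: TRUSTED plays the supplicant's ca_cert,
# PRESENTED the CA cert the server sends along in its chain. Prints ok or fail;
# openssl's reason (e.g. error 19) goes to stderr.
verify_chain() {
  if msg=$(openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" "$WORK/$3.pem" 2>&1); then
    echo ok
  else
    echo fail
    printf '%s\n' "$msg" >&2
  fi
}

make_ca labca                        # the CA that should sign both leaves
issue_cert labca radius serverAuth   # server cert for freeRADIUS eap.conf
issue_cert labca laptop clientAuth   # client_cert= / private_key= on the laptop
make_ca otherca                      # an unrelated CA: a mixed-up cacert.pem

verify_chain labca labca radius      # ok: ca_cert matches the signer
verify_chain labca labca laptop      # ok: client cert from the same CA
verify_chain otherca labca radius    # fail: self-signed CA in chain is untrusted (error 19)
```

The last call is the thread's situation: the server presents a chain ending in a self-signed CA that the supplicant's ca_cert does not contain, so verification stops with error 19 and the supplicant sends the "unknown CA" alert. Replacing the trusted file with the real signer (or, as darren did, regenerating all three certificates from one fresh CA) makes the same check return ok.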
