Cisco Support Community
New Member

Wired EAP-TLS Problems

I'm trying to set up wired clients to authenticate with EAP-TLS on a Catalyst 2950. I put together a test setup using the configs from my freeRADIUS server, taken from another one which is working with EAP-TLS over wireless. The requests are being passed through to the server, but the authentication is still failing. Could anyone give me some advice? Logs and configs are included below...

My current setup is:

FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6

Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin

Laptop - OpenSUSE 10.2

I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)

"select * from nas" (comma separated to make it easier):

id,nasname,shortname,type,ports,secret,community,description
1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL,Catalyst 2950

wpa_supplicant.conf on laptop:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0

network={
    key_mgmt=IEEE8021X
    identity="SUSE Laptop"
    eapol_flags=0
    eap=TLS
    ca_cert="/home/evosys/Documents/cacert.pem"
    client_cert="/home/evosys/Documents/suse_cert.pem"
    private_key="/home/evosys/Documents/suse_key.pem"
    private_key_passwd="<password>"
}

Outputs of the radiusd and wpa_supplicant are attached...

4 REPLIES
Cisco Employee

Re: Wired EAP-TLS Problems

Based on this:

TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)

SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA

I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).

Shelly

Re: Wired EAP-TLS Problems

The link you provided explains PEAP authentication, and you want to set up EAP-TLS?

For TLS you need three certs:

CA
Server cert
Client cert

Regards,

~JG

New Member

Re: Wired EAP-TLS Problems

Creating a new CA for testing solved the problem; I've obviously had a mix-up somewhere in my certificates.

I've now got EAP-TLS working for wired clients.

Nothing was needed on the switch that isn't in its documentation.

Cisco Employee

Re: Wired EAP-TLS Problems

Hi Darren

I am facing the same problem. My setup consists of an Ubuntu box with wpa_supplicant which connects to an SDN controller, which in turn talks to a RADIUS server.

I have generated certificates multiple times but the issue is not resolved. Can you share the steps for generating certs for the server and the client?

-Thanks

Jahangir
