On 05/14/2013 12:01 PM, Mitch Yackobeck wrote:
Good morning John,

I apologize for making myself look like a moron.   The original message
had actually been sent to someone who was helping me to potentially work
through some issues that we were seeing and trying to work out.  I
attempted to modify the message in haste and get some input from the
group, and it appears that I severely bungled that one up.  I've learned
my lesson in humility, as I actually went back and read what I had done
and, like yourself, could not make true heads or tails of that first
paragraph.

The ultimate goal we are trying to achieve here is this: we are
potentially going to be changing our certificate structure in our
classroom networks. We are looking to have a way to have clients that
have not been converted to the new certificate structure as well as
those that have been converted able to authenticate simultaneously using
the same wireless SSID and FreeRADIUS server.   We use Novell eDir for
the backend services on the classroom side with FreeRADIUS
authenticating our wireless users at the root of the tree.  For
authentication purposes we have moved from passing the username and
password via 802.1X on the Novell Client to an EAP-TLS user certificate
installed in the computer certificate store so that the system is
already authenticated to the network prior to a user attempting to log in
and remains connected even after login.

What I was trying to convey is that I've spent some time over the last
couple of weeks upgrading my test environment from an older version of
FreeRADIUS to the latest available.   On that test server, I have both
its test certificates and our production server certificates loaded up
using a single file.  Using the certs specific to the test server,
everything works as expected; when I attempt to use the certs from the
production server, that's when things go a little pear-shaped.  Initially
it appears that the server is able to read the client certificate enough
to recognize that the information is available, but when it requests
further details, it fails to find the CA applicable to the client cert
and bombs out a reject.  See below for a capture of the client
authentication attempt.

I'm wondering if this type of setup is actually possible or if there is
some switch that someone knows of somewhere in the config that perhaps I
have missed.

Any help would be appreciated.

Thank you Mitch, this is much more lucid.

I'll try to help as best I can but you're still making it difficult. We ask for the output of radiusd -X in plain text format for a reason (not edited snippets). Why? Well for starters it contains all sorts of essential information that you've deleted. At the very most basic level what FreeRADIUS version are you using? But it also tells us other things, such as how the server is configured, what files it's reading, etc.

But in any event what you want to accomplish should work. Let me give you some basic information and things to look at.

First of all I notice you're reading your configuration from /usr/local/etc/raddb, some people get confused because /etc/raddb is a common location and they edit the wrong files. Make sure you're editing the files the server is loading.

Also, make sure the location of the cert directory in the config is what you expect and is where you've installed your CA root certs (had the full debug been posted we could have verified this).

Cert verification may involve a chain of CA certs, each of which must validate, until a trusted root is reached. Every CA cert in the chain must be available, either because the client passes it or because you've installed it. Therefore it would be good to verify whether the client cert issuer is the only cert necessary or not and if not have you installed the intermediaries. But since you said you were able to manually verify the client cert via the openssl command line tool that's probably not the issue. But did you verify you've configured FreeRADIUS to use the same CA as the command line tool?

OpenSSL has two basic ways it can access multiple CA certs, you either concatenate them in a "bundle" file and set the CA_file to that, or you set the CA_path and OpenSSL will look for certs in the directory. Sounds like you decided to populate the CA_path with individual certs. Do they have file extensions? Did you set the CA_path variable correctly? (the debug log would have helped answer this).

It's a shame the cbtls_verify function in rlm_eap_tls.c does not print the certificate (via X509_print_ex()) when verification fails, being able to see the contents of the cert can be immensely helpful.

Looking at your error messages my best guess is that OpenSSL cannot locate one or more of the issuer certs, the most likely cause of this is misconfiguration of either the CA_file or CA_path variable, or the contents found at those locations. See the man page for SSL_CTX_load_verify_locations for details on what OpenSSL expects and confirm your FreeRADIUS config matches it (also verify in the debug output the server is loading what you expect it to load and not something else).


--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
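The chain and CA_file/CA_path points John makes above can be checked on the command line before touching the FreeRADIUS config. The script below is an added example, not code from the FreeRADIUS project or from either poster: it builds a throwaway two-level CA (root -> intermediate -> client certificate, all constructed test material) and then runs `openssl verify` under the same conditions FreeRADIUS's `CA_file` and `CA_path` settings in the eap.conf `tls` section create for OpenSSL. It assumes the `openssl` CLI (1.1.0 or newer, for `-no-CAfile`/`-no-CApath`) is on PATH; the file names, subject names and the `student01` CN are made up for the example.

```shell
#!/bin/sh
# Added example, not code from FreeRADIUS or from the list post above.
# Builds root -> intermediate -> client, then runs "openssl verify" five ways
# to show (1) why a missing intermediate gives "unable to get local issuer
# certificate" and (2) what a CA_file bundle and a CA_path directory must
# look like for OpenSSL to find the issuer certs.
# Assumes: openssl CLI 1.1.0+ on PATH. All certs are constructed test data.
set -e

# Generate an EC key and CSR for file stem $1 with CN=$2 in directory $3.
gen_key_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$3/$1.key"
    openssl req -new -key "$3/$1.key" -out "$3/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Build root.pem, int.pem and client.pem under directory $1.
# The intermediate gets CA:TRUE explicitly; without basicConstraints a
# non-self-signed cert is not accepted as an issuer by OpenSSL.
make_chain() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"

    gen_key_csr root "Example Root CA" "$d"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    gen_key_csr int "Example Issuing CA" "$d"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    gen_key_csr client "student01" "$d"
    openssl x509 -req -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -extfile "$d/client.ext" -out "$d/client.pem" 2>/dev/null
}

# Verify $1/client.pem with the remaining arguments passed to openssl verify;
# prints OK or FAIL. -no-CAfile/-no-CApath keep the system trust store out,
# so only what we pass in (the equivalent of CA_file / CA_path) counts.
verify_client() {
    d=$1; shift
    if openssl verify -no-CAfile -no-CApath "$@" "$d/client.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Populate a CA_path-style directory $2 from $1/root.pem and $1/int.pem the
# way OpenSSL expects: one file per cert named <subject hash>.<n>.
# (c_rehash / "openssl rehash" produce the same layout as symlinks.)
hash_dir() {
    mkdir -p "$2"
    for c in root.pem int.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$1/$c")
        cp "$1/$c" "$2/$h.0"
    done
}

demo() {
    w=$(mktemp -d)
    make_chain "$w"
    cat "$w/root.pem" "$w/int.pem" > "$w/bundle.pem"   # CA_file-style bundle
    mkdir "$w/unhashed"; cp "$w/root.pem" "$w/int.pem" "$w/unhashed/"
    hash_dir "$w" "$w/hashed"

    echo "root only, intermediate not installed:     $(verify_client "$w" -CAfile "$w/root.pem")"
    echo "root trusted, intermediate sent by peer:   $(verify_client "$w" -CAfile "$w/root.pem" -untrusted "$w/int.pem")"
    echo "CA_file bundle (root + intermediate):      $(verify_client "$w" -CAfile "$w/bundle.pem")"
    echo "CA_path with plain .pem file names:        $(verify_client "$w" -CApath "$w/unhashed")"
    echo "CA_path with <hash>.0 file names:          $(verify_client "$w" -CApath "$w/hashed")"
    rm -rf "$w"
}

demo
```

The first and fourth cases reproduce the failure mode described in the thread: the client cert itself is readable, but OpenSSL cannot locate its issuer, either because the intermediate is not installed anywhere or because `CA_path` points at a directory whose files are not named by subject hash. The `-untrusted` case models a supplicant that sends the intermediate along with its own cert, which is why the same deployment can work for some clients and not others.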
