Hello,

I've just subscribed to the list, so pardon me if this was covered... we are using FreeRadius to authenticate PEAP over Cisco Aironets with Windows XP. We can only get it working if we tell XP to ignore the cert that comes from radius - ie uncheck that "Validate Server Certificate" box. Mac OS-X seems to work fine...

Are you ignoring the cert, or do you have it working?

Thanks,
Dan.


Dudley Atkinson wrote:

So the problem is solved, but I wanted to post so that the next unfortunate
that happens along with this problem has some point of reference.

The "unknown_ca" error and the related "unknown certificate" error I got
later with a reconfiguration were both stemming from the same problem.  In
Windows XP when PEAP is setup, there is a box for stating the domain of the
user.  When I had the domain in that box, I got the error.  By leaving the
box blank, the error resolved and PEAP authenticated successfully.

I will post again when I have more information as to why this is so.

-atkinson



-----Original Message-----
From: Dudley Atkinson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 12:11 AM
To: '[email protected]'
Subject: RE: PEAP and "fatal unknown_ca"



I have done a lot of checking. Could someone look over my shoulder and see what might be wrong?


Here is some data.

-------- from eap.conf ----------
tls {
private_key_password = naismc-pwd
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
#CA_path = ${raddbdir}/certs/demoCA
CA_file = ${raddbdir}/certs/root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
# fragment_size = 1024
# include_length = yes
# check_crl = yes
# check_cert_cn = %{User-Name}
}


------- some openssl commands:
[EMAIL PROTECTED]:/etc/raddb/certs# openssl verify -CAfile /etc/raddb/certs/root.pem /etc/raddb/certs/root.pem
/etc/raddb/certs/root.pem: OK

[EMAIL PROTECTED]:/etc/raddb/certs# openssl verify -CAfile /etc/raddb/certs/root.pem /etc/raddb/certs/cert-srv.pem
/etc/raddb/certs/cert-srv.pem: /C=US/ST=mystate/L=mytown/O=company/OU=hostname/CN=Server Root Certificate/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate


-----------------------------

I'm wondering if this "error 20 at 0 depth lookup" that occurs when I attempt to verify my certificate is related to the problem of the "unknown_ca" seen when I attempt PEAP from the aironet?

These certs were made with the certs.sh script shipped with Freeradius, and the certs.sh ran with a minor modification. Do I need to install the root.pem in the openssl configuration somewhere so that it recognizes it or finds it as a CA?

Thanks!
atkinson







-----Original Message-----
From: Dudley Atkinson [mailto:[EMAIL PROTECTED]
Sent: Monday, February 07, 2005 7:38 AM
To: '[email protected]'
Subject: RE: PEAP and "fatal unknown_ca"


I thought that was true. And I did that, with no change.

So it must be something in Freeradius/Certs. Hopefully I will discover the little discrepancy that is keeping this from working for me.

Does it matter that it is Solaris 2.8? I am running Openssl 0.9.7e, and the latest Freeradius release.

-atkinson



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Øystein Gåsdal
Sent: Monday, February 07, 2005 1:57 AM
To: '[email protected]'
Subject: RE: PEAP and "fatal unknown_ca"

The easiest way to find out if it's the server there is something wrong with is to just turn off "validate server certificate" under the 802.1x settings in Windows XP. If you are running PEAP, you don't need certificates on the client, just on the server.

- Øystein




-----Original Message-----
From: Dudley Atkinson [mailto:[EMAIL PROTECTED]
Sent: 7. februar 2005 06:44
To: [email protected]
Subject: RE: PEAP and "fatal unknown_ca"

Thank you for the ideas.

I think that I have the right root.pem file in my config. I will double-check that things match, but I've checked it many times already.

Is there any way to use openssl to inspect the root.pem? Or cacert.pem? What commands can I enter to check that it is a valid pem file containing the CA certificate?

Also, when I made the certs with the CA.all script, I got both a demoCA/cacert.pem and a root.pem file as a result. I've tried using both for the root certificate in freeradius, and neither seems to work right. Which is THE right one to use? The examples and config templates made me think cacert.pem was right.

And I did go and install the certificate in XP, with no change in behavior. The error looks like something on the Freeradius side? Or is this error reflecting a problem on the XP side?

rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1

I've followed the recipes and I'm still not savvy enough to know the way out....

-atkinson




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Artur Hecker
Sent: Sunday, February 06, 2005 6:12 PM
To: [email protected]
Subject: Re: PEAP and "fatal unknown_ca"

hi

Dudley Atkinson wrote:

I have followed the instructions for creating self-signed server certificates, and I think I have the config files and certs aligned. But I must have something wrong, because when my supplicant (Aironet 1200) gets a request for PEAP from a Windows XP system, the radiusd debug shows "fatal unknown_ca" when in the last phase of the PEAP authentication.

hmmm, sorry to be a nitpicker - but the supplicant _is_ windows XP. i suppose, the aironet 1200 is an access point, so it would be an authenticator then.

Is there some little gotcha I'm missing?

Is the setup for PEAP different than EAP/TLS?

Do I have to install something on the client (I thought not, since it is PEAP).

i personally think that the root.pem file which your radiusd is using does not contain a correct certificate of the used CA.

make sure:

- this file exists and is configured as such in the eap.conf / radiusd.conf
- freeradius finds and reads this file (file permissions, paths, etc.)
- this file and its content are valid (i.e. it's a valid pem file containing the CA certificate).

the used CA has to be known to the server at the moment when it starts TLS communications.

btw it is the same for the supplicant (your Windows XP) - i would suggest that you install the certificate. Windows used to kindly propose the installation of a new (unknown) CA certificate but i'm not quite sure it still works as expected and it definitely depends on a lot of other parameters. so just preinstall it locally.

ciao
artur




All help is appreciated; debug follows.

Thanks!
Atkinson

rad_recv: Access-Request packet from host 10.0.1.3:21645, id=151, length=180
User-Name = "atkinsondu"
Framed-MTU = 1400
Called-Station-Id = "000f.9060.c140"
Calling-Station-Id = "0040.96a2.8ef1"
Cisco-AVPair = "ssid=eap-only"
Service-Type = Login-User
Message-Authenticator = 0xb7c8fd67a6fa635c21df964a0cbd2af5
EAP-Message = 0x020300061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "369"
NAS-Port = 369
State = 0x21f31e4903806b3d170350fcd4a4a82a
NAS-IP-Address = 10.0.1.3
NAS-Identifier = "wifi-ap1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 2
rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall: entering group group for request 2
rlm_dbm: try open database file: /opt/local/etc/raddb/database/users
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add atkinsondu to user list
rlm_dbm: User <atkinsondu> not foud in database
Remove atkinsondu from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User <DEFAULT> not foud in database
Remove DEFAULT from user list
modcall[authorize]: module "dbm" returns notfound for request 2
modcall: group group returns notfound for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 151 to 10.0.1.3:21645
EAP-Message = 0x010403cc19005553311230100603550408130954656e6e657373656531123010060355040713094f616b205269646765310d300b060355040a130453414943310f300d060355040b13064e4149534d43311830160603550403130f4e41535652313820526f6f74204341311a301806092a864886f70d010901160b746d68406e61737672313830819f300d06092a864886f70d010101050003818d0030818902818100f53d6206d775bd27ecc7f41358590f88eba0114424ccfe8c75a1735668a6506934cb4d1bae177cb9d130ce0b203d21ef9f5ff1eba850e6f1b80fa9b5162975f00e4ac2fc4b0b0fe2ae8a6bef2a2651abc1ede8e72cad24e2210e
EAP-Message = 0xee6b46998af153a26274412e8e63816ecaa5bc997bf18ffaef66d42b98c0deb6f4db1ba0b0150203010001a381f33081f0301d0603551d0e04160414552260d6dd4cebade9a0adacf4733abee5640ca33081c00603551d230481b83081b58014552260d6dd4cebade9a0adacf4733abee5640ca3a18191a4818e30818b310b3009060355040613025553311230100603550408130954656e6e657373656531123010060355040713094f616b205269646765310d300b060355040a130453414943310f300d060355040b13064e4149534d43311830160603550403130f4e41535652313820526f6f74204341311a301806092a864886f70d010901160b
EAP-Message = 0x746d68406e617376723138820900aa339d443f523340300c0603551d13040530030101ff300d06092a864886f70d010104050003818100bd318788d5775b1446536c2cabe5031b72131346177a421c930f4ffbf36ba1d516789335f29e984575ab736f350adecf1e437fc5f2a4b3be0a036c90abc5ac4689237bafc1cf0130ede334bacec4689fbacd52cb8f7c6412efa28c96827164ce8f6dcbb4d8d09c19e8fdc71cad56d2d665e02c6dfdaab49b83fdc2de3d6e474c160301010d0c0001090040d3706dbd315a1e6c6d31d7360a14069120fd6cd0de306332ac00d88280dbd81175f1462cee6e4c0e58aa60e0190906edbf214e2bb7024043da0b66
EAP-Message = 0xba7b8c5dc300010500404e9adcd06469e95f46852f53d7befb50802a71644dd633a501f6b482f01857af8a6de4056b27b1a9cbc8c9fc42a67354f698201690fd1d8bb8b58d415690d0c70080d7c0706283d95cd56c5448bc3450fc6cbc7b63366fee4fbe37b5346453c42c2aa3eb857afea3ba215cecfaa471487fe7363549984a4b850b7e80601daa5c23e1baaaf727964cca749eb0c140d7e0967915c072c264ed51930825ab6020d45562b1c2e947933ef885759c0ac83611621d6c0b31c0f9cc885fb587317227c972eb16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x36cdeb1e4af1060e78512ffdc9c31264
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
User-Name = "atkinsondu"
Framed-MTU = 1400
Called-Station-Id = "000f.9060.c140"
Calling-Station-Id = "0040.96a2.8ef1"
Cisco-AVPair = "ssid=eap-only"
Service-Type = Login-User
Message-Authenticator = 0xfeb6cd762306cd1a886420d036082cc8
EAP-Message = 0x0204001119800000000715030100020230
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "369"
NAS-Port = 369
State = 0x36cdeb1e4af1060e78512ffdc9c31264
NAS-IP-Address = 10.0.1.3
NAS-Identifier = "wifi-ap1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 3
rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 4 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: entering group group for request 3
rlm_dbm: try open database file: /opt/local/etc/raddb/database/users
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add atkinsondu to user list
rlm_dbm: User <atkinsondu> not foud in database
Remove atkinsondu from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User <DEFAULT> not foud in database
Remove DEFAULT from user list
modcall[authorize]: module "dbm" returns notfound for request 3
modcall: group group returns notfound for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
24317:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 3
modcall: group authenticate returns reject for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
Sending Access-Reject of id 152 to 10.0.1.3:21645


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- ___________________________________________________________
Artur Hecker
http://www.enst.fr/~hecker
ENST Paris ________________________________________________