Hi List,

I've successfully set up the following scenario:

- Windows CA (Root-CA and Sub-CA)
- Cisco WLAN Controller + APs
- Windows 7 Domain Clients (+ Computer Certificates)
- EAP-TLS Auth with certificates


I created a small script to fetch the CRL from the CA and have it converted to PEM format:

-- snip --

#!/bin/bash
# Fetch the CRL published by the Windows CA (DER) and convert it to PEM for FreeRADIUS.

ID=$$
TMP="/tmp/CA.$ID.crl"

# -q: quiet; wget exits non-zero if the download fails, so only then do we replace the CRL
wget -q "http://ca.host.name/CA.crl" -O "$TMP"

if [ $? -eq 0 ]
then
        # Windows CAs publish the CRL in DER; OpenSSL/FreeRADIUS want PEM in the cert dir
        openssl crl -in "$TMP" -inform DER -out /etc/raddb/certs/crl.pem -outform PEM
        rm -f "$TMP"
        # Rebuild the hash symlinks so CA_path lookups find the new CRL
        c_rehash /etc/raddb/certs/ > /dev/null
fi

-- snip --

c_rehash seems to work since I have the symlinks in /etc/raddb/certs/.


The relevant parameters in eap.conf are set:

check_crl = yes
CA_path = ${certdir}/


However, as long as check_crl is set to 'yes', the following happens when a client tries to connect:

Tue Mar  8 13:09:48 2011 : Info: Found Auth-Type = EAP
Tue Mar  8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Tue Mar  8 13:09:48 2011 : Info: +- entering group authenticate {...}
Tue Mar  8 13:09:48 2011 : Info: [eap] Request found, released from the list
Tue Mar  8 13:09:48 2011 : Info: [eap] EAP/tls
Tue Mar  8 13:09:48 2011 : Info: [eap] processing type tls
Tue Mar  8 13:09:48 2011 : Info: [tls] Authenticate
Tue Mar  8 13:09:48 2011 : Info: [tls] processing EAP-TLS
Tue Mar  8 13:09:48 2011 : Info: [tls] eaptls_verify returned 7
Tue Mar  8 13:09:48 2011 : Info: [tls] Done initial handshake
Tue Mar  8 13:09:48 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0a35], Certificate
Tue Mar  8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension
Tue Mar  8 13:09:48 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
Tue Mar  8 13:09:48 2011 : Error: TLS Alert write:fatal:certificate unknown
Tue Mar  8 13:09:48 2011 : Error: TLS_accept: error in SSLv3 read client certificate B
Tue Mar  8 13:09:48 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Mar  8 13:09:48 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Tue Mar  8 13:09:48 2011 : Debug: TLS receive handshake failed during operation
Tue Mar  8 13:09:48 2011 : Info: [tls] eaptls_process returned 4
Tue Mar  8 13:09:48 2011 : Info: [eap] Handler failed in EAP/tls
Tue Mar  8 13:09:48 2011 : Info: [eap] Failed in EAP select
Tue Mar  8 13:09:48 2011 : Info: ++[eap] returns invalid
Tue Mar  8 13:09:48 2011 : Info: Failed to authenticate the user.
Tue Mar  8 13:09:48 2011 : Auth: Login incorrect (unhandled critical CRL extension): [host/CLIENT123.domain/<via Auth-Type = EAP>] (from client WLAN-TEST port 1 cli 00-24-d7-8a-53-cc)
Tue Mar  8 13:09:48 2011 : Info: Using Post-Auth-Type Reject
Tue Mar  8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Tue Mar  8 13:09:48 2011 : Info: +- entering group REJECT {...}
Tue Mar  8 13:09:48 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> host/CLIENT123.domain
Tue Mar  8 13:09:48 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11
Tue Mar  8 13:09:48 2011 : Info: ++[attr_filter.access_reject] returns updated
Tue Mar  8 13:09:48 2011 : Info: Delaying reject of request 15 for 1 seconds
Tue Mar  8 13:09:48 2011 : Debug: Going to the next request
Tue Mar  8 13:09:48 2011 : Debug: Waking up in 0.9 seconds.
Tue Mar  8 13:09:49 2011 : Info: Sending delayed reject for request 15
Sending Access-Reject of id 228 to 10.70.11.15 port 32768
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000

When I disable CRL checks, everything works fine again.

Does anybody have any experience with implementing Windows-based CRLs in FreeRADIUS?

The RADIUS version is:

radiusd: FreeRADIUS Version 2.1.10, for host i686-suse-linux-gnu, built on Mar 5 2011 at 17:06:42

running on SLES 11 (compiled from source as RPM package)

Any kind of advice would be appreciated!


--
Mit freundlichen Grüßen/With Kind Regards
  Rudolph Bott
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
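As an added example (not part of the post above), a stdlib-only Python check that lists the extensions of a DER-encoded CRL with their critical flags, so a fetch script can spot a critical extension the local OpenSSL may not handle before installing the CRL. The sample CRL is constructed inline, and the set of "handled" OIDs is an assumption the operator supplies for their own OpenSSL build.

```python
# Added example: walk CertificateList.tbsCertList.crlExtensions of a DER CRL and
# report which extensions are marked critical (the condition behind verify error 36).
def tlv(der, pos=0):
    """Decode one DER TLV at pos -> (tag, content, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        yield tag, val

def decode_oid(raw):
    """Dotted string from OID content octets (base-128 arcs, high bit = continue)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def crl_extensions(crl_der):
    """Return [(oid, critical)] from CertificateList.tbsCertList.crlExtensions."""
    _, tbs, _ = tlv(tlv(crl_der)[1])          # outer SEQUENCE, then tbsCertList
    found = []
    for tag, val in children(tbs):
        if tag == 0xA0:                       # [0] EXPLICIT Extensions
            for _, ext in children(tlv(val)[1]):
                fields = list(children(ext))  # extnID, optional critical BOOLEAN, extnValue
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                found.append((decode_oid(fields[0][1]), critical))
    return found

def unhandled_critical(crl_der, handled_oids):  # handled_oids: operator-supplied assumption
    return [o for o, crit in crl_extensions(crl_der) if crit and o not in handled_oids]

def der(tag, content):  # tiny DER encoder (content < 256 bytes), used only to build the sample
    length = bytes([len(content)]) if len(content) < 0x80 else b"\x81" + bytes([len(content)])
    return bytes([tag]) + length + content

# Constructed sample CRL (empty issuer, dummy signature): CRL Number 2.5.29.20 is
# non-critical, Issuing Distribution Point 2.5.29.28 is flagged critical.
EXT_CRL_NUMBER = der(0x30, der(0x06, b"\x55\x1d\x14") + der(0x04, der(0x02, b"\x05")))
EXT_IDP = der(0x30, der(0x06, b"\x55\x1d\x1c") + der(0x01, b"\xff")
              + der(0x04, der(0x30, der(0x81, b"\xff"))))
TBS = der(0x30, der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"") + der(0x17, b"110308120000Z")
          + der(0xA0, der(0x30, EXT_CRL_NUMBER + EXT_IDP)))
SAMPLE_CRL = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
```

Run `unhandled_critical(open("CA.crl", "rb").read(), handled)` against the DER file the fetch script downloads; a non-empty result names the extension that the verifier will reject.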
