topic Wired EAP-TLS Problems in Network Access Control

Wired EAP-TLS Problems

darren_maden — Sun, 10 Mar 2019 22:19:50 GMT

I'm trying to setup wired clients to authenticate with EAP-TLS on a Catalyst 2950, I put together a test setup using the configs on my freeRADIUS server taken from another which is working with EAP-TLS over wireless, the requests are being passed through to the server but the authentication is still failing, could anyone give me some advice? Logs and configs included below......

My current setup is:

FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6

Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin

Laptop - OpenSUSE 10.2

I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)

"select * from nas" (comma seperated to make it easier):

id,nasname,shortname,type,ports,secret,community,description

1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL Catalyst 2950

wpa_supplicant.conf on laptop:

ctrl_interface=/var/run/wpa_supplicant

ctrl_interface_group=wheel

ap_scan=0

network={

key_mgmt=IEEE8021X

identity="SUSE Laptop"

eapol_flags=0

eap=TLS

ca_cert="/home/evosys/Documents/cacert.pem"

client_cert="/home/evosys/Documents/suse_cert.pem"

private_key="/home/evosys/Documents/suse_key.pem"

private_key_passwd="<password>"

}

Outputs of the radiusd and wpa_supplicant are attached...

Re: Wired EAP-TLS Problems

scadora — Mon, 13 Aug 2007 14:52:52 GMT

Based on this:

TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)

SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA

I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).

Shelly

Re: Wired EAP-TLS Problems

Jagdeep Gambhir — Mon, 13 Aug 2007 19:56:41 GMT

The link you provided explains about PEAP authentication and you want set up EAP-TLS ?

For TLS you need three certs

Server cert

Client cert

Regards,

~JG

Re: Wired EAP-TLS Problems

darren_maden — Tue, 14 Aug 2007 08:29:44 GMT

Creating a new CA for testing solved the problem, I've obviously had a mix up somewhere in my certificates.

I've now got EAP-TLS working for wired clients.

Nothing was needed on the switch that isn't in it's documentation.

Re: Wired EAP-TLS Problems

mohd_jahangir — Wed, 22 Nov 2017 18:43:45 GMT

Hi Darren

I am facing the same problem. My setup consists of ubuntu box with wpa_supplicant which connects to SDN controller, which in turn talks to RADIUS server.

I have generated certificates multiple times but issue not resolved. Can you share the steps of generating certs for server and the client?

-Thanks

Jahangir