08-13-2007 05:57 AM - edited 03-10-2019 03:19 PM
I'm trying to set up wired clients to authenticate with EAP-TLS on a Catalyst 2950. I put together a test setup using the configs on my freeRADIUS server taken from another which is working with EAP-TLS over wireless; the requests are being passed through to the server but the authentication is still failing. Could anyone give me some advice? Logs and configs included below...
My current setup is:
FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6
Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin
Laptop - OpenSUSE 10.2
I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)
"select * from nas" (comma separated to make it easier):
id,nasname,shortname,type,ports,secret,community,description
1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL,Catalyst 2950
wpa_supplicant.conf on laptop:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
key_mgmt=IEEE8021X
identity="SUSE Laptop"
eapol_flags=0
eap=TLS
ca_cert="/home/evosys/Documents/cacert.pem"
client_cert="/home/evosys/Documents/suse_cert.pem"
private_key="/home/evosys/Documents/suse_key.pem"
private_key_passwd="<password>"
}
Outputs of the radiusd and wpa_supplicant are attached...
08-13-2007 07:52 AM
Based on this:
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).
Shelly
08-13-2007 12:56 PM
The link you provided explains PEAP authentication, and you want to set up EAP-TLS?
For TLS you need three certs:
CA
Server cert
Client cert
Regards,
~JG
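Shelly's diagnosis (the client's ca_cert must be the certificate that signed the server's certificate) and JG's list of the three certificates can both be reproduced with openssl. The script below is an added example, not code from this thread, from FreeRADIUS or from wpa_supplicant; it assumes openssl is on the PATH, and the organisation name, the file names (lab-ca, radius-server, suse-laptop, stale-ca) and the 30-day lifetime are constructed for the demo. It builds one CA that issues both the server and the client certificate, then runs the same chain check the supplicant performs, once with the right ca_cert and once with an unrelated CA, which yields the "error 19 (self signed certificate in certificate chain)" from the original log.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway EAP-TLS PKI with openssl
# (a CA, a server certificate and a client certificate, as JG lists) and show why
# a supplicant whose ca_cert did not sign the server certificate fails with
# "error 19 (self signed certificate in certificate chain)", as Shelly explains.
# Subject names, file names and the 30-day lifetime are constructed for the demo.
set -eu

WORK="$(mktemp -d)"               # scratch directory for test-only key material
trap 'rm -rf "$WORK"' EXIT        # throw the demo keys away when the shell exits
SUBJ_BASE="/C=XX/O=Example Lab"   # hypothetical organisation, not a real one

# Create a self-signed CA: private key plus CA certificate. $1 = CA name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "$SUBJ_BASE/CN=$1" 2>/dev/null
}

# Issue an end-entity certificate (server or client) signed by the named CA.
# $1 = CA name, $2 = certificate name.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "$SUBJ_BASE/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# What the supplicant does with ca_cert: verify the presented certificate
# against exactly that trust anchor. Exit 0 on success, non-zero otherwise.
# $1 = trusted CA name, $2 = certificate name.
verify_against() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Same check, but with the CA certificate the server sent along in its chain
# treated as untrusted (an EAP-TLS server hands the client its chain, not just
# the leaf). Prints the OpenSSL verification error number, or 0 on success.
# $1 = trusted CA name, $2 = CA name sent in the chain, $3 = certificate name.
verify_error_code() {
  code=$(openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
           "$WORK/$3.pem" 2>&1 | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
}

# The three pieces JG lists: CA, server cert, client cert, all from one CA.
make_ca lab-ca
issue_cert lab-ca radius-server
issue_cert lab-ca suse-laptop
# A second, unrelated CA stands in for the "mix up" the thread ended with.
make_ca stale-ca

# Matching ca_cert: the server chain verifies, and so does the client
# certificate the RADIUS server will check against the same CA.
verify_against lab-ca radius-server && echo "server cert OK with lab-ca as ca_cert"
verify_against lab-ca suse-laptop && echo "client cert OK, signed by the same lab-ca"

# Wrong ca_cert: the server's chain ends in a self-signed CA the client does not
# trust, which is exactly error 19 from the wpa_supplicant log.
echo "with stale-ca as ca_cert: verify error $(verify_error_code stale-ca lab-ca radius-server)"
```

The practical check when the error reappears is the last call: point `verify_error_code` (or `openssl verify -CAfile <ca_cert>` directly) at the ca_cert the supplicant is configured with and at the certificate the RADIUS server is actually serving; a non-zero code means the two were issued by different CAs, no matter how many times the certificates have been regenerated.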
08-14-2007 01:29 AM
Creating a new CA for testing solved the problem, I've obviously had a mix up somewhere in my certificates.
I've now got EAP-TLS working for wired clients.
Nothing was needed on the switch that isn't in its documentation.
11-22-2017 10:43 AM
Hi Darren
I am facing the same problem. My setup consists of ubuntu box with wpa_supplicant which connects to SDN controller, which in turn talks to RADIUS server.
I have generated certificates multiple times but the issue is not resolved. Can you share the steps for generating certs for the server and the client?
-Thanks
Jahangir