Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1805
Views
0
Helpful
1
Replies

EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

Gustavo Novais
Level 1
Level 1

‎03-19-2012 10:12 PM - edited ‎03-10-2019 06:55 PM

Hello,

I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).

The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.

While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.

Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.

What was done:

- set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.

- freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)

- Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)

What I can see while running a wireshark trace on freeradius is:

     - both parties negotiate properly that they will engage in EAP-TLS.

     - they  start the TLS handshake

     - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)

     - Client (phone) never sends its certificate (MIC) to the server.

     - Client restarts EAP-TLS negotiation and goes on and on.

Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).

Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.

Phone firmware is 9.2(3) and callmanager 8.6

Thanks

Gustavo Novais

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Cliff Campbell
Level 1
Level 1

‎11-15-2015 12:32 AM

I know this is an old thread but I just had the same behavior as OP with freeRadius 3.0.9 and 8845 phones running 10.3.16 on a 10.5 cluster so... still relevant.

I found the following in the phone console logs:

5840 ERR Nov 14 23:25:51.242806 PAE: -Total fragmented length(1616) doesn't match expected length(1612)

I was able to resolve the problem by adding  include_length = no in mods-available/eap file under the tls section.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents