Need help concerning a freeradius error

Hi,

Been working for 8 hours configuring FreeRADIUS as an experiment to learn, and to better secure my green network AP.

All went pretty well, the AP is communicating with the server, and I've set it to use TLS only for better security.

I have a TLS version issue that I will resolve later, but I want to get it working before tightening the security.

So my main problem is that it seems the server cannot resolve the client name to open the proper cert file for validation, as the error suggests. But I can't find out why. Maybe someone could point out my error, or somewhere I can look for any clues? Could it be a file permission issue?

Thanks and have a nice day.

Error code snippet:

(7) eap_tls: TLS-Client-Cert-Common-Name := "PsycO"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(7) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs %{TLS-Client-Cert-Filename}
(7) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs %{TLS-Client-Cert-Filename}:
(7) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(7) eap_tls: --> /tmp/radiusd/radiusd.client.XXcGNa2O
Error loading file /etc/raddb/certs
(7) eap_tls: ERROR: Program returned code (1) and output ''
tls: Certificate CN (PsycO) fails external verification!
(7) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal internal_error
(7) eap_tls: ERROR: TLS Alert write:fatal:internal error
tls: TLS_accept: Error in error
(7) eap_tls: ERROR: Failed in FUNCTION (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
(7) eap_tls: ERROR: System call (I/O) error (-1)
(7) eap_tls: ERROR: TLS receive handshake failed during operation
(7) eap_tls: ERROR: [eaptls process] = fail
(7) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed

Hi,

I've found the answer myself after some hours of debugging tonight.
If someone else gets this problem: it's the ca.pem file expansion that does not work properly, so openssl verify cannot work.
I solved the problem by hardcoding the location of the ca.pem file in the openssl verify command in the eap.cfg file.

I also solved my TLS version problem on Windows 7 using this link.

Windows 7 was using TLS 1.0 instead of the more secure 1.2 version. Making those changes to the registry forces it to use TLS 1.2 by disabling 1.0 and 1.1.

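A way to check this outside radiusd before touching the EAP config. The log above shows the external check being run as `openssl verify -CAfile /etc/raddb/certs ...`: the placeholder for the client certificate expanded to a real temp file, but `-CAfile` was handed the FreeRADIUS certs directory, and openssl's `-CAfile` option expects a PEM file, which is exactly what `Error loading file /etc/raddb/certs` reports. The script below is an added example, not part of either post and not FreeRADIUS's own code. It builds a throwaway CA and a client certificate with CN "PsycO" in a temp directory (stand-ins for `/etc/raddb/certs/ca.pem` and the `/tmp/radiusd/radiusd.client.*` file radiusd writes), then runs the same `openssl verify` command four ways: as in the log, with `-CAfile` pointing at `ca.pem`, with `-CApath` before and after hashing the directory, and finally against a certificate from an unknown CA with the same CN to confirm the fixed command still rejects it. It assumes the `openssl` CLI (1.1.1 or newer) is installed; all paths and certificate names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the external "openssl verify"
# step that FreeRADIUS runs for EAP-TLS, outside radiusd, against a throwaway
# CA and client certificate. Requires the openssl CLI (1.1.1 or newer).
# All paths below are temporary stand-ins for /etc/raddb/certs and /tmp/radiusd.
set -u

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }

WORK="${TMPDIR:-/tmp}/radverify.$$"
CERTS="$WORK/certs"                              # stands in for /etc/raddb/certs
CLIENT="$WORK/radiusd/radiusd.client.XXcGNa2O"   # stands in for %{TLS-Client-Cert-Filename}
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: a CA (ca.pem, as in /etc/raddb/certs) and a client cert with
# CN "PsycO" signed by it, written where radiusd would dump the client's
# certificate for the external check. Key material stays outside $CERTS.
setup_pki() {
    mkdir -p "$CERTS" "$WORK/radiusd"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example test CA" \
        -keyout "$WORK/ca.key" -out "$CERTS/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=PsycO" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$CERTS/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$CLIENT" >/dev/null 2>&1
}

# Each check prints openssl's exit status. With current OpenSSL releases:
# 0 = verified, 1 = the trust store could not be loaded, 2 = verification failed.
run_verify() {
    rc=0
    openssl verify "$@" "$CLIENT" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# 1. The command as it appears in the log: -CAfile is given the certs
#    *directory*. -CAfile must name a PEM file, so the store never loads and
#    openssl fails with "Error loading file ..." before looking at the cert.
verify_cafile_dir()      { run_verify -CAfile "$CERTS"; }

# 2. Fix A: point -CAfile at the CA bundle itself. -no-CApath stops openssl
#    from silently adding the system CA directory as a trust source, which the
#    bare command does (on OpenSSL 3 the default store also needs -no-CAstore).
verify_cafile_pem()      { run_verify -CAfile "$CERTS/ca.pem" -no-CApath; }

# 3. Fix B: -CApath with the directory. This only works once the directory
#    holds <subject-hash>.0 links to each CA, created by "openssl rehash"
#    (or c_rehash); a bare ca.pem in the directory is not found.
verify_capath_unhashed() { run_verify -CApath "$CERTS" -no-CAfile; }
verify_capath_hashed()   { openssl rehash "$CERTS" >/dev/null 2>&1; run_verify -CApath "$CERTS" -no-CAfile; }

# 4. Negative check: a self-signed cert with the same CN "PsycO" but from no
#    trusted CA must still be rejected, or the "fix" only silenced the error.
verify_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=PsycO" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
    rc=0
    openssl verify -CAfile "$CERTS/ca.pem" -no-CApath "$WORK/rogue.pem" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

setup_pki
CAPATH_UNHASHED_RC=$(verify_capath_unhashed)   # captured before rehash runs
echo "-CAfile <directory> (as in the log):   exit $(verify_cafile_dir)"
echo "-CAfile ca.pem:                        exit $(verify_cafile_pem)"
echo "-CApath unhashed directory:            exit $CAPATH_UNHASHED_RC"
echo "-CApath after openssl rehash:          exit $(verify_capath_hashed)"
echo "unknown CA, CN=PsycO, -CAfile ca.pem:  exit $(verify_rogue_cert)"
```

Running the same command by hand as the user radiusd runs under (for example with `sudo -u radiusd`) also answers the permission question from the first post, since the per-session client file under `/tmp/radiusd/` and `ca.pem` both have to be readable by that user. Whichever form is used, the `-CAfile`/`-CApath` argument must be a PEM file or a hashed directory respectively, and the command should be tested against a certificate from an unrelated CA to make sure it fails closed.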