[RADIATOR] EAP-TLS question

Mike Puchol puchol at me.com
Thu Dec 1 15:10:19 CST 2011


Hi Markus,  

Not sure if there is a specific method to force a check on an expired certificate, but you have at least these two options:

1. Add expired certificates to a revocation list, and force checking it in the .cfg as:

EAPTLS_CRLCheck
EAPTLS_CRLFile /var/certs/crl.pem


2. Add a hook that checks the certificate expiration date with the current date, as:

EAPTLS_CertificateVerifyHook sub { … }

There is an example hook in eap_tls.cfg in /goodies.

Cheers,

Mike


On Thursday, December 1, 2011 at 9:23 PM, Markus Moeller wrote:

> Hi,
>   
>   I have a setup using EAP TLS with CRL check, and sometimes I correctly get an expired certificate presented. But why does Radiator continue with an Access Challenge instead of a Reject?
>   
>   
> Wed Nov 30 18:20:11 2011: DEBUG: Handling request with Handler AuthType="radius"'
> Wed Nov 30 18:20:11 2011: DEBUG:  Deleting session for xxx, 10.10.10.10, 13
> Wed Nov 30 18:20:11 2011: DEBUG: Handling with Radius::AuthFILE: EapTLS
> Wed Nov 30 18:20:11 2011: DEBUG: Handling with EAP: code 2, 8, 689, 13
> Wed Nov 30 18:20:11 2011: DEBUG: Response type 13
> Wed Nov 30 18:20:11 2011: INFO: EAP TLS certificate verification failed: certificate has expired,  23809: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>   
> Wed Nov 30 18:20:11 2011: DEBUG: EAP result: 3, EAP TLS Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: Access challenged for xxx: EAP TLS Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: Packet dump:
> *** Sending to 10.1.1.1 port 32769 ....
> Code:       Access-Challenge
> Identifier: 56
> Authentic:  (<183><181><167><240><188>2<186><243>d<247>d<248><12><151>+
> Attributes:
>         EAP-Message = <1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>   
>   
> Thank you
> markus
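The EAP-Message in the quoted packet dump can be decoded to see what that Access-Challenge actually carries. The following decoder is an added example written for this thread, not code from Radiator or from either poster; the only input it uses is the EAP-Message line from Markus's dump, transcribed from Radiator's `<nn>` attribute notation. Parsing it per RFC 3748 (EAP) and RFC 5216 (EAP-TLS) shows an EAP-Request of type 13 whose TLS payload is a single TLS 1.0 Alert record, level 2 (fatal), description 45 (certificate_expired): the server is delivering the verification failure to the supplicant inside the challenge, and the RADIUS conversation is still open at that point. The value mapping for alert descriptions is a subset of the RFC 5246 table; nothing else is assumed.

```python
import re

# Constructed from the quoted Radiator packet dump: the EAP-Message attribute
# exactly as Radiator prints it (non-printable bytes as <decimal>, printable
# bytes as the character itself, so the trailing '-' is 0x2d = 45).
RADIATOR_EAP_MESSAGE = "<1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT_ALERT = 21
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of TLS AlertDescription values (RFC 5246, section 7.2)
TLS_ALERT_DESCRIPTIONS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}


def radiator_dump_to_bytes(text):
    """Turn Radiator's <nn>/literal-character attribute dump back into bytes."""
    out = bytearray()
    for m in re.finditer(r"<(\d+)>|(.)", text):
        if m.group(1) is not None:
            out.append(int(m.group(1)))
        else:
            out.append(ord(m.group(2)))
    return bytes(out)


def parse_eap_tls(packet):
    """Parse an EAP packet (RFC 3748); if it is EAP-TLS, split off the flags,
    the optional 4-byte TLS message length (L bit) and the TLS data (RFC 5216)."""
    if len(packet) < 4:
        raise ValueError("short EAP packet")
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):          # Success/Failure carry no type or payload
        return info
    info["type"] = packet[4]
    if info["type"] != EAP_TYPE_TLS:
        return info
    flags = packet[5]
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                     "S": bool(flags & 0x20)}
    pos = 6
    if flags & 0x80:                # L bit: total TLS message length present
        info["tls_length"] = int.from_bytes(packet[6:10], "big")
        pos = 10
    info["tls_data"] = packet[pos:]
    return info


def parse_tls_record(data):
    """Parse one TLS record header and decode the body when it is an Alert."""
    if len(data) < 5:
        raise ValueError("short TLS record")
    content_type = data[0]
    version = (data[1], data[2])
    record_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("truncated TLS record")
    rec = {"content_type": content_type, "version": version, "length": record_len}
    if content_type == TLS_CONTENT_ALERT and record_len == 2:
        rec["alert_level"] = TLS_ALERT_LEVELS.get(body[0], body[0])
        rec["alert_description"] = TLS_ALERT_DESCRIPTIONS.get(body[1], body[1])
    return rec


def decode_challenge(dump=RADIATOR_EAP_MESSAGE):
    """Return (EAP header info, TLS record info) for a Radiator EAP-Message dump."""
    eap = parse_eap_tls(radiator_dump_to_bytes(dump))
    tls = parse_tls_record(eap["tls_data"])
    return eap, tls


if __name__ == "__main__":
    eap, tls = decode_challenge()
    print("EAP:", eap)
    print("TLS:", tls)
```

Running it on the quoted line reports an EAP Request, id 9, length 17, type 13, L flag set with a TLS length of 7, and a TLS record of content type 21, version (3, 1), alert level fatal, description certificate_expired. When reviewing an EAP-TLS failure in the Radiator debug log, the thing to confirm is therefore that the exchange ends in an Access-Reject after this challenge, rather than treating the challenge itself as the verdict.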

