[RADIATOR] certificate problems
Eric W. Bates
ericx at whoi.edu
Wed Jun 3 22:19:17 UTC 2020
For the record you can validate the certificate chain but it's a bit
convoluted.
rad_eap_test is a little easier. And it does have a flag to show
certificate info; but unfortunately it only provides info about the
certificate chain's leaf node (no info about other certs in the chain).
Not clear that it validates the chain (it might; but the chain is
already fixed and there is no "YES VALIDATION" message of any sort).
To see a copy of the whole chain, you can feed rad_eap_test the '-N'
option and it does not delete the temporary work files (eapol_test only
has an option to write the chain out to a file); so you can see what
eapol_test wrote. Then you can validate it yourself. [sigh]
So a working test command for TTLS tunneling:
./rad_eap_test -c -t 10 -H '[server host name]' -P '1812' -S '[RADIUS
client PSK]' -u 'ericx at whoi.edu' -p '[my password]' -s '[SSID]' -m
IEEE8021X -e TTLS -2 MSCHAPV2 -A anonymous at whoi.edu -T -b -N
[phew]
And then way down at the bottom of the output:
Leaving temporary files in /tmp/rad_eap_test.vh2dio
Configuration: /tmp/rad_eap_test.vh2dio/tmp-1208.conf
Output: /tmp/rad_eap_test.vh2dio/tmp-1208.out
RADIUS certiticate: /tmp/rad_eap_test.vh2dio/RADIUS_cert.pem
you get your copy of the "certiticate."
Some of the knobs may only be necessary for us.
- The Radiator handler we use needs to see the attribute
Called-Station-Id in the format of '[MAC]:[SSID]' and the -T gives you
that.
- The same handler (for the outer anonymous auth) expects to see
"anonymous at whoi.edu" in order to match the realm "whoi.edu"
So I still have a phone refusing to connect (I think Martin is probably
correct about the phone's list of trusted roots). But now I can prove:
"it's not the network..."
On 6/3/20 9:11 AM, Heikki Vatiainen wrote:
> On 3.6.2020 15.44, Eric W. Bates wrote:
>> We use certificates signed by InCommon and over the weekend several
>> older intermediate certificates expired; so I updated the chain file.
>>
>> Now I'm getting:
>>
>> Tue Jun 2 22:21:17 2020 630517: DEBUG: EAP result: 1, EAP TTLS
>> Handshake unsuccessful: 2861: 1 - error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>
>> so from "unknown ca" I have to assume I screwed up the chain.
>
> It also could be that client profile does not trust the new root CA or
> it's not present in client's CA certificate storage.
>
>> Is there a way similar to "openssl s_client" to pull the certificate
>> chain from Radiator? I just want to confirm what cert chain is being
>> offered.
>
> Wireshark could also work here. If you capture RADIUS with TLS backed
> EAP, such as PEAP, wireshark can reconstruct TLS handshake from the
> capture.
>
> Edit: just noticed that you're looking at rad_eap_test. Please let us
> know how it goes.
>
> Thanks,
> Heikki
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4188 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20200603/96afb3fd/attachment.p7s>
More information about the radiator
mailing list