Setting up Freeradius - Not getting client prompt for Cert acceptance [RESOLVED]



  • Setting up Freeradius for EAP-PEAP and believe I have everything set up and ready to go.  The problem is that when I have a client attempt to connect, I never see the prompt for the server cert I created in the pfsense cert manager.

    Have tried on two separate Win7 clients.  Not sure where to go from here.

    rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=119, length=224
            User-Name = "chris"
            Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
            Calling-Station-Id = "00-27-10-51-50-F4"
            Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
            Symbol-Current-ESSID = "NULL-T"
            NAS-Port = 1
            NAS-Port-Type = Wireless-802.11
            Framed-MTU = 1400
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.0.101
            NAS-Identifier = "7131-DRm"
            NAS-Port-Id = "radio2"
            Connect-Info = "CONNECT 300Mbps 802.11an"
            EAP-Message = 0x0201000a016368726973
            Message-Authenticator = 0xec13edf1bb0cbebf4d17ceb0b0cd1b8e
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 1 length 10
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [files] users: Matched entry chris at line 2
    ++[files] returns ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] returns noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: 00-27-10-51-50-F4
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Normalizing MD5-Password from hex encoding
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 119 to 192.168.0.101 port 1071
            EAP-Message = 0x010200061920
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0x049e6912049c7011beb991aee0a3b1c2
    Finished request 30.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=120, length=337
            User-Name = "chris"
            Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
            Calling-Station-Id = "00-27-10-51-50-F4"
            Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
            Symbol-Current-ESSID = "NULL-T"
            NAS-Port = 1
            NAS-Port-Type = Wireless-802.11
            Framed-MTU = 1400
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.0.101
            NAS-Identifier = "7131-DRm"
            NAS-Port-Id = "radio2"
            Connect-Info = "CONNECT 300Mbps 802.11an"
            State = 0x049e6912049c7011beb991aee0a3b1c2
            EAP-Message = 0x0202006919800000005f160301005a010000560301515cd999803d50ec34314f837e3ca5a084ded764701a3ca7abf7fa16edaf277b000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
            Message-Authenticator = 0x30375bd20ca2e7ae301002aab17c6913
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 2 length 105
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
      TLS Length 95
    [peap] Length Included
    [peap] eaptls_verify returned 11 
    [peap]     (other): before/accept initialization
    [peap]     TLS_accept: before/accept initialization
    [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello  
    [peap]     TLS_accept: SSLv3 read client hello A
    [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello  
    [peap]     TLS_accept: SSLv3 write server hello A
    [peap] >>> TLS 1.0 Handshake [length 097e], Certificate  
    [peap]     TLS_accept: SSLv3 write certificate A
    [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    [peap]     TLS_accept: SSLv3 write server done A
    [peap]     TLS_accept: SSLv3 flush data
    [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase 
    In SSL Accept mode  
    [peap] eaptls_process returned 13 
    [peap] EAPTLS_HANDLED
    ++[eap] returns handled
    Sending Access-Challenge of id 120 to 192.168.0.101 port 1071
            EAP-Message = …
            EAP-Message = …
            EAP-Message = …
            EAP-Message = …
            EAP-Message = 0x120603550403130b696e7465
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0x049e6912059d7011beb991aee0a3b1c2
    Finished request 31.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=121, length=238
            User-Name = "chris"
            Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
            Calling-Station-Id = "00-27-10-51-50-F4"
            Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
            Symbol-Current-ESSID = "NULL-T"
            NAS-Port = 1
            NAS-Port-Type = Wireless-802.11
            Framed-MTU = 1400
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.0.101
            NAS-Identifier = "7131-DRm"
            NAS-Port-Id = "radio2"
            Connect-Info = "CONNECT 300Mbps 802.11an"
            State = 0x049e6912059d7011beb991aee0a3b1c2
            EAP-Message = 0x020300061900
            Message-Authenticator = 0x69f5705b94d25d326a384f8cf51bb08b
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 3 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] Received TLS ACK
    [peap] ACK handshake fragment handler
    [peap] eaptls_verify returned 1 
    [peap] eaptls_process returned 13 
    [peap] EAPTLS_HANDLED
    ++[eap] returns handled
    Sending Access-Challenge of id 121 to 192.168.0.101 port 1071
            EAP-Message = …
            EAP-Message = …
            EAP-Message = …
            EAP-Message = …
            EAP-Message = 0x230481af3081ac80
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0x049e6912069a7011beb991aee0a3b1c2
    Finished request 32.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=122, length=238
            User-Name = "chris"
            Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
            Calling-Station-Id = "00-27-10-51-50-F4"
            Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
            Symbol-Current-ESSID = "NULL-T"
            NAS-Port = 1
            NAS-Port-Type = Wireless-802.11
            Framed-MTU = 1400
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.0.101
            NAS-Identifier = "7131-DRm"
            NAS-Port-Id = "radio2"
            Connect-Info = "CONNECT 300Mbps 802.11an"
            State = 0x049e6912069a7011beb991aee0a3b1c2
            EAP-Message = 0x020400061900
            Message-Authenticator = 0x1d3fd076d700c45bfbbbd5acdf9171c1
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 4 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] Received TLS ACK
    [peap] ACK handshake fragment handler
    [peap] eaptls_verify returned 1 
    [peap] eaptls_process returned 13 
    [peap] EAPTLS_HANDLED
    ++[eap] returns handled
    Sending Access-Challenge of id 122 to 192.168.0.101 port 1071
            EAP-Message = …
            EAP-Message = 0x5f01fb8b70a32589336685f9fa23ae42d2e7c620f8c1a6cc05b709fb8a5b87b841b1c3390529db1c2b3d3d8d1add0b48ae16f5c60c1245487096b531172114692c176338aa97a871479000defbc5caf42821d93c1fb7dea1a69e2851aab6a9fe73a5a1dfdce1ec55a0555576f6b03eba2dd3e2f28ddf87e9cb13bb692fb784b3e5e22befdfedc164c93d4d89098272cb0a7740c9cf7e1bd676fb0059b82fd33a3661055a1ccf7f70ea0a9c39aadb6a9214b838e4dacefaabab7a70e643ea1acdfea09f7942cf34c3ddc0d386290f5643dbacce0f05a216030100040e000000
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0x049e6912079b7011beb991aee0a3b1c2
    Finished request 33.
    Going to the next request
    Waking up in 4.7 seconds.
    rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=123, length=249
            User-Name = "chris"
            Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
            Calling-Station-Id = "00-27-10-51-50-F4"
            Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
            Symbol-Current-ESSID = "NULL-T"
            NAS-Port = 1
            NAS-Port-Type = Wireless-802.11
            Framed-MTU = 1400
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.0.101
            NAS-Identifier = "7131-DRm"
            NAS-Port-Id = "radio2"
            Connect-Info = "CONNECT 300Mbps 802.11an"
            State = 0x049e6912079b7011beb991aee0a3b1c2
            EAP-Message = 0x0205001119800000000715030100020230
            Message-Authenticator = 0x0c8648b9543098dcc1f4cdd8f0d13113
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 5 length 17
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
      TLS Length 7
    [peap] Length Included
    [peap] eaptls_verify returned 11 
    [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca  
    TLS Alert read:fatal:unknown CA
        TLS_accept: failed in SSLv3 read client certificate A
    rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    SSL: SSL_read failed inside of TLS (-1), TLS session fails.
    TLS receive handshake failed during operation
    [peap] eaptls_process returned 4 
    [peap] EAPTLS_OTHERS
    [eap] Handler failed in EAP/peap
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
            expand:  -> 
    Login incorrect (TLS Alert read:fatal:unknown CA): [chris/<via Auth-Type = EAP>] (from client testAP port 1 cli 00-27-10-51-50-F4) 
    Using Post-Auth-Type Reject
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> chris
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 34 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 34
    Sending Access-Reject of id 123 to 192.168.0.101 port 1071
            EAP-Message = 0x04050004
            Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 3.7 seconds.
    Cleaning up request 30 ID 119 with timestamp +998
    Cleaning up request 31 ID 120 with timestamp +998
    Cleaning up request 32 ID 121 with timestamp +998
    Cleaning up request 33 ID 122 with timestamp +998
    Waking up in 1.2 seconds.
    Cleaning up request 34 ID 123 with timestamp +999
    Ready to process requests.
    


  • You have to create the CA and server cert in the pfSense "Cert Manager", or import them from somewhere else.
    After that go to:
    Services --> FreeRADIUS --> EAP
    Select "Choose pfSense Cert Manager"
    empty the private key password - you do not need one
    select your CA
    select your SERVER cert
    click Save

    Sometimes it could help to click "Save" a second time.

    On Windows you must make sure that the client is configured to verify the CA. This is not always the case, and it can be disabled.
    Take a look here. It shows you the "Validate server certificate" option:
    http://i.technet.microsoft.com/dynimg/IC120658.gif

    http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#PEAP_and_MSCHAPv2



  • That's pretty much how I have it set up.  The only difference was that I had set a Private Key password in the Certificates for TLS section in the EAP tab.  Tried saving a couple extra times too.
    No difference in the behavior though.



  • You can try to go to

    /usr/local/etc/raddb/certs/
    

    and delete the certificates there.

    After that go back to the GUI, select your CA and server cert, click Save, and make sure it places the certificates in the path I posted above.
    If it does then it should be ok.

    With the GUI tab "View config" you can check whether eap.conf points to the correct certificates.

    Did you disable the weak EAP types? If you disabled them then please try to enable them and try again.

    From googling:
    Are you using an intermediate certificate?



  • Before I actually delete anything in the certs directory, are you saying that I should delete all the files or just certain ones?

    I have already disabled the weak EAP types.  Once I get an answer for the above, I'll try with and w/o again.
    Regarding the Intermediate cert, I don't think I am, since I didn't do anything to set this up.  Just trying to set up a self-signed cert at this point…and from what I've been reading, I probably don't even want to use a root CA cert, for security reasons.  If you feel like responding to this subject, I would love to hear your thoughts.  ;D

    [EDIT]
    In Cert Manager->Certificates, I deleted the existing CA and server certs I had previously created and then regenerated them.
    Looking at the /certs dir, I do see new instances of (ca_cert.pem, ca_key.pem, server_cert.pem, and server_key.pem).
    Also enabled the weak EAP option.

    Still not being prompted to accept the cert though.

    Regarding the Intermediate cert: I'm assuming that I use the 'Create an Internal CA' option.  I did NOT use the Intermediate option.

    [EDIT-2]
    Found the culprit.
    Apparently, I needed to have the User 'Password Encryption' set to Cleartext, instead of MD5.



  • Yes, of course. User password encryption must be cleartext. I didn't think of that.  ::)
    The encryption on "Users" just encrypts the password in the users file. But if you do so, then the authentication module must be able to decode it. I am not too familiar with that, but as far as I know this works with PAP.
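
    The point the two posts above turn on (MD5 in the "Password Encryption" setting breaks PEAP, cleartext works) can be checked mechanically. The following is an added example, not code from the thread, pfSense or the FreeRADIUS project: a small lint over a FreeRADIUS 2.x users file, run here on a constructed sample. rlm_mschap must compute the NT hash of the password itself, so an entry needs Cleartext-Password or NT-Password; MD5-Password and Crypt-Password are one-way hashes that only rlm_pap can compare, which is why the PEAP/MSCHAPv2 login failed. User names, the sample file and the Crypt-Password string are made up for the example.

```shell
#!/bin/sh
# Added example, not from the forum thread, pfSense or FreeRADIUS.
# Lints a FreeRADIUS 2.x "users" file and prints the entries whose password
# attribute cannot be used by EAP-PEAP/MSCHAPv2. rlm_mschap needs
# Cleartext-Password or NT-Password; MD5-Password (what "Password
# Encryption: MD5" produced in the thread) and Crypt-Password are
# one-way hashes that only rlm_pap can check.
set -eu

# Constructed sample users file. Both hashes are of the string "password":
# the MD5 digest and the NT hash (MD4 over the UTF-16LE password).
# The Crypt-Password value is a made-up placeholder.
USERS_FILE=$(mktemp)
FIXED_FILE=$(mktemp)
trap 'rm -f "$USERS_FILE" "$FIXED_FILE"' EXIT
cat > "$USERS_FILE" <<'EOF'
# constructed sample users file
chris   MD5-Password := "5f4dcc3b5aa765d61d8327deb882cf99"
        Reply-Message := "Hello, %{User-Name}"
alice   Cleartext-Password := "correct horse battery staple"
bob     NT-Password := "0x8846f7eaee8fb117ad06bdd830b7586c"
dave    Crypt-Password := "$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0"
EOF

# mschap_incompatible USERS_FILE
# Prints, one per line, the user names whose check items contain neither
# Cleartext-Password nor NT-Password. In the users file an entry starts in
# column 1 (name, then check items); indented lines are reply items and are
# skipped, as are comments, blank lines and DEFAULT entries.
mschap_incompatible() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]/ { next }
        $1 == "DEFAULT" { next }
        $0 !~ /(Cleartext|NT)-Password[ \t]*:?=/ { print $1 }
    ' "$1"
}

# The fix from the thread applied to the sample: store the password for
# "chris" in a form rlm_mschap can use (cleartext here; NT-Password also works).
sed 's/^chris .*/chris   Cleartext-Password := "password"/' "$USERS_FILE" > "$FIXED_FILE"

echo "cannot do MSCHAPv2 (before): $(mschap_incompatible "$USERS_FILE" | tr '\n' ' ')"
echo "cannot do MSCHAPv2 (after):  $(mschap_incompatible "$FIXED_FILE" | tr '\n' ' ')"
```

    NT-Password avoids keeping the cleartext in the file, but for MSCHAPv2 the NT hash is password-equivalent: anyone who reads it can authenticate as that user, so the users file needs the same file permissions either way.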



  • So it looks like I'm 99% there.

    If I configure the client to validate the server cert but do not specify any certs in the trusted root CA list, I get the 'Credentials provided by the server couldn't be validated' warning, and can choose to accept and connect…and it works.

    But, next I:
    Export the ca.crt from pfsense (Cert Manager->Certificates) and then import it into the Win7 client (added to both the Personal and root CA stores)
    Reconfigure the client to validate the server cert using the one I imported, which is now listed in the trusted root CA list
    Upon trying to connect, I enter my login info and then I get the message that I'm unable to connect.

    Looking at the CLI logs, I once again see messages:

    [peap] eaptls_verify returned 11
    [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca  
    TLS Alert read:fatal:unknown CA
       TLS_accept: failed in SSLv3 read client certificate A

    Seems like the client supplicant isn't making use of the ca cert I imported.
    I've tried deleting the cert on the client (using mmc) and re-importing the ca cert again.  No luck.

    [EDIT] Fixed it.
    Apparently I have a lot to learn about certs.
    I needed to export the CA cert that is listed under the "CAs" tab in the Cert Manager.
    What I had done was to export the cert that I thought was the CA cert that I created and was listed under the "certificates" tab.
    Still don't know the how/why this fixed it, but I'd really like to understand this better!  ;D



  • The client certificate and client key are for the clients only.
    The server certificate and key are for the server only.

    The CA certificate can be used by anyone, but never, never give the CA key to someone else, or that person is able to create unlimited certificates based on this CA.

    The validation of the CA certificate is more a thing for the user on the client. If a client connects to a server whose CA is called "My little bunnies" but you want to connect to a server called "My Company", then the user should be careful and make sure whether he really wants to connect to the "wrong" server.

    On the server side the server checks the client certificate against the CA, and with the CA key it is possible to verify whether this client certificate was really created by that CA or by another one.

    I am no CA/certificate expert but I hope this could help you a little bit. So to make it short:
    If you give something to a client then just:

    • CA.cert (not CA.key)

    • Client.cert

    • Client.key

    These things can come together in a .p12 file or in single files. They can be .crt, .pem or .der, which are mostly the same content in different formats for different systems.
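
    The fix two posts up (export the CA from the "CAs" tab, not the server certificate from the "Certificates" tab) and the file list in the post above can be verified on the RADIUS host with openssl before anything is handed to clients. What follows is an added example, not code from the thread, pfSense or the FreeRADIUS project. It builds a throwaway CA and a server certificate signed by it (subjects, file names and the working directory are assumptions; the pfSense package writes ca_cert.pem and server_cert.pem to /usr/local/etc/raddb/certs/), then shows that the server certificate validates only when the CA certificate is the trust anchor. Using the server certificate itself as the anchor, which is what exporting the wrong file did, fails in exactly the way the Windows supplicant reported back to FreeRADIUS as "TLS Alert read:fatal:unknown CA".

```shell
#!/bin/sh
# Added example, not from the forum thread, pfSense or FreeRADIUS.
# Requires the openssl command-line tool. All file names, subjects and the
# working directory are assumptions made for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: a self-signed CA (what the "CAs" tab holds) and a
# server certificate signed by it (what the "Certificates" tab holds).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$WORK/server_key.pem" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/ca_cert.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -out "$WORK/server_cert.pem" 2>/dev/null
}

# check_chain ANCHOR SERVER_CERT
# Exit 0 if a supplicant whose trusted-root store holds only ANCHOR would
# accept SERVER_CERT, 1 otherwise. This is the decision the Windows
# supplicant makes with "Validate server certificate" enabled; when it
# fails, the client answers the server's Certificate message with the
# unknown_ca alert seen in the debug output.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# dn_of FIELD CERT   (FIELD is "subject" or "issuer")
# Prints the DN without the "subject=" / "issuer=" prefix so that output
# from different openssl versions compares equal.
dn_of() {
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# is_issuer_of CANDIDATE SERVER_CERT
# Sanity check before exporting a file to clients: the subject DN of the
# file you export must equal the issuer DN on the server certificate.
# The server certificate itself fails this because it is not self-signed.
is_issuer_of() {
    [ "$(dn_of subject "$1")" = "$(dn_of issuer "$2")" ]
}

make_test_pki

if check_chain "$WORK/ca_cert.pem" "$WORK/server_cert.pem"; then
    echo "ca_cert.pem as trust anchor: server cert validates (export this one)"
fi
if ! check_chain "$WORK/server_cert.pem" "$WORK/server_cert.pem"; then
    echo "server_cert.pem as trust anchor: no chain, supplicant sends unknown_ca"
fi
# ca_key.pem never leaves the server: whoever holds it can mint
# certificates that every client trusting this CA will accept.
```

    On a pfSense box the same two checks, run against the real files, are `openssl verify -CAfile /usr/local/etc/raddb/certs/ca_cert.pem /usr/local/etc/raddb/certs/server_cert.pem` and a comparison of `-issuer` on server_cert.pem with `-subject` on the file you are about to export; if the verify step fails there, no amount of re-importing on the Windows side will help.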



  • Thanks, Nachtfalke!

    I've got everything working at this point….finally.  ;D

    Your explanations of different files helps too!  Much appreciated!

