EAP-TLS：freeradiusでp12キーを確認する方法は？

Question

EAP-TLSのみの構成でRadiusサーバーをインストールしました。ルートCAとクライアント証明書の両方を含むことになっているclient.p12ファイルがあります。

p12キーを追加しました
- https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Freeradius%3A_Configure_Windows_7_with_an_EAP-TLS_wireless_profile
SSIDを構成しましたが、freeradiusのデバッグメッセージで、freeradiusがキー/証明書を検証できないようです。

error 20 at 0 depth lookup: unable to get local issuer certificate (25) eap_tls: ERROR: Program returned code (2) and output 'error /tmp/radiusd/radiusd.client.XXK1l6r6: verification failed' tls: Certificate CN (testuser@****.com) fails external verification! (25) eap_tls: >>> send TLS 1.2 [length 0002] (25) eap_tls: ERROR: TLS Alert write:fatal:internal error tls: TLS_accept: Error in error (25) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (25) eap_tls: ERROR: System call (I/O) error (-1) (25) eap_tls: ERROR: TLS receive handshake failed during operation (25) eap_tls: ERROR: [eaptls process] = fail (25) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (25) eap: Sending EAP Failure (code 4) ID 7 length 4 (25) eap: Failed in EAP select (25) [eap] = invalid (25) } # authenticate = invalid (25) Failed to authenticate the user (25) Using Post-Auth-Type Reject (25) # Executing group from file /etc/freeradius/3.0/sites-enabled/***network (25) Post-Auth-Type REJECT { (25) attr_filter.access_reject: EXPAND %{User-Name} (25) attr_filter.access_reject: --> testuser@@****..com (25) attr_filter.access_reject: Matched entry DEFAULT at line 11 (25) [attr_filter.access_reject] = updated (25) } # Post-Auth-Type REJECT = updated (25) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (25) Sending delayed response (25) Sent Access-Reject Id 25 from 172.17.0.2:1812 to 172.17.0.1:33331 length 44 (25) EAP-Message = 0x04070004 (25) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (20) Cleaning up request packet ID 20 with timestamp +1661 (21) Cleaning up request packet ID 21 with timestamp +1661 (22) Cleaning up request packet ID 22 with timestamp +1661 (23) Cleaning up request packet ID 23 with timestamp +1661 (24) Cleaning up request packet ID 24 with timestamp +1661 (25) Cleaning up request packet ID 25 with timestamp +1661 Ready to process requests

質問：Windowsからすべてをセットアップせずに、CLIでp12キーを使用してfreeradiusサーバーをテストするにはどうすればよいですか？

Alexis_FR_JP · Accepted Answer

私はここで解決策を見つけました：

http://lists.freeradius.org/pipermail/freeradius-users/2016-March/082736.html

client_certクライアント証明書はすでにp12ファイルに存在するため、必要ありません。

eapol_test.conf.tls：

network={ key_mgmt=WPA-EAP identity="myusername" proto=WPA2 eap=TLS ca_cert="/tmp/clients/ca.pem # client_cert="/tmp/clients/clientcertpem" # Useless, the certificate is already in the p12 file private_key="/tmp/clients/client.p12" private_key_passwd="xxxxx" }

次のコマンドを実行します：eapol_test -c eapol_test.conf.tls -a 127.0.0.1 -p 1812 -s testing123 -r1