EAP-TLS for Remote Users

TuncayBAS · ‎09-02-2024

Hi,

It is trying to do certified EAP-TLS for remote users on ldap.

I created a Fortiauthenticator local ca as CA.
While there is no problem with local users, it gives an error with remote ldap users.

On the Create New User Certificate screen, I used the remote user name as Name (CN).

I imported the CA and user certificate to the PC, but it did not work.

The same process works with local users.

What could be the reason?

2024-09-02T12:08:04.633327+03:00 fac radiusd[16808]: (144) authorize {
2024-09-02T12:08:04.633338+03:00 fac radiusd[16808]: (144) [preprocess] = ok
2024-09-02T12:08:04.633345+03:00 fac radiusd[16808]: (144) [chap] = noop
2024-09-02T12:08:04.633350+03:00 fac radiusd[16808]: (144) [mschap] = noop
2024-09-02T12:08:04.633356+03:00 fac radiusd[16808]: (144) [digest] = noop
2024-09-02T12:08:04.633363+03:00 fac radiusd[16808]: (144) eap: Peer sent EAP Response (code 2) ID 204 length 17
2024-09-02T12:08:04.633368+03:00 fac radiusd[16808]: (144) eap: No EAP Start, assuming it's an on-going EAP conversation
2024-09-02T12:08:04.633376+03:00 fac radiusd[16808]: (144) [eap] = updated
2024-09-02T12:08:04.633382+03:00 fac radiusd[16808]: (144) [expiration] = noop
2024-09-02T12:08:04.633387+03:00 fac radiusd[16808]: (144) [logintime] = noop
2024-09-02T12:08:04.633410+03:00 fac radiusd[16808]: (144) facauth: facauth: recv Access-Request from 192.168.100.61 port 1314, id=123, length=311
2024-09-02T12:08:04.633415+03:00 fac radiusd[16808]: User-Name = "user.01"
2024-09-02T12:08:04.633420+03:00 fac radiusd[16808]: NAS-IP-Address = 0.0.0.0
2024-09-02T12:08:04.633425+03:00 fac radiusd[16808]: NAS-Identifier = "172.16.17.12/5246-eap.tls"
2024-09-02T12:08:04.633430+03:00 fac radiusd[16808]: Called-Station-Id = "04-D5-90-A5-BE-60:eap.tls"
2024-09-02T12:08:04.633434+03:00 fac radiusd[16808]: NAS-Port-Type = Wireless-802.11
2024-09-02T12:08:04.633440+03:00 fac radiusd[16808]: Service-Type = Framed-User
2024-09-02T12:08:04.633444+03:00 fac radiusd[16808]: NAS-Port = 1
2024-09-02T12:08:04.633448+03:00 fac radiusd[16808]: Fortinet-SSID = "eap.tls"
2024-09-02T12:08:04.633453+03:00 fac radiusd[16808]: Fortinet-AP-Name = "FP221E551XXXXXXXX"
2024-09-02T12:08:04.633457+03:00 fac radiusd[16808]: Calling-Station-Id = "34-02-86-01-CC-41"
2024-09-02T12:08:04.633462+03:00 fac radiusd[16808]: Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11N_2G"
2024-09-02T12:08:04.633467+03:00 fac radiusd[16808]: Acct-Session-Id = "66B4C822000001F4"
2024-09-02T12:08:04.633472+03:00 fac radiusd[16808]: Acct-Multi-Session-Id = "B4BC8EAFDC86E8B0"
2024-09-02T12:08:04.633476+03:00 fac radiusd[16808]: WLAN-Pairwise-Cipher = 1027076
2024-09-02T12:08:04.633481+03:00 fac radiusd[16808]: WLAN-Group-Cipher = 1027076
2024-09-02T12:08:04.633485+03:00 fac radiusd[16808]: WLAN-AKM-Suite = 1027073
2024-09-02T12:08:04.633490+03:00 fac radiusd[16808]: Framed-MTU = 1400
2024-09-02T12:08:04.633494+03:00 fac radiusd[16808]: EAP-Message = 0x02cc00110d800000000715030300020230
2024-09-02T12:08:04.633499+03:00 fac radiusd[16808]: State = 0x26acbcf02560b12454c568aaaa751fd4
2024-09-02T12:08:04.633503+03:00 fac radiusd[16808]: Message-Authenticator = 0x92a72f9721cd8520a6239d5a949ae32b
2024-09-02T12:08:04.633509+03:00 fac radiusd[16808]: Event-Timestamp = "Sep 2 2024 12:08:04 EAT"
2024-09-02T12:08:04.633515+03:00 fac radiusd[16808]: EAP-Type = TLS
2024-09-02T12:08:04.633519+03:00 fac radiusd[16808]: (144) facauth: ===>NAS IP:192.168.100.61
2024-09-02T12:08:04.633525+03:00 fac radiusd[16808]: (144) facauth: ===>Username:user.01
2024-09-02T12:08:04.633532+03:00 fac radiusd[16808]: (144) facauth: ===>Timestamp:1725268084.632969, age:0ms
2024-09-02T12:08:04.633549+03:00 fac radiusd[16808]: (144) facauth: Comparing client IP 192.168.100.61 with authclient education.vlan.clients (192.168.77.0/24, 256 IPs)
2024-09-02T12:08:04.633559+03:00 fac radiusd[16808]: (144) facauth: Comparing client IP 192.168.100.61 with authclient rzk.wifi (192.168.66.0/24, 256 IPs)
2024-09-02T12:08:04.633564+03:00 fac radiusd[16808]: (144) facauth: Comparing client IP 192.168.100.61 with authclient server.vlan.clients (192.168.200.0/24, 256 IPs)
2024-09-02T12:08:04.633569+03:00 fac radiusd[16808]: (144) facauth: Comparing client IP 192.168.100.61 with authclient mgmt.vlan.clients (192.168.100.0/24, 256 IPs)
2024-09-02T12:08:04.633574+03:00 fac radiusd[16808]: (144) facauth: ------> matched!
2024-09-02T12:08:04.633579+03:00 fac radiusd[16808]: (144) facauth: Found authclient from preloaded authclients list for 192.168.100.61: mgmt.vlan.clients (192.168.100.0/24)
2024-09-02T12:08:04.633584+03:00 fac radiusd[16808]: (144) facauth: authclient_id:9 auth_type:'eap-tls'
2024-09-02T12:08:04.634314+03:00 fac radiusd[16808]: (144) facauth: Checking 192.168.100.0/24 (eap.tls.policy): vendor 12356, attr 7 --> "eap.tls" (allow substring match)
2024-09-02T12:08:04.634330+03:00 fac radiusd[16808]: (144) facauth: Found vendor 12356, attr 7 --> "eap.tls"
2024-09-02T12:08:04.634335+03:00 fac radiusd[16808]: (144) facauth: Found authpolicy 'eap.tls.policy' for client '192.168.100.0/24'
2024-09-02T12:08:04.634346+03:00 fac radiusd[16808]: (144) facauth: Client type: external (subtype: radius)
2024-09-02T12:08:04.634353+03:00 fac radiusd[16808]: (144) facauth: Input raw_username: user.01 Realm: (null) username: user.01
2024-09-02T12:08:04.634357+03:00 fac radiusd[16808]: (144) facauth: Searching default realm as well
2024-09-02T12:08:04.634363+03:00 fac radiusd[16808]: (144) facauth: Realm not specified, default goes to remote LDAP, id: 1
2024-09-02T12:08:04.634368+03:00 fac radiusd[16808]: (144) facauth: FAC local user overrides, try searching local user first
2024-09-02T12:08:04.634751+03:00 fac radiusd[16808]: (144) facauth: Cannot find local user user.01
2024-09-02T12:08:04.634764+03:00 fac radiusd[16808]: (144) facauth: Local user not found, try searching remote user
2024-09-02T12:08:04.634771+03:00 fac radiusd[16808]: (144) facauth: Loaded remote ldap (regular bind) 192.168.77.100:636
2024-09-02T12:08:04.635074+03:00 fac radiusd[16808]: (144) facauth: skip ldap user search
2024-09-02T12:08:04.635087+03:00 fac radiusd[16808]: (144) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-09-02T12:08:04.635093+03:00 fac radiusd[16808]: (144) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-09-02T12:08:04.635098+03:00 fac radiusd[16808]: (144) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-09-02T12:08:04.635110+03:00 fac radiusd[16808]: (144) [facauth] = noop
2024-09-02T12:08:04.635117+03:00 fac radiusd[16808]: (144) [pap] = noop
2024-09-02T12:08:04.635122+03:00 fac radiusd[16808]: (144) } # authorize = updated
2024-09-02T12:08:04.635128+03:00 fac radiusd[16808]: (144) Found Auth-Type = eap
2024-09-02T12:08:04.635139+03:00 fac radiusd[16808]: (144) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-09-02T12:08:04.635143+03:00 fac radiusd[16808]: (144) authenticate {
2024-09-02T12:08:04.635152+03:00 fac radiusd[16808]: (144) eap: Expiring EAP session with state 0x26acbcf02560b124
2024-09-02T12:08:04.635158+03:00 fac radiusd[16808]: (144) eap: Finished EAP session with state 0x26acbcf02560b124
2024-09-02T12:08:04.635164+03:00 fac radiusd[16808]: (144) eap: Previous EAP request found for state 0x26acbcf02560b124, released from the list
2024-09-02T12:08:04.635172+03:00 fac radiusd[16808]: (144) eap: Peer sent packet with method EAP TLS (13)
2024-09-02T12:08:04.635177+03:00 fac radiusd[16808]: (144) eap: Calling submodule eap_tls to process data
2024-09-02T12:08:04.635184+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) EAP Peer says that the final record size will be 7 bytes
2024-09-02T12:08:04.635188+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) EAP Got all data (7 bytes)
2024-09-02T12:08:04.635204+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) recv TLS 1.2 Alert, fatal unknown_ca
2024-09-02T12:08:04.635214+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate. Please update the client so that it knows about the CA.
2024-09-02T12:08:04.635220+03:00 fac radiusd[16808]: (144) eap_tls: ERROR: (TLS) Alert read:fatal:unknown CA
2024-09-02T12:08:04.635231+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) Server : Need to read more data: error
2024-09-02T12:08:04.635242+03:00 fac radiusd[16808]: (144) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2024-09-02T12:08:04.635254+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) In Handshake Phase
2024-09-02T12:08:04.635258+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) Application data.
2024-09-02T12:08:04.635263+03:00 fac radiusd[16808]: (144) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
2024-09-02T12:08:04.635269+03:00 fac radiusd[16808]: (144) eap_tls: ERROR: [eaptls process] = fail
2024-09-02T12:08:04.635277+03:00 fac radiusd[16808]: (144) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
2024-09-02T12:08:04.635285+03:00 fac radiusd[16808]: (144) eap: Sending EAP Failure (code 4) ID 204 length 4
2024-09-02T12:08:04.635308+03:00 fac radiusd[16808]: (144) eap: Failed in EAP select
2024-09-02T12:08:04.635318+03:00 fac radiusd[16808]: (144) [eap] = invalid
2024-09-02T12:08:04.635323+03:00 fac radiusd[16808]: (144) } # authenticate = invalid
2024-09-02T12:08:04.635328+03:00 fac radiusd[16808]: (144) Failed to authenticate the user

Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS

Therejorty · ‎09-02-2024

I'm not entirely sure what's causing this error either. From what I remember, the problem might be related to the LDAP configuration or how the remote user's certificate is being handled.

EAP-TLS for Remote Users

Nominate a Forum Post for Knowledge Article Creation