FreeRADIUS reports bad_certificate

During EAP-TLS authentication, the following error may appear (even though verifying the certificate with openssl shows no problem):

rad_recv: Access-Request packet from host 192.168.1.100 port 60774, id=97, length=275
       User-Name = "[email protected]"
       NAS-IP-Address = 192.168.1.100
       NAS-Port = 0
       Called-Station-Id = "00-11-74-D0-39-80:Scott_2.4_08"
       Calling-Station-Id = "3C-A9-F4-74-72-8C"
       Framed-MTU = 1400
       NAS-Port-Type = Wireless-802.11
       Connect-Info = "CONNECT 0Mbps 802.11b"
       EAP-Message = 0x02c000650d005db20b491882d8b2836a3e7367ced892ee79feab01ab063fe93e6c0fa118a3d29d892641140301000101160301003053da9ab27c15fdcf594be064427ba01a8b89b99921da699a19614c042348123d63c9f8bee6f9d3d73033fe169485e35e
       State = 0x7100e50775c0e8bbcfd83df2c247dfbc
       Message-Authenticator = 0x0a8f6ba7555c880f5fd685b040c23f1d
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
[eap] EAP packet type response id 192 length 101
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 03dd], Certificate
--> verify error:num=9:certificate is not yet valid
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert write:fatal:bad certificate
   TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:lib(20):func(137):reason(178)
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Delaying reject of request 67 for 1 seconds
Going to the next request
Waking up in 0.2 seconds.
Cleaning up request 60 ID 90 with timestamp +212
Waking up in 0.7 seconds.
Sending delayed reject for request 67
Sending Access-Reject of id 97 to 192.168.1.100 port 60774
       EAP-Message = 0x04c00004
       Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.3 seconds.


Tracing the openssl part of the code shows that the bad_certificate error is probably caused by the certificate's validity-time check failing (the line "verify error:num=9:certificate is not yet valid" above). In that case, compare the system time of the RADIUS server with the certificate's validity period. It is best to set the system time to a point after the certificate's start time.
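The following is an added example, not code from the original post: it re-applies OpenSSL's validity-period rule with an arbitrary clock, so you can reproduce the "num=9" verdict from the log by feeding it the RADIUS server's clock instead of your workstation's. It reads the text printed by `openssl x509 -noout -dates`; the certificate dates and server clock used below are constructed.

```python
"""Reproduce OpenSSL's certificate validity check against a chosen clock.

The verifier's clock, not the certificate, decides whether the handshake
fails with verify error num=9 (not yet valid) or num=10 (expired). Input is
the output of `openssl x509 -noout -dates`; sample values are constructed.
"""
from datetime import datetime, timezone

# OpenSSL X509_V_ERR_* numbers as they appear in "verify error:num=N".
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9   # the value seen in the log above
X509_V_ERR_CERT_HAS_EXPIRED = 10

_OPENSSL_FMT = "%b %d %H:%M:%S %Y"  # "Jun  1 00:00:00 2016" once " GMT" is dropped


def _parse_openssl_time(value: str) -> datetime:
    """Parse an OpenSSL-printed time such as 'Jun  1 00:00:00 2016 GMT' as UTC."""
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, _OPENSSL_FMT).replace(tzinfo=timezone.utc)


def parse_openssl_dates(dates_output: str) -> tuple:
    """Return (notBefore, notAfter) from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in dates_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            fields[key.strip()] = _parse_openssl_time(value)
    return fields["notBefore"], fields["notAfter"]


def check_cert_dates(dates_output: str, server_clock_iso: str) -> int:
    """Apply the same rule OpenSSL uses, but with the RADIUS server's clock."""
    not_before, not_after = parse_openssl_dates(dates_output)
    now = datetime.fromisoformat(server_clock_iso).astimezone(timezone.utc)
    if now < not_before:
        return X509_V_ERR_CERT_NOT_YET_VALID
    if now > not_after:
        return X509_V_ERR_CERT_HAS_EXPIRED
    return X509_V_OK


if __name__ == "__main__":
    # Constructed sample: client cert issued in 2016, server clock left at
    # 2000-01-01 (typical of a box whose time was never set) -> num=9.
    sample = "notBefore=Jun  1 00:00:00 2016 GMT\nnotAfter=Jun  1 00:00:00 2017 GMT\n"
    print(check_cert_dates(sample, "2000-01-01T00:00:00+00:00"))  # 9
    print(check_cert_dates(sample, "2016-09-01T12:00:00+00:00"))  # 0
```

Run it with the real `openssl x509 -noout -dates -in client.pem` output and the server's `date -u` value; a result of 9 confirms the server clock, not the certificate, is what needs fixing.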
