我已使用 EAP-TTLS/GTC 配置了 FreeRADIUS,并且我使用的是 Let's Encrypt 颁发的有效证书。该证书对 radius.foo.it 有效,并且我有 cert.pem、chain.pem、fullchain.pem 和 privkey.pem。我已将 FreeRADIUS eap 模块的 tls 部分配置如下:
private_key_file = ${certdir}/privkey.pem
certificate_file = ${certdir}/fullchain.pem
ca_file = ${cadir}/fullchain.pem
auto_chain = no
当我尝试使用较旧的 Android 设备连接到接入点时,没有遇到任何问题,因为它使用系统证书。使用 Linux 并将 CA 颁发机构指定为 Let's Encrypt 根,我也没有遇到任何问题。但是,当使用 iPad 时,系统提示我接受证书(这是正确的证书),但它声称它是不受信任的,尽管 Let's Encrypt 根是受信任的 CA 之一。使用较新版本的 Android,您可以在 3 个选项之间进行选择:不验证、请求证书状态和要求证书状态。前两个选项有效(通过输入 radius.foo.it 作为域),但出于安全原因,我希望第三个选项也能有效。但是,我收到此错误:
(13) eap: Peer sent EAP Response (code 2) ID 5 length 13
(13) eap: Continuing tunnel setup
(13) [eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/freeradius/sites-enabled/default
(13) authenticate {
(13) eap: Expiring EAP session with state 0xf0bbd072f4bec5d6
(13) eap: Finished EAP session with state 0xf0bbd072f4bec5d6
(13) eap: Previous EAP request found for state 0xf0bbd072f4bec5d6, released from the list
(13) eap: Peer sent packet with method EAP TTLS (21)
(13) eap: Calling submodule eap_ttls to process data
(13) eap_ttls: Authenticate
(13) eap_ttls: (TLS) EAP Done initial handshake
(13) eap_ttls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(13) eap_ttls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
(13) eap_ttls: ERROR: (TLS) Alert read:fatal:internal error
(13) eap_ttls: (TLS) Server : Need to read more data: error
(13) eap_ttls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000438:SSL routines::tlsv1 alert internal error
(13) eap_ttls: (TLS) In Handshake Phase
(13) eap_ttls: (TLS) Application data.
(13) eap_ttls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(13) eap_ttls: ERROR: [eaptls process] = fail
(13) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(13) eap: Sending EAP Failure (code 4) ID 5 length 4
配置肯定有问题,但说实话,我不知道是什么问题。有什么建议吗?
先感谢您。
PS 我 100%确定该证书有效,可以使用 openssl verify 或通过使用 Apache 创建带有 HTTPS 的虚拟主机来验证。