Bug #11054


Check Client Certificate CN not working as described

Added by Anonymous over 2 years ago. Updated over 1 year ago.

Viktor Gurov
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:


Page: Services / FreeRADIUS
Tab: EAP
Section: EAP-TLS
Option: Check Client Certificate CN

Actual result when enabled:

A user attempting TLS authentication with a certificate signed by the configured CA, and with a common name matching the user-provided identity, passes authentication even if that common name/identity is not a valid user configured under FreeRADIUS / Users. This option only seems to ensure the common name of the client certificate matches the user-provided identity.

Expected result when enabled:

A user attempting TLS authentication does not pass authentication unless the client certificate's common name is equal to the user-provided identity AND is a configured user under FreeRADIUS / Users, as alluded to by the description.

Actions #1

Updated by Viktor Gurov about 2 years ago


> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>> Therefore I'm a bit puzzled that if no matching entry in users
>> is found that the authentication still takes place.

authorize {
        if (notfound || noop) {

Actions #3

Updated by Renato Botelho about 2 years ago

  • Status changed from New to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #4

Updated by Viktor Gurov about 2 years ago

more fixes:
- Fixes SQL backend user existing check;
- Fixes counters issue (`$varsqlconfauthcounters` lines)

(6) exec: Executing: /bin/sh /usr/local/etc/raddb/scripts/ raduser1 daily:
(6) exec: ERROR: Program returned code (99) and output ''
(6) exec: ERROR: Program returned invalid code (greater than max rcode) (99 > 9)

Actions #5

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Pull Request Review
Actions #6

Updated by Renato Botelho about 2 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #7

Updated by Azamat Khakimyanov over 1 year ago

  • Status changed from Feedback to Assigned

Tested on 21.05_2 and on 22.01-DEVELOPMENT (built on Tue Dec 14 06:23:27 UTC 2021)

I can't make EAP-TLS working for EAP-RADIUS Mobile IPsec with Ubuntu as a Client.
1. I created Mobile IPsec with local FreeRadius as an Authentication Server,
2. I create CA and Server and Client Certificates (used
- Server Certificate had Server IP as a CN
- Client Certificate had client username as a CN

3. remote IPsec client was Ubuntu 21.10 with IKE2 module installed
4. whatever I was changing on client I always got
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) EAP Peer says that the final record size will be 157 bytes
(5) eap_tls: (TLS) EAP Got all data (157 bytes)
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(5) eap_tls: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(5) eap_tls: ERROR: (TLS) Alert write:fatal:handshake failure
(5) eap_tls: ERROR: (TLS) Server : Error in error
(5) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(5) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(5) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(5) eap_tls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
in log on FreeRadius Server.
and on Ubuntu
Dec 14 14:17:06 Ubuntu charon-nm: 09[TLS] received TLS cert request for 'CN=NewCA, C=RU, ST=Leningradskaya, L=Saint-Petersburg, O=Netgate, OU=Support TAC
Dec 14 12:22:21 Ubuntu charon-nm: 14[TLS] no TLS peer certificate found for 'newuser', skipping client authentication
Dec 14 12:22:22 Ubuntu charon-nm: 12[ENC] parsed IKE_AUTH response 7 [ EAP/FAIL ]
Dec 14 12:22:22 Ubuntu charon-nm: 12[IKE] received EAP_FAILURE, EAP authentication failed

I was able to initiate IPsec tunnel from Windows 10 by following this guide again:
but there were no difference if I checked on unchecked 'Validate the Client Certificate Common Name' - I was able to connect with any CN. For example there was no vpnuser1 in FreeRadius but I was able to authenticate successfully
(7) Login OK: [vpnuser1/<via Auth-Type = eap>] (from client radius port 12 cli
(7) Sent Access-Accept Id 137 from to length 176
(7) MS-MPPE-Recv-Key = 0x9faff18c5724fe06f84022b8b4238c14a2c8ddeacbff90d03c143d0109c61f26
(7) MS-MPPE-Send-Key = 0xcb63c265dfdb820fb559667f71d3034fa3204f2694cf557ec2bf7ac2cb305494
(7) EAP-Message = 0x03070004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = "vpnuser1"
(7) Framed-MTU += 994
(7) Finished request
but yes, there were user certificate with CN: vpnuser1


Also available in: Atom PDF