Community discussions

MikroTik App
 
flameproof
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Tue Sep 01, 2015 3:17 pm

RB client won't accept EAP-TTLS certificate from RADIUS

Sun Jul 23, 2017 1:49 am

Hi all,

I'm stumped by this problem, I have some RB connecting as wireless clients to a RB AP running in EAP mode, against a RADIUS server. I am using signed certificates for a valid domain, so no self-generated ones. No matter what I try, RADIUS ends up throwing up this:
Reply-Message = "EAP TTLS Handshake unsuccessful:  16031: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<10>"
Other devices such as mobile phones work fine. If I disable certificate verification in the RB client's security profile, it also connects OK. I suspect the RB doesn't like the CA signing the certificate, so my main question is, what SSL certificate from which CA do I need to get that will pass Mikrotik's verification?

I cannot install certificates in the clients, so that's a no-no.
 
User avatar
pukkita
Trainer
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: RB client won't accept EAP-TTLS certificate from RADIUS

Sun Jul 23, 2017 12:39 pm

ROS needs the complete CA root chain, or you'll see these issues.

There are online tools that allow to test if the CA root chain is complete, Digicert for example.
I suspect the RB doesn't like the CA signing the certificate, so my main question is, what SSL certificate from which CA do I need to get that will pass Mikrotik's verification?
That's something only you could research, it will depend on your certificate issuer, if the CA root chain is not complete, you'll have to ask the issuer for the complete CA root chain, or dig it for yourself and add all the certs in the intermediate root chain so that is handed over correctly to clients.

Sadly, this is common amongst cheap certificate issuers.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
flameproof
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Tue Sep 01, 2015 3:17 pm

Re: RB client won't accept EAP-TTLS certificate from RADIUS

Sun Jul 23, 2017 5:05 pm

Thanks for your input. I have investigated further, and find that NameCheap issues a bundle composed of:

#1 COMODO RSA Certification Authority (as the root)
#2 COMODO RSA Domain Validation Secure Server CA (issued by #1)

But I have found that #1 is actually issued by AddTrust External CA Root, of which I have found the certificate. I have added the certificates to my Radiator server thus:

NameCheap certificate
COMODO RSA Certification Authority
COMODO RSA Domain Validation Secure Server CA
AddTrust External CA Root

What I can see is that the AddTrust certificate uses SHA1, whereas the NameCheap cert uses SHA256, and the two Comodo certificates SHA384. Now, if I import the AddTrust External CA Root certificate into the RB, the EAP process completes just fine. If I remove it, I get back to the "unknown ca" error. No matter what combination of certificates I use on the RADIUS server, the RB refuses to work.

I have also generated two self-signed certificates, one SHA1 and one SHA2, and the RB happily takes them (installing the CA root in the RB of course), so I know the RADIUS server is capable of supplying the certificates OK.

Totally stumped - it would be good to know what root CAs does Mikrotik trust?
 
flameproof
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Tue Sep 01, 2015 3:17 pm

Re: RB client won't accept EAP-TTLS certificate from RADIUS

Sun Jul 23, 2017 6:25 pm

I have been testing the RADIUS server further using eapol_test (found in wpa_supplicant). The SSL certificate chain sent by RADIUS is now correct:
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
/OU=Domain Control Validated/OU=PositiveSSL/CN=[RADIUS_FQDN]
If I run eapol_test with server certificate validation, I can only get a successful run if I do it against AddTrust External CA Root (saved in a local .crt file). If I try to validate using any of the Comodo certificates, the process fails. So, some conclusions:

1. You were right in that I didn't have the complete chain
2. Once the complete chain is available and confirmed supplied correctly by RADIUS, the RB still refuses to connect (unknown ca)
3. If the AddTrust External CA Root certificate is installed in the RB, the process completes fine.

I'd still like to know how (or if) it's possible to get the RB to accept a server certificate without having to pre-install it (without using skip certificate validation of course!)
 
User avatar
pukkita
Trainer
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: RB client won't accept EAP-TTLS certificate from RADIUS

Mon Jul 24, 2017 11:23 am

3. If the AddTrust External CA Root certificate is installed in the RB, the process completes fine.

I'd still like to know how (or if) it's possible to get the RB to accept a server certificate without having to pre-install it (without using skip certificate validation of course!)
Only ROS limitation is it needs the CA to contain the complete CA chain (on the server).

As you noticed, cheap certs CA's will have a mix of different authorities external to them, and the root chain in the CA they provide you won't be complete.

Solution: install complete CA chain on the server manually, or get the Cert from a non reseller issuer that hands you the complete CA.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
flameproof
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Tue Sep 01, 2015 3:17 pm

Re: RB client won't accept EAP-TTLS certificate from RADIUS

Mon Jul 24, 2017 2:06 pm

Only ROS limitation is it needs the CA to contain the complete CA chain (on the server).
But this is the case - my server is sending the full chain including the root CA that's used for the two intermediates. As they say, the proof is in the pudding, so I've gone out and spent $300 on two SSL certificates issued directly by Thawte, no intermediaries. One is signed by a SHA1 root, the other signed by a SHA256 root. This time there is only one intermediate certificate.

I have tested both certificates on the RADIUS server, and in both cases, the same result: unknown ca. Thus, I think the problem is that either Mikrotik has no built-in root certificates to check against, and thus the root CA MUST be installed, in which case it doesn't make sense to pay for a certificate, OR there is a problem with the validation process inside the RB.

Who is online

Users browsing this forum: RogerWilco, server8 and 37 guests