[RADIATOR] PEAP authentication errors

Heikki Vatiainen hvn at open.com.au
Wed Jan 29 07:02:13 CST 2014


On 01/29/2014 01:53 AM, Jeff Lee wrote:

> I'm having issues with authenticating PEAP requests, and I'm not sure
> what is the issue.
> Could someone shed some light… ?

A problem with verify_locations might be caused by a missing CA certificate.
Have you checked if
EAPTLS_CAFile %D/certificates/AddTrustExternalCARoot.pem

really exists? Also, is the error message below complete? When I try
with a missing certificate, there are additional lines like below:

Wed Jan 29 14:54:42 2014: ERR: TLS could not load_verify_locations ./certificates/demoCA/cacert.pem, :  4707: 1 - error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
 4707: 2 - error:25070067:DSO support routines:DSO_load:could not load the shared library
 4707: 3 - error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
 4707: 4 - error:2606A074:engine routines:ENGINE_by_id:no such engine
 4707: 5 - error:02001002:system library:fopen:No such file or directory
 4707: 6 - error:2006D080:BIO routines:BIO_new_file:no such file
 4707: 7 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Also note that the name of the missing file is shown after
load_verify_locations, but that might be caused by different OpenSSL and
Net-SSLeay versions.

I would first check if the CA cert exists and is readable.

Thanks,
Heikki

> Mon Jan 27 22:30:05 2014: ERR: TLS could not load_verify_locations , :  10884: 1 - error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
> 10884: 2 - error:25070067:DSO support routines:DSO_load:could not load the shared library
> 10884: 3 - error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
> 10884: 4 - error:2606A074:engine routines:ENGINE_by_id:no such engine
> 
> 
> * * * * * *
> Below is the handler config, which I've placed at the end of the
> handler list, which means this is almost the last bit of the config
> file (radius.cfg).
> 
> 
> # ------------------------------------------------------------------------------------------
> # This is where the PEAP inner request appears
> # The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> # With the EAP_PEAP_MSCHAP_Convert flag set, the EAP-MSCHAPV2 request is converted
> # into conventional Radius-MSCHAPV2 and redespatched to the <Handler ConvertedFromEAPMSCHAPV2=1>
> # above.
> <Handler TunnelledByPEAP=1>
>     <AuthBy FILE>
>         # Don't really need this
> #        Filename %D/users
> 
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
> 
>         # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>         # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
>         # that matches ConvertedFromEAPMSCHAPV2=1 (see above)
>         EAP_PEAP_MSCHAP_Convert 1
>     </AuthBy>
> </Handler>
> 
> 
> # ------------------------------------------------------------------------------------------
> # Processes all 'outer' EAP requests - skips non-EAP requests leaving to next <Handler>
> <Handler EAP-Message=/.+/>
>     <AuthBy FILE>
>         Filename %D/users
>         EAPType TTLS
>         #EAPType TTLS, PEAP
>         EAPTLS_CAFile %D/certificates/AddTrustExternalCARoot.pem
>         EAPTLS_CertificateFile %D/certificates/my-cert.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/my-cert.key.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         EAPTLS_PEAPVersion 0
>     </AuthBy>
> </Handler>
> 
> regards,
> Jeff
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
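The file check Heikki recommends, as an added example rather than code from the list post or from Radiator: it reads the EAPTLS_* file parameters out of a radius.cfg, expands %D to a directory you pass in (assumed to be Radiator's DbDir), and reports which files are missing or unreadable, then optionally runs openssl verify on the server cert against the CA file. The function names and the constructed demo config are ours.

```shell
# Added example, not code from the list post or from Radiator: before chasing
# OpenSSL's "could not load_verify_locations" chain, confirm every EAPTLS_*
# file named in radius.cfg exists and is readable. Assumes %D expands to the
# directory passed as $2 (Radiator's DbDir); the function names are ours.

# check_eaptls_files CONFIG DBDIR
# Prints "<status> <parameter> <path>" for each file parameter and returns 1
# if any file is missing or unreadable. Run it as the user radiusd runs as.
check_eaptls_files() {
    cfg=$1; dbdir=$2
    report=$(grep -E '^[[:space:]]*EAPTLS_(CAFile|CertificateFile|PrivateKeyFile)[[:space:]]' "$cfg" |
        while read -r param value; do
            path=$(printf '%s' "$value" | sed "s|%D|$dbdir|g")   # expand %D
            if   [ ! -e "$path" ]; then status=MISSING
            elif [ ! -r "$path" ]; then status=UNREADABLE
            else                        status=ok
            fi
            printf '%s %s %s\n' "$status" "$param" "$path"
        done)
    printf '%s\n' "$report"
    # Succeed only when no line reports a problem.
    ! printf '%s\n' "$report" | grep -Eq '^(MISSING|UNREADABLE) '
}

# verify_chain CAFILE CERTFILE: once the files load, confirm the server cert
# really chains to that CA, as PEAP supplicants will validate exactly that.
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# make_demo_config DIR: constructed reproduction of the post's symptom, with
# cert and key present but the CA file absent (file contents are placeholders).
make_demo_config() {
    mkdir -p "$1/certificates"
    printf 'placeholder\n' > "$1/certificates/my-cert.pem"
    printf 'placeholder\n' > "$1/certificates/my-cert.key.pem"
    cat > "$1/radius.cfg" <<'EOF'
<Handler EAP-Message=/.+/>
    <AuthBy FILE>
        EAPTLS_CAFile %D/certificates/AddTrustExternalCARoot.pem
        EAPTLS_CertificateFile %D/certificates/my-cert.pem
        EAPTLS_PrivateKeyFile %D/certificates/my-cert.key.pem
    </AuthBy>
</Handler>
EOF
}

# Demo: prints MISSING for the CA file, so the check fails.
d=$(mktemp -d); make_demo_config "$d"
check_eaptls_files "$d/radius.cfg" "$d" || echo "-> fix the MISSING/UNREADABLE paths first"
```

Point it at the real radius.cfg and DbDir, running as the radiusd user, and fix every MISSING or UNREADABLE line before looking further into the OpenSSL error chain.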

