(RADIATOR) PEAP

Boontje, R. R.Boontje at uva.nl
Tue Dec 17 09:43:56 CST 2002



I have some problems setting up the 802.1x/PEAP model with radiator.

Basically radiator is complaining:

Tue Dec 17 15:40:31 2002: ERR: TLS could not use_PrivateKey_file /usr/share/doc/Radiator-3.5/goodies/cert-srv.pem, 1:  18314: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line

1) What happens?

I have a few additional questions:

2) Apart from the server private key and certificate, ../goodies/mkcertificate.sh makes
a client private key and certificate as well. Why? (Is that actually for EAP-TLS only?)

3) The "second part" of the mkcertificate.sh asks for a challenge password:

	A challenge password [17challenge]:xs2peap

I assume that password should be the same as the one configured in eap_peap.cfg:

	EAPTLS_PrivateKeyPassword xs2peap

Is that correct?

4) The script mkcertificate.sh asks several times for a Common Name.
   Can I choose a random name here, or does this field relate to other
   configuration parameters as well?

Thanks in advance for any help.

Configuration
-------------

Radiator 3.5 on Linux/RedHat
	- configuration file based upon ../goodies/eap-peap.cfg
	- server certificate produced with ../goodies/mkcertificate.sh

CISCO Access-point 11.23T
CISCO wireless client adapter on WindowsXP
	- Configured the adapter via WindowsXP
		PEAP (authentication method: Secured password (EAP-MSCHAP-v2))


Radiator logs:
-------------
sh start-radiator
Tue Dec 17 15:40:18 2002: DEBUG: Reading users file /usr/share/doc/Radiator-3.5/users
Tue Dec 17 15:40:18 2002: DEBUG: Reading users file /usr/share/doc/Radiator-3.5/users
Tue Dec 17 15:40:18 2002: DEBUG: Finished reading configuration file '/usr/share/doc/Radiator-3.5/goodies/uva-peap.cfg'
Tue Dec 17 15:40:18 2002: DEBUG: Reading dictionary file '/usr/share/doc/Radiator-3.5/dictionary'
Tue Dec 17 15:40:18 2002: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Dec 17 15:40:18 2002: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Dec 17 15:40:18 2002: INFO: Server started: Radiator 3.5 on bombur.ic.uva.nl
Tue Dec 17 15:40:31 2002: DEBUG: Packet dump:
*** Received from 145.18.146.82 port 1796 ....

Packet length = 142
Code:       Access-Request
Identifier: 206
Authentic:  <198><222>`<191>x=<235><190>2<226><170><21>r<175><155><13>
Attributes:
        User-Name = "ronald"
        cisco-avpair = "ssid=xs2tst"
        NAS-IP-Address = 145.18.146.82
        Called-Station-Id = "0040965b4199"
        Calling-Station-Id = "000b46ebd524"
        NAS-Identifier = "wclient-82"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = 19
        EAP-Message = <2><0><0><11><1>ronald
        Message-Authenticator = <238><181><136><205><147><30>;D<171><128><154><24><236>Lg<149>

Tue Dec 17 15:40:31 2002: DEBUG: Handling request with Handler ''
Tue Dec 17 15:40:31 2002: DEBUG:  Deleting session for ronald, 145.18.146.82, 37
Tue Dec 17 15:40:31 2002: DEBUG: Handling with Radius::AuthFILE:
Tue Dec 17 15:40:31 2002: DEBUG: Handling with EAP: code 2, 0, 11
Tue Dec 17 15:40:31 2002: DEBUG: Response type 1
Tue Dec 17 15:40:31 2002: ERR: TLS could not use_PrivateKey_file /usr/share/doc/Radiator-3.5/goodies/cert-srv.pem, 1:  18314: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line
 18314: 2 - error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt
 18314: 3 - error:0906A065:PEM routines:PEM_do_header:bad decrypt
 18314: 4 - error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

Tue Dec 17 15:40:31 2002: INFO: Access rejected for ronald: EAP TLS Could not initialise context
Tue Dec 17 15:40:31 2002: DEBUG: Packet dump:
*** Sending to 145.18.146.82 port 1796 ....

Packet length = 36
03 ce 00 24 0e f4 90 fc 1e 80 5a 4c 84 9f c9 ac
9f 0f e5 6d 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 206
Authentic:  <198><222>`<191>x=<235><190>2<226><170><21>r<175><155><13>
Attributes:
        Reply-Message = "Request Denied"


Capture of mkcertificate.sh dialogue:
-------------------------------------

/usr/share/doc/Radiator-3.5/goodies/mkcertificate.sh
*********************************************************************************
Creating self-signed private key and certificate
When prompted override the default value for the Common Name field
*********************************************************************************

Generating a 1024 bit RSA private key
....................++++++
.......................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [Amsterdam]:
Organization Name (eg, company) [UvA]:
Organizational Unit Name (eg, section) [IC/Datel]:
Common Name (eg, YOUR name) []:RB
Email Address []:r.boontje at uva.nl
*********************************************************************************
Creating a new CA hierarchy (used later by the ca command) with the certificate echo and private key created in the last step
*********************************************************************************

*********************************************************************************
Creating ROOT CA
*********************************************************************************

MAC verified OK
*********************************************************************************
Creating client private key and certificate
When prompted enter the client name in the Common Name field. This is the same
 used as the Username in FreeRADIUS
*********************************************************************************

Generating a 1024 bit RSA private key
......++++++
.....++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [Amsterdam]:
Organization Name (eg, company) [UvA]:
Organizational Unit Name (eg, section) [IC/Datel]:
Common Name (eg, YOUR name) []:RB
Email Address []:r.boontje at uva.nl

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [17challenge]:xs2peap
An optional company name []:UvA
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 16 17:01:56 2002 GMT
            Not After : Dec 16 17:01:56 2003 GMT
        Subject:
            countryName               = NL
            stateOrProvinceName       = NH
            localityName              = Amsterdam
            organizationName          = UvA
            organizationalUnitName    = IC/Datel
            commonName                = RB
            emailAddress              = r.boontje at uva.nl
        X509v3 extensions:
            X509v3 Extended Key Usage:
            TLS Web Client Authentication
Certificate is to be certified until Dec 16 17:01:56 2003 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
MAC verified OK
*********************************************************************************
Creating server private key and certificate
When prompted enter the server name in the Common Name field.
*********************************************************************************

Generating a 1024 bit RSA private key
...........++++++
...................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [Amsterdam]:
Organization Name (eg, company) [UvA]:
Organizational Unit Name (eg, section) [IC/Datel]:
Common Name (eg, YOUR name) []:bombur
Email Address []:r.boontje at uva.nl

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [17challenge]:xs2peap
An optional company name []:UvA
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Dec 16 17:02:21 2002 GMT
            Not After : Dec 16 17:02:21 2003 GMT
        Subject:
            countryName               = NL
            stateOrProvinceName       = NH
            localityName              = Amsterdam
            organizationName          = UvA
            organizationalUnitName    = IC/Datel
            commonName                = bombur
            emailAddress              = r.boontje at uva.nl
        X509v3 extensions:
            X509v3 Extended Key Usage:
            TLS Web Server Authentication
Certificate is to be certified until Dec 16 17:02:21 2003 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
MAC verified OK

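Added here as an illustration, not code from the original post or from Radiator: a small Python check that reads a PEM file such as the cert-srv.pem named in the log and reports whether it contains a private-key block and whether that block is passphrase-encrypted. That distinction is what separates the two OpenSSL errors in the log: "no start line" means no usable PEM block was found, while "bad decrypt" means the key block was found but the passphrase given as EAPTLS_PrivateKeyPassword did not unlock it. The file contents below are constructed placeholders, not real key material.

```python
import re

# Constructed sample modelled on the layout of a Radiator cert-srv.pem:
# a passphrase-encrypted PKCS#1 key followed by a certificate. The body
# lines are placeholders, not real key or certificate bytes.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
BLOCK_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", re.S)


def inspect_pem(text):
    """Return one dict per PEM block: its label, whether it carries the legacy
    'Proc-Type: 4,ENCRYPTED' header, and the DEK-Info cipher name if any."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        headers = {}
        for line in body.splitlines():
            if ":" not in line:          # headers end at the first blank/base64 line
                break
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
        blocks.append({
            "type": label,
            "encrypted": headers.get("Proc-Type", "").endswith("ENCRYPTED"),
            "cipher": headers.get("DEK-Info", "").split(",")[0] or None,
        })
    return blocks


def diagnose(text):
    """Map the file's contents to the OpenSSL error seen in the Radiator log."""
    keys = [b for b in inspect_pem(text) if b["type"].endswith("PRIVATE KEY")]
    if not keys:
        return "no private key block: expect 'PEM_read_bio:no start line'"
    key = keys[0]
    if key["encrypted"]:
        return (f"{key['type']} encrypted with {key['cipher']}: a wrong "
                "EAPTLS_PrivateKeyPassword gives 'EVP_DecryptFinal:bad decrypt'")
    return f"{key['type']} is unencrypted: no passphrase is needed to load it"
```

To test the real file and passphrase, `openssl rsa -in cert-srv.pem -noout -passin pass:<the configured password>` exits non-zero on a wrong passphrase.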
===
Archive at http://www.open.com.au/archives/radiator/