(RADIATOR) TLS could not use_PrivateKey_file

Francisco Contreiras fc at b52.ist.utl.pt
Fri Jun 27 10:55:42 CDT 2003


I generated the certificates with mkcertificates.sh and everything went OK. But now when I make a PEAP request I get this error: TLS could not use_PrivateKey_file.
 
Another question: should the challenge password that MKCERTIFICATE asks for be the same as the one configured in eap_peap.cfg as EAPTLS_PrivateKeyPassword?

############ Log File ##################################
[root at cuco Radiator-Demo-3.6]# perl radiusd -foreground -log_stdout -trace 4 -config_file /etc/radius/radius.cfg
Fri Jun 27 17:30:08 2003: DEBUG: Reading users file /etc/radius/users
Fri Jun 27 17:30:08 2003: DEBUG: Reading users file /etc/radius/users
Fri Jun 27 17:30:08 2003: DEBUG: Reading users file /etc/radius/users
Fri Jun 27 17:30:08 2003: DEBUG: Finished reading configuration file '/etc/radius/radius.cfg'
This Radiator license will expire on 2003-10-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see 
http://www.open.com.au/ordering.html
To extend your evaluation period, contact admin at open.com.au
Fri Jun 27 17:30:08 2003: DEBUG: Reading dictionary file '/etc/radius/dictionary'
Fri Jun 27 17:30:09 2003: DEBUG: Reading dictionary file '/etc/radius/dictionary.ascend'
Fri Jun 27 17:30:10 2003: DEBUG: Creating authentication port 0.0.0.0:1812
Fri Jun 27 17:30:10 2003: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Jun 27 17:30:10 2003: NOTICE: Server started: Radiator 3.6 on cuco.lx.it.pt (EVALUATION)
Fri Jun 27 17:31:29 2003: DEBUG: Packet dump:
*** Received from 192.168.0.253 port 1645 ....
Code:       Access-Request
Identifier: 56
Authentic:  k<154><6>xR"<254><216><224><255>t'<198><210>QN
Attributes:
        User-Name = "test1 at pt"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.9173"
        Calling-Station-Id = "000b.fd60.56c9"
        Message-Authenticator = <200><162>S<29><151><<210><237><194><181><29>,<161>?<231>#
        EAP-Message = <2><2><0><13><1>test1 at pt
        NAS-Port-Type = Virtual
        NAS-Port = 448
        NAS-IP-Address = 192.168.0.253
        NAS-Identifier = "ap"
Fri Jun 27 17:31:29 2003: DEBUG: Handling request with Handler 'Realm = pt'
Fri Jun 27 17:31:29 2003: DEBUG:  Deleting session for test1 at pt, 192.168.0.253, 448
Fri Jun 27 17:31:29 2003: DEBUG: Handling with Radius::AuthFILE: 
Fri Jun 27 17:31:29 2003: DEBUG: Handling with EAP: code 2, 2, 13
Fri Jun 27 17:31:29 2003: DEBUG: Response type 1
Fri Jun 27 17:31:30 2003: ERR: TLS could not use_PrivateKey_file /etc/radius/demoCA/cert-srv.pem, 1:  840: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line
 840: 2 - error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt
 840: 3 - error:0906A065:PEM routines:PEM_do_header:bad decrypt
 840: 4 - error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Fri Jun 27 17:31:30 2003: INFO: Access rejected for test1 at pt: EAP TLS Could not initialise context
Fri Jun 27 17:31:30 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.253 port 1645 ....
Code:       Access-Reject
Identifier: 56
Authentic:  k<154><6>xR"<254><216><224><255>t'<198><210>QN
Attributes:
        Reply-Message = "Request Denied"
Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
*** Received from 192.168.0.253 port 1645 ....
Code:       Access-Request
Identifier: 57
Authentic:  <179><168><222><253><247><232><217><252><171><177><184><202><29>(<217><12>
Attributes:
        User-Name = "test1 at pt"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.9173"
        Calling-Station-Id = "000b.fd60.56c9"
        Message-Authenticator = <172><242>@<213><18><149><135><237><174><172><213>4<206><145><234><171>
        EAP-Message = <2><1><0><13><1>test1 at pt
        NAS-Port-Type = Virtual
        NAS-Port = 449
        NAS-IP-Address = 192.168.0.253
        NAS-Identifier = "ap"
Fri Jun 27 17:31:36 2003: DEBUG: Handling request with Handler 'Realm = pt'
Fri Jun 27 17:31:36 2003: DEBUG:  Deleting session for test1 at pt, 192.168.0.253, 449
Fri Jun 27 17:31:36 2003: DEBUG: Handling with Radius::AuthFILE: 
Fri Jun 27 17:31:36 2003: DEBUG: Handling with EAP: code 2, 1, 13
Fri Jun 27 17:31:36 2003: DEBUG: Response type 1
Fri Jun 27 17:31:36 2003: DEBUG: Access challenged for test1 at pt: EAP PEAP Challenge
Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.253 port 1645 ....
Code:       Access-Challenge
Identifier: 57
Authentic:  <179><168><222><253><247><232><217><252><171><177><184><202><29>(<217><12>
Attributes:
        EAP-Message = <1><2><0><6><25>!
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
*** Received from 192.168.0.253 port 1645 ....
Code:       Access-Request
Identifier: 58
Authentic:  FH<241> <223>Q<185><197><5><29><232><206><226>I$<150>
Attributes:
        User-Name = "test1 at pt"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.9173"
        Calling-Station-Id = "000b.fd60.56c9"
        Message-Authenticator = N^<239><17>m<6>u<243><29>><188><154>S<163>P<148>
        EAP-Message = <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>><252>cg<166><11><201><241><198>gv["<155><136>|<248><155><7><185><27><211>dr<206>@s<225>\(<224>Q<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
        NAS-Port-Type = Virtual
        NAS-Port = 449
        NAS-IP-Address = 192.168.0.253
        NAS-Identifier = "ap"
Fri Jun 27 17:31:36 2003: DEBUG: Handling request with Handler 'Realm = pt'
Fri Jun 27 17:31:36 2003: DEBUG:  Deleting session for test1 at pt, 192.168.0.253, 449
Fri Jun 27 17:31:36 2003: DEBUG: Handling with Radius::AuthFILE: 
Fri Jun 27 17:31:36 2003: DEBUG: Handling with EAP: code 2, 2, 80
Fri Jun 27 17:31:36 2003: DEBUG: Response type 25
Fri Jun 27 17:31:36 2003: DEBUG: EAP TLS SSL_accept result: -1, 1, 8466
Fri Jun 27 17:31:36 2003: ERR: EAP TLS error: -1, 1, 8466,  840: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Fri Jun 27 17:31:36 2003: INFO: Access rejected for test1 at pt: EAP PEAP TLS error
Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.253 port 1645 ....
Code:       Access-Reject
Identifier: 58
Authentic:  FH<241> <223>Q<185><197><5><29><232><206><226>I$<150>
Attributes:
        EAP-Message = <4><2><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"
##########################
 
########### CFG FILE ########################
AuthPort                1812
AcctPort                1813
LogDir                  /var/log/radius
DbDir                   /etc/radius
DictionaryFile          %D/dictionary,%D/dictionary.ascend
PidFile                 /var/run/radiusd.pid
Trace                   4   

<Client 192.168.254>
        Secret xpto
</Client>
# "Internal" requests, coming from a PEAP tunnel
<Handler TunnelledByPEAP=1> 
        <AuthBy FILE>
                Filename /etc/radius/users
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>
# Internal requests sent through a TTLS tunnel
<Handler TunnelledByTTLS=1> 
        <AuthBy FILE>
                Filename /etc/radius/users
                EAPType PAP
                # TLS requires the config below
                EAPTLS_CAFile /etc/radius/demoCA/cacert.pem
                EAPTLS_CertificateFile /etc/radius/demoCA/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radius/demoCA/cert-srv.pem
                EAPTLS_PrivateKeyPassword xpto
        </AuthBy>
</Handler>
<Handler Realm = pt>
        <AuthBy FILE>
                Filename                        /etc/radius/users
                # For now allows PEAP, TTLS
                # add other EAP variants here
                EAPType                         PEAP, TTLS
                # If TLS is used:
                # certificates are generated with the radiator script
                # mkcertificate.sh, in goodies/
                EAPTLS_CAFile /etc/radius/demoCA/cacert.pem
                EAPTLS_CertificateFile /etc/radius/demoCA/cert-srv.pem
                EAPTLS_CertificateType          PEM
                EAPTLS_PrivateKeyFile /etc/radius/demoCA/cert-srv.pem
                EAPTLS_PrivateKeyPassword       xpto
                EAPTLS_MaxFragmentSize          1024
                AutoMPPEKeys
                SSLeayTrace                     4
        </AuthBy>
</Handler>
######################
 
Please help,
 
Thank you in advance.
 
Francisco Contreiras
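An added check, not part of the original post or of Radiator, for the two OpenSSL errors quoted in the log above: it parses a PEM file with the standard library only, reports whether the file holds a PRIVATE KEY block at all (a certificate-only file is what makes PEM_read_bio report "no start line") and whether that key carries the legacy Proc-Type/DEK-Info encryption headers, in which case EAPTLS_PrivateKeyPassword has to be the pass phrase the key was written with, or loading fails with "bad decrypt". The PEM bodies and the function names are constructed for this example.

```python
import re

# Legacy OpenSSL PEM: when a key is pass-phrase protected, RFC 1421 headers
# (Proc-Type, DEK-Info) sit between the BEGIN line and the base64 body.
# The bodies below are constructed placeholders, not real certificates or keys.
CERT_ONLY_PEM = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVCBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""

ENCRYPTED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgS0VZIFBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
"""

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return one dict per PEM block: its label, its headers, and whether it is encrypted."""
    blocks = []
    for match in BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        headers = {}
        lines = body.splitlines()
        # Header lines look like 'Name: value' and end at the first blank line
        while lines and ":" in lines[0]:
            name, value = lines[0].split(":", 1)
            headers[name.strip()] = value.strip()
            lines.pop(0)
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        blocks.append({"label": label, "headers": headers, "encrypted": encrypted})
    return blocks


def diagnose_private_key_file(text, password_configured):
    """Relate what EAPTLS_PrivateKeyFile contains to the OpenSSL errors in the Radiator log."""
    keys = [b for b in pem_blocks(text) if b["label"].endswith("PRIVATE KEY")]
    if not keys:
        # PEM_read_bio finds no '-----BEGIN ... PRIVATE KEY-----' line: 'no start line'
        return "no-key"
    key = keys[0]
    if key["encrypted"] and not password_configured:
        return "key-needs-passphrase"
    if key["encrypted"]:
        # Only the cipher is visible here; a wrong pass phrase surfaces at load time
        # as 'EVP_DecryptFinal:bad decrypt' / 'PEM_do_header:bad decrypt'
        return "encrypted-" + key["headers"]["DEK-Info"].split(",")[0]
    return "plain-key"
```

Run it against the real cert-srv.pem with `open(path).read()` to see which of the three cases the file falls into before adjusting the config.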