(RADIATOR) Error "TLS could not load_verify_locations" - FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN

Scott Xiao - ANTlabs scottxiao at antlabs.com
Fri Aug 6 10:22:33 CDT 2004


Hi,
Thanks for all the help on my timer issue, PEAP, acct stop issue; all those
resolved.
The current issue is, I got an error of "TLS could not load_verify_locations"
with an actual certificate; see the config file and debug below.
I purchased a server certificate from freessl.com, copied the text part of the
cert into a text file and saved it in the certificate directory of Radiator as
a .pem file, together with the private key file (.key file). Then I modified
the config file to point the path to the certificate directory, instead of
using the sample certificates. I found the sample pem file has 2 parts, public
key and private key inside, while my pem file (server cert) has only one
part, which is the server cert itself. But I don't think it's an issue,
since the comments in the file say it could be the same file for the
keys. Then I tested, and got the error as mentioned. Can you advise what's the
problem? FreeSSL's webserver cert should work in this scenario, right? How to
make a pem file have 2 parts like the sample one? Thanks!!
Rgds
Scott


config file:

        EAPType PEAP,MSCHAP-V2

        EAPTLS_CertificateFile %D/certificates/myhost.antlabs.com.pem

        EAPTLS_CertificateType PEM
        #EAPTLS_CertificateType CRT

        # EAPTLS_PrivateKeyFile is the name of the file containing
        # the server's private key. It is sometimes in the same file
        # as the server certificate (EAPTLS_CertificateFile).
        # If the private key is encrypted (usually the case)
        # then EAPTLS_PrivateKeyPassword is the key to decrypt it.
        #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyFile %D/certificates/myhost.antlabs.com.key
        #EAPTLS_PrivateKeyFile /etc/radiator/certificates/myhost.antlabs.com.key
        #EAPTLS_PrivateKeyFile %D/certificates/myhost.pem
        #EAPTLS_PrivateKeyPassword whatever
        EAPTLS_PrivateKeyPassword hiddenpassword

Debugging info:

[root at AAA Radiator-3.9]# ./radiusd -foreground  -config_file ./tt1.cfg
Fri Aug  6 23:04:27 2004: DEBUG: Finished reading configuration file
'./tt1.cfg'
Fri Aug  6 23:04:27 2004: DEBUG: Reading dictionary file
'/usr/src/802/radiator/Radiator-3.9/dictionary'
Fri Aug  6 23:04:27 2004: DEBUG: Creating authentication port 0.0.0.0:1812
Fri Aug  6 23:04:27 2004: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Aug  6 23:04:27 2004: NOTICE: Server started: Radiator 3.9 on AAA



Fri Aug  6 23:04:50 2004: DEBUG: Packet dump:
*** Received from 192.168.123.9 port 1814 ....

Packet length = 266
01 2a 01 0a 6b 23 57 6b 5f b8 ea 46 bd 67 35 ac
73 e7 51 2a 01 07 68 65 6c 6c 6f 1a 36 00 00 37
2a 01 30 69 73 6f 63 63 3d 28 6e 75 6c 6c 29 2c
63 63 3d 28 6e 75 6c 6c 29 2c 61 63 3d 28 6e 75
6c 6c 29 2c 6e 65 74 77 6f 72 6b 3d 47 45 4d 31
58 1a 19 00 00 37 2a 02 13 6f 70 65 72 61 74 6f
72 2c 6c 6f 63 61 74 69 6f 6e 04 06 0a 00 00 01
06 06 00 00 00 02 05 06 00 00 00 03 57 03 33 1e
19 30 30 2d 39 30 2d 34 42 2d 37 42 2d 41 31 2d
43 30 3a 47 45 4d 31 58 1f 13 30 30 2d 30 43 2d
46 31 2d 30 38 2d 33 37 2d 42 46 0c 06 00 00 05
78 3d 06 00 00 00 13 20 18 30 30 2d 39 30 2d 34
62 2d 37 62 2d 61 31 2d 63 30 3a 50 33 32 30 4d
18 43 4f 4e 4e 45 43 54 20 31 31 4d 62 70 73 20
38 30 32 2e 31 31 62 4f 0c 02 01 00 0a 01 68 65
6c 6c 6f 50 12 a3 6c 26 6a 29 c3 cf 09 f1 3a af
e2 a7 d9 7a 27 21 05 31 35 35
Code:       Access-Request
Identifier: 42
Authentic:  k#Wk_<184><234>F<189>g5<172>s<231>Q*
Attributes:
        User-Name = "hello"
        WISPr-Location-ID = "isocc=(null),cc=(null),ac=(null),network=GEM1X"
        WISPr-Location-Name = "operator,location"
        NAS-IP-Address = 10.0.0.1
        Service-Type = Framed-User
        NAS-Port = 3
        NAS-Port-Id = "3"
        Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
        Calling-Station-Id = "00-0C-F1-08-37-BF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = <2><1><0><10><1>hello
        Message-Authenticator =
<163>l&j)<195><207><9><241>:<175><226><167><217>z'
        Proxy-State = 155

Fri Aug  6 23:04:50 2004: DEBUG: Handling request with Handler ''
Fri Aug  6 23:04:50 2004: DEBUG:  Deleting session for hello, 10.0.0.1, 3
Fri Aug  6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL
Fri Aug  6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL:
Fri Aug  6 23:04:50 2004: DEBUG: Handling with EAP: code 2, 1, 10
Fri Aug  6 23:04:50 2004: DEBUG: Response type 1
Fri Aug  6 23:04:50 2004: ERR: TLS could not load_verify_locations , :
Fri Aug  6 23:04:50 2004: DEBUG: EAP result: 1, EAP TLS Could not initialise
context
Fri Aug  6 23:04:50 2004: INFO: Access rejected for hello: EAP TLS Could not
initialise context
Fri Aug  6 23:04:50 2004: DEBUG: Packet dump:
*** Sending to 192.168.123.9 port 1814 ....

Packet length = 41
03 2a 00 29 de 49 a8 63 73 f4 3d 7e 46 3b f0 77
f0 4e 7e 85 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64 21 05 31 35 35
Code:       Access-Reject
Identifier: 42
Authentic:  k#Wk_<184><234>F<189>g5<172>s<231>Q*
Attributes:
        Reply-Message = "Request Denied"
        Proxy-State = 155

Fri Aug  6 23:05:05 2004: DEBUG: Packet dump:
*** Received from 192.168.123.9 port 1814 ....

Packet length = 266
01 2b 01 0a 64 a2 eb e1 33 a6 36 6a ea dd 0b e5
be e9 8b 22 01 07 73 63 6f 74 74 1a 36 00 00 37
2a 01 30 69 73 6f 63 63 3d 28 6e 75 6c 6c 29 2c
63 63 3d 28 6e 75 6c 6c 29 2c 61 63 3d 28 6e 75
6c 6c 29 2c 6e 65 74 77 6f 72 6b 3d 47 45 4d 31
58 1a 19 00 00 37 2a 02 13 6f 70 65 72 61 74 6f
72 2c 6c 6f 63 61 74 69 6f 6e 04 06 0a 00 00 01
06 06 00 00 00 02 05 06 00 00 00 03 57 03 33 1e
19 30 30 2d 39 30 2d 34 42 2d 37 42 2d 41 31 2d
43 30 3a 47 45 4d 31 58 1f 13 30 30 2d 30 43 2d
46 31 2d 30 38 2d 33 37 2d 42 46 0c 06 00 00 05
78 3d 06 00 00 00 13 20 18 30 30 2d 39 30 2d 34
62 2d 37 62 2d 61 31 2d 63 30 3a 50 33 32 30 4d
18 43 4f 4e 4e 45 43 54 20 31 31 4d 62 70 73 20
38 30 32 2e 31 31 62 4f 0c 02 02 00 0a 01 73 63
6f 74 74 50 12 80 4b 89 4b 8f ad 7a c7 a3 d5 a6
5e b0 d6 23 19 21 05 31 35 36
Code:       Access-Request
Identifier: 43
Authentic:  d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
Attributes:
        User-Name = "scott"
        WISPr-Location-ID = "isocc=(null),cc=(null),ac=(null),network=GEM1X"
        WISPr-Location-Name = "operator,location"
        NAS-IP-Address = 10.0.0.1
        Service-Type = Framed-User
        NAS-Port = 3
        NAS-Port-Id = "3"
        Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
        Calling-Station-Id = "00-0C-F1-08-37-BF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = <2><2><0><10><1>scott
        Message-Authenticator =
<128>K<137>K<143><173>z<199><163><213><166>^<176><214>#<25>
        Proxy-State = 156

Fri Aug  6 23:05:05 2004: DEBUG: Handling request with Handler ''
Fri Aug  6 23:05:05 2004: DEBUG:  Deleting session for scott, 10.0.0.1, 3
Fri Aug  6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL
Fri Aug  6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL:
Fri Aug  6 23:05:05 2004: DEBUG: Handling with EAP: code 2, 2, 10
Fri Aug  6 23:05:05 2004: DEBUG: Response type 1
Fri Aug  6 23:05:05 2004: ERR: TLS could not load_verify_locations , :
Fri Aug  6 23:05:05 2004: DEBUG: EAP result: 1, EAP TLS Could not initialise
context
Fri Aug  6 23:05:05 2004: INFO: Access rejected for scott: EAP TLS Could not
initialise context
Fri Aug  6 23:05:05 2004: DEBUG: Packet dump:
*** Sending to 192.168.123.9 port 1814 ....

Packet length = 41
03 2b 00 29 43 89 dc ac 25 80 f5 79 2e df dc b9
46 58 5b 41 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64 21 05 31 35 36
Code:       Access-Reject
Identifier: 43
Authentic:  d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
Attributes:
        Reply-Message = "Request Denied"
        Proxy-State = 156


[root at AAA Radiator-3.9]#

[root at AAA certificates]# ls
cert-clt.p12  demoCA                   myhost.antlabs.com.pem  root.pem
cert-clt.pem  myhost.antlabs.com.crt  README
cert-srv.pem  myhost.antlabs.com.key  root.der
[root at AAA certificates]#



-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
Behalf Of Bon sy
Sent: Tuesday, August 03, 2004 7:10 PM
To: Terry Simons
Cc: scottxiao at antlabs.com; radiator at open.com.au
Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN


Hi Scott and Terry,

	If your main concern is the cost, as Terry mentioned, you may want
to consider building your own CA using openssl. If a moderate cost
investment may fit your budget, you may want to look into CATool as
Mike/Hugh have suggested previously.

	We have tried and used both. Building your own CA using openssl is
more involved --- and obviously you have to provide your own technical
support --- compared to using CATool. If you do want to build your own
CA using openssl and to avoid the frustration causing your late-night
sleepless symptom, we find it important to build up the comfort level on
openssl, perl, and Linux, and definitely read up a lot from the mailing
list, before doing it.

Bon


On Mon, 2 Aug 2004, Terry Simons wrote:

> Hi Scott,
>
> You *can* reuse a server certificate in another location later.
>
> The domain name has no real significance, except that you need to
> verify it on the client to ensure that your clients are secure.  The
> domain can be whatever you like, and can exist on multiple servers...
> there is no inherent tie to any given server.
>
> That said, it is probably *not* a good idea to reuse certificates in a
> production environment, but it does work.
>
> Is the main reason why you are purchasing certificates to ensure that
> the client has a pre-installed CA certificate that will verify your
> certificate, or for some other reason?
>
> If your main concern is the cost, you should probably consider rolling
> your own certificates.
>
> - Terry
>
> On Aug 2, 2004, at 8:59 PM, Scott Xiao - ANTlabs wrote:
>
> >
> > Hi,
> > Can any of you recommend one workable Radius (Radiator) server certificate
> > besides Verisign? I want to buy a cheaper one, use it in 802.1x PEAP WLAN
> > hotspot. If I use it for domain "hostname.mydomain.com", can I use the same
> > certificate in future if I deploy a same WLAN in another place which will
> > still use the same domain name? Thanks!
> > Rgds
> > Scott Xiao
> > -----Original Message-----
> > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> > Behalf Of Terry Simons
> > Sent: Thursday, July 29, 2004 1:15 PM
> > To: Christian Wiedmann
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100
> > WLAN
> >
> >
> > Hi,
> >
> > On Jul 28, 2004, at 1:32 PM, Christian Wiedmann wrote:
> >
> >> As far as I know, the XP server extension OID is the one that is also
> >> used for web servers.  Therefore, a web server certificate should
> >> work.
> >
> > This is true.  There is one thing that people should probably be aware
> > of, however.
> >
> > At the last Networld + Interop HotStage, we did some extensive testing
> > with this and it was determined that what should probably happen is to
> > officially apply for some OIDs for 802.1X authentication servers.  One
> > of the HotStage members that is involved in the IETF and the IEEE is
> > pushing that a bit, so it could be the case that a "proper" OID set
> > will come out in the future.  It could be a ways out, but I personally
> > hope that it happens so we can have an "official" way of creating
> > "802.1X authentication" certificates.
> >
> > - Terry
> >
> >>
> >> For what it's worth, I've successfully used a Verisign web server
> >> certificate for PEAP authentication against Windows XP SP1. I think there's
> >> a good chance a freessl certificate would work too.
> >>
> >> 	-Christian
> >>
> >> ref.:
> >> http://support.microsoft.com/?kbid=814394
> >> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.1.html
> >> http://www.ietf.org/rfc/rfc2459.txt
> >>
> >> On Wed, 28 Jul 2004, Mike McCauley wrote:
> >>
> >>> Date: Wed, 28 Jul 2004 19:35:44 +1000
> >>> From: Mike McCauley <mikem at open.com.au>
> >>> To: scottxiao at antlabs.com
> >>> Cc: Radiator <radiator at open.com.au>
> >>> Subject: Re: (RADIATOR) SSL certificate for  802.1x PEAP/aironet1100
> >>> WLAN
> >>>
> >>> Hi Scott,
> >>>
> >>>
> >>> On Wednesday 28 July 2004 18:41, Scott Xiao  - ANTlabs wrote:
> >>>> Hi, Mike,
> >>>> Thanks, so do you have any suggestion that I can purchase regarding the
> >>>> cert for radius server? Verisign? Which type? If you have any
> >>>> recommendation that it works well on Radiator.... Thanks
> >>>
> >>> Verisign offer certificates for radius servers, but I don't know the
> >>> details of how to apply for one. They do work with Radiator. You should
> >>> try to get it in PEM format.
> >>>
> >>> Cheers.
> >>>
> >>
> >> --
> >> Archive at http://www.open.com.au/archives/radiator/
> >> Announcements on radiator-announce at open.com.au
> >> To unsubscribe, email 'majordomo at open.com.au' with
> >> 'unsubscribe radiator' in the body of the message.
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
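The error in the log above names OpenSSL's load_verify_locations call, which loads the CA (trust store) file rather than the server certificate or private key. As an added example that is not Radiator's code and not part of the thread, the following Python script checks the three files an EAP-TLS/PEAP server is typically pointed at (server certificate, private key, CA file): it reports which PEM block types each file contains, so a cert-only .pem, a combined cert-plus-key .pem like the sample cert-srv.pem, and a CA file can be told apart before the server is started, and it makes the same load_verify_locations call through Python's ssl module to surface OpenSSL's own error text. The file names and PEM payloads are constructed placeholders, not real keys or certificates.

```python
"""Check the PEM files an EAP-TLS/PEAP server is configured with.

Added example, not Radiator code. The PEM regex, the file layout and the
placeholder payloads are constructed for illustration.
"""
import os
import re
import ssl
import tempfile

# One PEM block: "-----BEGIN label-----", body, "-----END label-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

PRIVATE_KEY_TYPES = {
    "RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    "EC PRIVATE KEY", "DSA PRIVATE KEY",
}


def pem_block_types(path):
    """Return the PEM block labels found in *path*, in file order."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def diagnose(cert_file, key_file, ca_file):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    for label, path in (("certificate", cert_file),
                        ("private key", key_file),
                        ("CA", ca_file)):
        if not os.path.isfile(path):
            problems.append(f"{label} file {path!r} does not exist")
    if problems:
        return problems  # nothing further to inspect
    cert_types = pem_block_types(cert_file)
    key_types = pem_block_types(key_file)
    ca_types = pem_block_types(ca_file)
    if "CERTIFICATE" not in cert_types:
        problems.append(f"certificate file {cert_file!r} has no CERTIFICATE block")
    # A combined file carries cert and key together; otherwise the key file
    # must supply the private key block.
    if not (PRIVATE_KEY_TYPES & set(cert_types + key_types)):
        problems.append("no private key block in certificate file or key file")
    if "CERTIFICATE" not in ca_types:
        problems.append(f"CA file {ca_file!r} has no CERTIFICATE block, "
                        "so load_verify_locations has nothing to load")
    return problems


def try_load_verify_locations(ca_file):
    """Ask OpenSSL, via Python's ssl module, to load *ca_file* as a trust store.

    Returns None on success, otherwise the error message OpenSSL produced.
    ssl.SSLError is a subclass of OSError, so one except clause covers both
    a missing file and a file OpenSSL cannot parse."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_verify_locations(cafile=ca_file)
    except OSError as exc:
        return str(exc)
    return None


def build_constructed_example():
    """Write constructed stand-ins into a temp dir; return (cert, key, ca) paths.

    The base64 payload decodes to the word CONSTRUCTED; it is not a real
    certificate or key. The CA file is deliberately written without any
    CERTIFICATE block to reproduce a trust-store load failure."""
    d = tempfile.mkdtemp()
    cert = os.path.join(d, "myhost.example.com.pem")  # hypothetical name
    key = os.path.join(d, "myhost.example.com.key")   # hypothetical name
    ca = os.path.join(d, "root.pem")                  # hypothetical name
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                 "-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                 "-----END RSA PRIVATE KEY-----\n")
    with open(ca, "w") as fh:
        fh.write("# constructed: no certificate in this file\n")
    return cert, key, ca


if __name__ == "__main__":
    cert, key, ca = build_constructed_example()
    for problem in diagnose(cert, key, ca):
        print("problem:", problem)
    print("OpenSSL says:", try_load_verify_locations(ca))
```

Run against the real paths from the server's configuration (in Radiator the CA file is given by its EAPTLS_CAFile parameter, a name taken from my knowledge of Radiator rather than from this thread), the block listing shows immediately whether the server certificate file contains a CERTIFICATE block, a private key block, or both, and whether the CA file contains the CA certificate that load_verify_locations expects.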



