(RADIATOR) Error "TLS could not load_verify_locations" - FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN
Scott Xiao - ANTlabs
scottxiao at antlabs.com
Fri Aug 6 22:26:13 CDT 2004
Thanks Hugh!
But I still don't understand the relationship between that message and my
problem of PEAP "EAP TLS Could not initialise context". Since I have a
certificate from FreeSSL, do I still need the cert in "demoCA/cacert.pem"?
Do you have a sample configuration using an actual certificate instead of a
self-signed certificate? Thanks!
Rgds
Scott
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Saturday, August 07, 2004 7:32 AM
To: scottxiao at antlabs.com
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Error "TLS could not load_verify_locations" - FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN
Hello Scott -
The complete message is this:
TLS.pm: $parent->log($main::LOG_ERR, "TLS could not load_verify_locations $parent->{EAPTLS_CAFile}, $parent->{EAPTLS_CAPath}: $errs");
See the example configuration file in "goodies/eap_tls.cfg".
Here is the relevant section:
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates (and possible CRLs) in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath %D/certificates/demoCA
regards
Hugh
On 7 Aug 2004, at 01:22, Scott Xiao - ANTlabs wrote:
> Hi,
> Thanks for all the help on my timer issue, PEAP, acct stop issue, all those
> resolved.
> The current issue is, I got an error of "TLS could not load_verify_locations"
> with an actual certificate, see the config file and debug below.
> I purchased a server certificate from freessl.com, copied the text part of the
> cert into a text file and saved it in the certificate directory of Radiator as
> a .pem file, together with the private key file (.key file). Then I modified
> the config file to point the path to the certificate directory, instead of
> using the sample certificates. I found the sample pem file has 2 parts, public
> key and private key inside, while my pem file (server cert) has only one
> part, which is the server cert itself. But I don't think it's an issue
> since the comments in the file say it could be the same file for the
> keys. Then I tested, and got the error as mentioned. Can you advise what's the
> problem? FreeSSL's webserver cert should work in this scenario, right? How to
> make a pem file have 2 parts like the sample one? Thanks!!
> Rgds
> Scott
>
>
> config file:
>
> EAPType PEAP,MSCHAP-V2
>
> EAPTLS_CertificateFile %D/certificates/myhost.antlabs.com.pem
> EAPTLS_CertificateType PEM
> #EAPTLS_CertificateType CRT
>
> # EAPTLS_PrivateKeyFile is the name of the file containing
> # the server's private key. It is sometimes in the same file
> # as the server certificate (EAPTLS_CertificateFile)
> # If the private key is encrypted (usually the case)
> # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyFile %D/certificates/myhost.antlabs.com.key
> #EAPTLS_PrivateKeyFile /etc/radiator/certificates/myhost.antlabs.com.key
> # EAPTLS_PrivateKeyFile %D/certificates/myhost.pem
> #EAPTLS_PrivateKeyPassword whatever
> EAPTLS_PrivateKeyPassword hiddenpassword
>
> Debugging info:
>
> [root at AAA Radiator-3.9]# ./radiusd -foreground -config_file ./tt1.cfg
> Fri Aug 6 23:04:27 2004: DEBUG: Finished reading configuration file './tt1.cfg'
> Fri Aug 6 23:04:27 2004: DEBUG: Reading dictionary file '/usr/src/802/radiator/Radiator-3.9/dictionary'
> Fri Aug 6 23:04:27 2004: DEBUG: Creating authentication port 0.0.0.0:1812
> Fri Aug 6 23:04:27 2004: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Aug 6 23:04:27 2004: NOTICE: Server started: Radiator 3.9 on AAA
>
>
>
> Fri Aug 6 23:04:50 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
>
> Packet length = 266
> 01 2a 01 0a 6b 23 57 6b 5f b8 ea 46 bd 67 35 ac
> 73 e7 51 2a 01 07 68 65 6c 6c 6f 1a 36 00 00 37
> 2a 01 30 69 73 6f 63 63 3d 28 6e 75 6c 6c 29 2c
> 63 63 3d 28 6e 75 6c 6c 29 2c 61 63 3d 28 6e 75
> 6c 6c 29 2c 6e 65 74 77 6f 72 6b 3d 47 45 4d 31
> 58 1a 19 00 00 37 2a 02 13 6f 70 65 72 61 74 6f
> 72 2c 6c 6f 63 61 74 69 6f 6e 04 06 0a 00 00 01
> 06 06 00 00 00 02 05 06 00 00 00 03 57 03 33 1e
> 19 30 30 2d 39 30 2d 34 42 2d 37 42 2d 41 31 2d
> 43 30 3a 47 45 4d 31 58 1f 13 30 30 2d 30 43 2d
> 46 31 2d 30 38 2d 33 37 2d 42 46 0c 06 00 00 05
> 78 3d 06 00 00 00 13 20 18 30 30 2d 39 30 2d 34
> 62 2d 37 62 2d 61 31 2d 63 30 3a 50 33 32 30 4d
> 18 43 4f 4e 4e 45 43 54 20 31 31 4d 62 70 73 20
> 38 30 32 2e 31 31 62 4f 0c 02 01 00 0a 01 68 65
> 6c 6c 6f 50 12 a3 6c 26 6a 29 c3 cf 09 f1 3a af
> e2 a7 d9 7a 27 21 05 31 35 35
> Code: Access-Request
> Identifier: 42
> Authentic: k#Wk_<184><234>F<189>g5<172>s<231>Q*
> Attributes:
> User-Name = "hello"
> WISPr-Location-ID = "isocc=(null),cc=(null),ac=(null),network=GEM1X"
> WISPr-Location-Name = "operator,location"
> NAS-IP-Address = 10.0.0.1
> Service-Type = Framed-User
> NAS-Port = 3
> NAS-Port-Id = "3"
> Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
> Calling-Station-Id = "00-0C-F1-08-37-BF"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = <2><1><0><10><1>hello
> Message-Authenticator = <163>l&j)<195><207><9><241>:<175><226><167><217>z'
> Proxy-State = 155
>
> Fri Aug 6 23:04:50 2004: DEBUG: Handling request with Handler ''
> Fri Aug 6 23:04:50 2004: DEBUG: Deleting session for hello, 10.0.0.1, 3
> Fri Aug 6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL
> Fri Aug 6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL:
> Fri Aug 6 23:04:50 2004: DEBUG: Handling with EAP: code 2, 1, 10
> Fri Aug 6 23:04:50 2004: DEBUG: Response type 1
> Fri Aug 6 23:04:50 2004: ERR: TLS could not load_verify_locations , :
> Fri Aug 6 23:04:50 2004: DEBUG: EAP result: 1, EAP TLS Could not initialise context
> Fri Aug 6 23:04:50 2004: INFO: Access rejected for hello: EAP TLS Could not initialise context
> Fri Aug 6 23:04:50 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
>
> Packet length = 41
> 03 2a 00 29 de 49 a8 63 73 f4 3d 7e 46 3b f0 77
> f0 4e 7e 85 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64 21 05 31 35 35
> Code: Access-Reject
> Identifier: 42
> Authentic: k#Wk_<184><234>F<189>g5<172>s<231>Q*
> Attributes:
> Reply-Message = "Request Denied"
> Proxy-State = 155
>
> Fri Aug 6 23:05:05 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
>
> Packet length = 266
> 01 2b 01 0a 64 a2 eb e1 33 a6 36 6a ea dd 0b e5
> be e9 8b 22 01 07 73 63 6f 74 74 1a 36 00 00 37
> 2a 01 30 69 73 6f 63 63 3d 28 6e 75 6c 6c 29 2c
> 63 63 3d 28 6e 75 6c 6c 29 2c 61 63 3d 28 6e 75
> 6c 6c 29 2c 6e 65 74 77 6f 72 6b 3d 47 45 4d 31
> 58 1a 19 00 00 37 2a 02 13 6f 70 65 72 61 74 6f
> 72 2c 6c 6f 63 61 74 69 6f 6e 04 06 0a 00 00 01
> 06 06 00 00 00 02 05 06 00 00 00 03 57 03 33 1e
> 19 30 30 2d 39 30 2d 34 42 2d 37 42 2d 41 31 2d
> 43 30 3a 47 45 4d 31 58 1f 13 30 30 2d 30 43 2d
> 46 31 2d 30 38 2d 33 37 2d 42 46 0c 06 00 00 05
> 78 3d 06 00 00 00 13 20 18 30 30 2d 39 30 2d 34
> 62 2d 37 62 2d 61 31 2d 63 30 3a 50 33 32 30 4d
> 18 43 4f 4e 4e 45 43 54 20 31 31 4d 62 70 73 20
> 38 30 32 2e 31 31 62 4f 0c 02 02 00 0a 01 73 63
> 6f 74 74 50 12 80 4b 89 4b 8f ad 7a c7 a3 d5 a6
> 5e b0 d6 23 19 21 05 31 35 36
> Code: Access-Request
> Identifier: 43
> Authentic: d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
> Attributes:
> User-Name = "scott"
> WISPr-Location-ID = "isocc=(null),cc=(null),ac=(null),network=GEM1X"
> WISPr-Location-Name = "operator,location"
> NAS-IP-Address = 10.0.0.1
> Service-Type = Framed-User
> NAS-Port = 3
> NAS-Port-Id = "3"
> Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
> Calling-Station-Id = "00-0C-F1-08-37-BF"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = <2><2><0><10><1>scott
> Message-Authenticator = <128>K<137>K<143><173>z<199><163><213><166>^<176><214>#<25>
> Proxy-State = 156
>
> Fri Aug 6 23:05:05 2004: DEBUG: Handling request with Handler ''
> Fri Aug 6 23:05:05 2004: DEBUG: Deleting session for scott, 10.0.0.1, 3
> Fri Aug 6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL
> Fri Aug 6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL:
> Fri Aug 6 23:05:05 2004: DEBUG: Handling with EAP: code 2, 2, 10
> Fri Aug 6 23:05:05 2004: DEBUG: Response type 1
> Fri Aug 6 23:05:05 2004: ERR: TLS could not load_verify_locations , :
> Fri Aug 6 23:05:05 2004: DEBUG: EAP result: 1, EAP TLS Could not initialise context
> Fri Aug 6 23:05:05 2004: INFO: Access rejected for scott: EAP TLS Could not initialise context
> Fri Aug 6 23:05:05 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
>
> Packet length = 41
> 03 2b 00 29 43 89 dc ac 25 80 f5 79 2e df dc b9
> 46 58 5b 41 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64 21 05 31 35 36
> Code: Access-Reject
> Identifier: 43
> Authentic: d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
> Attributes:
> Reply-Message = "Request Denied"
> Proxy-State = 156
>
>
> [root at AAA Radiator-3.9]#
>
> [root at AAA certificates]# ls
> cert-clt.p12 demoCA myhost.antlabs.com.pem root.pem
> cert-clt.pem myhost.antlabs.com.crt README
> cert-srv.pem myhost.antlabs.com.key root.der
> [root at AAA certificates]#
>
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> Behalf Of Bon sy
> Sent: Tuesday, August 03, 2004 7:10 PM
> To: Terry Simons
> Cc: scottxiao at antlabs.com; radiator at open.com.au
> Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN
>
>
> Hi Scott and Terry,
>
> If your main concern is the cost as Terry mentioned, you may want
> to consider building your own CA using openssl. If a moderate cost
> investment may fit your budget, you may want to look into CATool as
> Mike/Hugh have suggested previously.
>
> We have tried and used both. Building your own CA using openssl is
> more involved --- and obviously you have to provide your own technical
> support --- compared to using CATool. If you do want to build your own
> CA using openssl and to avoid the frustration causing your late-night
> sleepless symptom, we find it important to build up the comfort level on
> openssl, perl, and Linux, and definitely read up a lot from the mailing
> list, before doing it.
>
> Bon
>
>
> On Mon, 2 Aug 2004, Terry Simons wrote:
>
>> Hi Scott,
>>
>> You *can* reuse a server certificate in another location later.
>>
>> The domain name has no real significance, except that you need to
>> verify it on the client to ensure that your clients are secure. The
>> domain can be whatever you like, and can exist on multiple servers...
>> there is no inherent tie to any given server.
>>
>> That said, it is probably *not* a good idea to reuse certificates in a
>> production environment, but it does work.
>>
>> Is the main reason why you are purchasing certificates to ensure that
>> the client has a pre-installed CA certificate that will verify your
>> certificate, or for some other reason?
>>
>> If your main concern is the cost, you should probably consider rolling
>> your own certificates.
>>
>> - Terry
>>
>> On Aug 2, 2004, at 8:59 PM, Scott Xiao - ANTlabs wrote:
>>
>>>
>>> Hi,
>>> Can any of you recommend one workable Radius (Radiator) server certificate
>>> besides Verisign? I want to buy a cheaper one, use it in an 802.1x PEAP WLAN
>>> hotspot. If I use it for domain "hostname.mydomain.com", can I use the same
>>> certificate in future if I deploy the same WLAN in another place which will
>>> still use the same domain name? Thanks!
>>> Rgds
>>> Scott Xiao
>>> -----Original Message-----
>>> From: owner-radiator at open.com.au
>>> [mailto:owner-radiator at open.com.au]On
>>> Behalf Of Terry Simons
>>> Sent: Thursday, July 29, 2004 1:15 PM
>>> To: Christian Wiedmann
>>> Cc: radiator at open.com.au
>>> Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN
>>>
>>>
>>> Hi,
>>>
>>> On Jul 28, 2004, at 1:32 PM, Christian Wiedmann wrote:
>>>
>>>> As far as I know, the XP server extension OID is the one that is also
>>>> used for web servers. Therefore, a web server certificate should work.
>>>
>>> This is true. There is one thing that people should probably be aware
>>> of, however.
>>>
>>> At the last Networld + Interop HotStage, we did some extensive testing
>>> with this and it was determined that what should probably happen is to
>>> officially apply for some OIDs for 802.1X authentication servers. One
>>> of the HotStage members that is involved in the IETF and the IEEE is
>>> pushing that a bit, so it could be the case that a "proper" OID set
>>> will come out in the future. It could be a ways out, but I personally
>>> hope that it happens so we can have an "official" way of creating
>>> "802.1X authentication" certificates.
>>>
>>> - Terry
>>>
>>>>
>>>> For what it's worth, I've successfully used a Verisign web server certificate
>>>> for PEAP authentication against Windows XP SP1. I think there's a good
>>>> chance a freessl certificate would work too.
>>>>
>>>> -Christian
>>>>
>>>> ref.:
>>>> http://support.microsoft.com/?kbid=814394
>>>> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.1.html
>>>> http://www.ietf.org/rfc/rfc2459.txt
>>>>
>>>> On Wed, 28 Jul 2004, Mike McCauley wrote:
>>>>
>>>>> Date: Wed, 28 Jul 2004 19:35:44 +1000
>>>>> From: Mike McCauley <mikem at open.com.au>
>>>>> To: scottxiao at antlabs.com
>>>>> Cc: Radiator <radiator at open.com.au>
>>>>> Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN
>>>>>
>>>>> Hi Scott,
>>>>>
>>>>>
>>>>> On Wednesday 28 July 2004 18:41, Scott Xiao - ANTlabs wrote:
>>>>>> Hi Mike,
>>>>>> Thanks, so do you have any suggestion that I can purchase regarding the
>>>>>> cert for radius server? Verisign? Which type? If you have any recommendation
>>>>>> that it works well on Radiator.... Thanks
>>>>>
>>>>> Verisign offer certificates for radius servers, but I don't know the details of
>>>>> how to apply for one. They do work with Radiator. You should try to get it in
>>>>> PEM format.
>>>>>
>>>>> Cheers.
>>>>>
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>>
>>
>>
>
>
>
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
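Two things are asked in this thread: why the server cert alone produces "TLS could not load_verify_locations , :", and how to make a two-part PEM like the sample cert-srv.pem. The checker below is an added example written for this page, not Radiator code, and it is in Python rather than Radiator's Perl so it runs stand-alone. It assumes only what the thread shows: the EAPTLS_* directive names and the %D (DbDir) expansion from the quoted goodies/eap_tls.cfg, and the error string from the quoted log, where both interpolated values are empty because neither EAPTLS_CAFile nor EAPTLS_CAPath is set. The PEM bodies and the file name freessl-chain.pem are constructed placeholders, not real material.

```python
"""Lint the EAPTLS_* directives of a Radiator PEAP/EAP-TLS configuration.

Added example, not Radiator code. Directive names, %D expansion and the
missing-CA error text are taken from the quoted config and log.
"""
import re

# One PEM block; the label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_block_types(text):
    """Labels of the PEM blocks in a file, in order; text outside armour is ignored."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def make_two_part_pem(key_text, cert_text):
    """Build the two-part PEM the sample cert-srv.pem has: key block, then cert
    block. The human-readable 'Certificate:' dump a CA pastes above the base64
    is dropped because it is outside the PEM armour."""
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(key_text)]
    blocks += [m.group(0) for m in PEM_BLOCK.finditer(cert_text)]
    return "\n".join(blocks) + "\n"


def parse_eaptls_directives(config_text, dbdir="/etc/radiator"):
    """Collect active EAPTLS_* directives; '#' starts a comment, %D is DbDir."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("EAPTLS_"):
            value = parts[1].strip() if len(parts) > 1 else ""
            directives[parts[0]] = value.replace("%D", dbdir)
    return directives


def lint_eaptls(directives, files):
    """files maps expanded path -> contents (read from disk in real use).
    Returns a list of problems; empty means the TLS context can be built."""
    problems = []
    cafile = directives.get("EAPTLS_CAFile", "")
    capath = directives.get("EAPTLS_CAPath", "")
    if not cafile and not capath:
        # The case in the thread: a server cert alone gives OpenSSL no trust
        # store, so the context is never initialised and every PEAP attempt fails.
        problems.append(
            f"TLS could not load_verify_locations {cafile}, {capath}: set "
            "EAPTLS_CAFile to a PEM bundle of the issuing CA chain (or "
            "EAPTLS_CAPath to a hashed directory of CA certificates)")
    elif cafile and "CERTIFICATE" not in pem_block_types(files.get(cafile, "")):
        problems.append(f"{cafile}: no CERTIFICATE block; it must hold the CA "
                        "(and any intermediate) certificates in PEM format")
    certfile = directives.get("EAPTLS_CertificateFile", "")
    if "CERTIFICATE" not in pem_block_types(files.get(certfile, "")):
        problems.append(f"{certfile}: no PEM CERTIFICATE block (a .crt may be "
                        "DER; convert it or set EAPTLS_CertificateType)")
    # The key may live in its own file or in the same file as the certificate.
    keyfile = directives.get("EAPTLS_PrivateKeyFile") or certfile
    key_text = files.get(keyfile, "")
    key_labels = KEY_LABELS & set(pem_block_types(key_text))
    if not key_labels:
        problems.append(f"{keyfile}: no private key block (a two-part PEM "
                        "carries the key and the certificate in one file)")
    elif (("ENCRYPTED PRIVATE KEY" in key_labels
           or "Proc-Type: 4,ENCRYPTED" in key_text)
          and not directives.get("EAPTLS_PrivateKeyPassword")):
        problems.append(f"{keyfile}: key is encrypted but "
                        "EAPTLS_PrivateKeyPassword is not set")
    return problems


# Constructed sample data: the base64 bodies are placeholders, not real keys.
FAKE_CERT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
             "-----BEGIN CERTIFICATE-----\nMIIBxDCCAW4CAQAwDQYJKoZIhvcNAQEEBQAw\n"
             "-----END CERTIFICATE-----\n")
FAKE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
            "MIICXAIBAAKBgQC7placeholderplaceholderplaceholder\n"
            "-----END RSA PRIVATE KEY-----\n")
FAKE_CA = ("-----BEGIN CERTIFICATE-----\nMIIDintermediateplaceholder\n"
           "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n"
           "MIIDrootplaceholder\n-----END CERTIFICATE-----\n")
# The configuration as posted: no EAPTLS_CAFile or EAPTLS_CAPath at all.
BROKEN_CFG = """
EAPType PEAP,MSCHAP-V2
EAPTLS_CertificateFile %D/certificates/myhost.antlabs.com.pem
EAPTLS_CertificateType PEM
#EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyFile %D/certificates/myhost.antlabs.com.key
EAPTLS_PrivateKeyPassword hiddenpassword
"""
# Same, plus a CA bundle; the file name freessl-chain.pem is hypothetical.
FIXED_CFG = BROKEN_CFG + "EAPTLS_CAFile %D/certificates/freessl-chain.pem\n"
FILES = {
    "/etc/radiator/certificates/myhost.antlabs.com.pem": FAKE_CERT,
    "/etc/radiator/certificates/myhost.antlabs.com.key": FAKE_KEY,
    "/etc/radiator/certificates/freessl-chain.pem": FAKE_CA,
}


def demo():
    """Lint the posted and the corrected configuration against the sample files."""
    before = lint_eaptls(parse_eaptls_directives(BROKEN_CFG), FILES)
    after = lint_eaptls(parse_eaptls_directives(FIXED_CFG), FILES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("as posted:", *before, sep="\n  ")
    print("with EAPTLS_CAFile:", after or "no problems found")
```

In real use, read the three files referenced by the expanded paths into the `files` dict and run `lint_eaptls` before starting radiusd. The CA bundle should contain the public CA's intermediate and root certificates, not the server cert; it is what lets OpenSSL build the verify context, and it is the same trust anchor the Windows PEAP client needs to have (and be configured to check) for the server certificate to mean anything.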