(RADIATOR) Error "TLS could not load_verify_locations" - FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN

Hugh Irvine hugh at open.com.au
Sat Aug 7 01:49:16 CDT 2004


Hello Scott -

The problem is that Radiator cannot find the CA certificates because 
neither EAPTLS_CAFile nor EAPTLS_CAPath are defined.

The example configuration file "goodies/eap_tls.cfg" shows a working 
example.

regards

Hugh


On 7 Aug 2004, at 13:26, Scott Xiao - ANTlabs wrote:

> Thanks Hugh!
> But I still don't understand what the relationship is between that message
> and my problem of PEAP "EAP TLS Could not initialise context". Since I have a
> certificate from FreeSSL, do I still need the cert in "demoCA/cacert.pem"?
> Do you have a sample configuration using an actual certificate instead of a
> self-signed certificate? Thanks!
> Rgds
> Scott
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Saturday, August 07, 2004 7:32 AM
> To: scottxiao at antlabs.com
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Error "TLS could not load_verify_locations" -
> FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN
>
>
>
> Hello Scott -
>
> The complete message is this:
>
> TLS.pm:     $parent->log($main::LOG_ERR, "TLS could not
> load_verify_locations $parent->{EAPTLS_CAFile},
> $parent->{EAPTLS_CAPath}: $errs");
>
> See the example configuration file in "goodies/eap_tls.cfg".
>
> Here is the relevant section:
>
>                  # EAPTLS_CAFile is the name of a file of CA certificates
>                  # in PEM format. The file can contain several CA certificates
>                  # Radiator will first look in EAPTLS_CAFile then in
>                  # EAPTLS_CAPath, so there usually is no need to set both
>                  EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
>                  # EAPTLS_CAPath is the name of a directory containing CA
>                  # certificates (and possible CRLs) in PEM format. The files each contain one
>                  # CA certificate. The files are looked up by the CA
>                  # subject name hash value
> #               EAPTLS_CAPath %D/certificates/demoCA
>
> regards
>
> Hugh
>
>
> On 7 Aug 2004, at 01:22, Scott Xiao - ANTlabs wrote:
>
>> Hi,
>> Thanks for all the help on my timer issue, PEAP, acct stop issue; all those
>> are resolved.
>> The current issue is, I got an error of "TLS could not load_verify_locations"
>> with an actual certificate; see the config file and debug below.
>> I purchased a server certificate from freessl.com, copied the text part of the
>> cert into a text file and saved it in the certificate directory of radiator as
>> a .pem file, together with the private key file (.key file). Then I modified
>> the config file to point the path to the certificate directory, instead of
>> using the sample certificates. I found the sample pem file has 2 parts, public
>> key and private key inside, while my pem file (server cert) has only one
>> part, which is the server cert itself. But I don't think it's an issue
>> since the comments in the file say it could be the same file for the
>> keys. Then I tested, and got the error as mentioned. Can you advise what's the
>> problem? FreeSSL's webserver cert should work in this scenario, right? How to
>> make a pem file have 2 parts like the sample one? Thanks!!
>> Rgds
>> Scott
>>
>>
>> config file:
>>
>>   EAPType PEAP,MSCHAP-V2
>>
>>
>>                 EAPTLS_CertificateFile %D/certificates/myhost.antlabs.com.pem
>>
>>                 EAPTLS_CertificateType PEM
>>                 #EAPTLS_CertificateType CRT
>>
>>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>>                 # the servers private key. It is sometimes in the same file
>>                 # as the server certificate (EAPTLS_CertificateFile)
>>                 # If the private key is encrypted (usually the case)
>>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>>                 #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>                 EAPTLS_PrivateKeyFile %D/certificates/myhost.antlabs.com.key
>>                 #EAPTLS_PrivateKeyFile /etc/radiator/certificates/myhost.antlabs.com.key
>> #               EAPTLS_PrivateKeyFile %D/certificates/myhost.pem
>>                 #EAPTLS_PrivateKeyPassword whatever
>>                 EAPTLS_PrivateKeyPassword hiddenpassword
>>
>> Debuging info:
>>
>> [root at AAA Radiator-3.9]# ./radiusd -foreground  -config_file ./tt1.cfg
>> Fri Aug  6 23:04:27 2004: DEBUG: Finished reading configuration file
>> './tt1.cfg'
>> Fri Aug  6 23:04:27 2004: DEBUG: Reading dictionary file
>> '/usr/src/802/radiator/Radiator-3.9/dictionary'
>> Fri Aug  6 23:04:27 2004: DEBUG: Creating authentication port
>> 0.0.0.0:1812
>> Fri Aug  6 23:04:27 2004: DEBUG: Creating accounting port 0.0.0.0:1813
>> Fri Aug  6 23:04:27 2004: NOTICE: Server started: Radiator 3.9 on AAA
>>
>>
>>
>> Fri Aug  6 23:04:50 2004: DEBUG: Packet dump:
>> *** Received from 192.168.123.9 port 1814 ....
>>
>> Packet length = 266
>> 01 2a 01 0a 6b 23 57 6b 5f b8 ea 46 bd 67 35 ac
>> 73 e7 51 2a 01 07 68 65 6c 6c 6f 1a 36 00 00 37
>> 2a 01 30 69 73 6f 63 63 3d 28 6e 75 6c 6c 29 2c
>> 63 63 3d 28 6e 75 6c 6c 29 2c 61 63 3d 28 6e 75
>> 6c 6c 29 2c 6e 65 74 77 6f 72 6b 3d 47 45 4d 31
>> 58 1a 19 00 00 37 2a 02 13 6f 70 65 72 61 74 6f
>> 72 2c 6c 6f 63 61 74 69 6f 6e 04 06 0a 00 00 01
>> 06 06 00 00 00 02 05 06 00 00 00 03 57 03 33 1e
>> 19 30 30 2d 39 30 2d 34 42 2d 37 42 2d 41 31 2d
>> 43 30 3a 47 45 4d 31 58 1f 13 30 30 2d 30 43 2d
>> 46 31 2d 30 38 2d 33 37 2d 42 46 0c 06 00 00 05
>> 78 3d 06 00 00 00 13 20 18 30 30 2d 39 30 2d 34
>> 62 2d 37 62 2d 61 31 2d 63 30 3a 50 33 32 30 4d
>> 18 43 4f 4e 4e 45 43 54 20 31 31 4d 62 70 73 20
>> 38 30 32 2e 31 31 62 4f 0c 02 01 00 0a 01 68 65
>> 6c 6c 6f 50 12 a3 6c 26 6a 29 c3 cf 09 f1 3a af
>> e2 a7 d9 7a 27 21 05 31 35 35
>> Code:       Access-Request
>> Identifier: 42
>> Authentic:  k#Wk_<184><234>F<189>g5<172>s<231>Q*
>> Attributes:
>>         User-Name = "hello"
>>         WISPr-Location-ID =
>> "isocc=(null),cc=(null),ac=(null),network=GEM1X"
>>         WISPr-Location-Name = "operator,location"
>>         NAS-IP-Address = 10.0.0.1
>>         Service-Type = Framed-User
>>         NAS-Port = 3
>>         NAS-Port-Id = "3"
>>         Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
>>         Calling-Station-Id = "00-0C-F1-08-37-BF"
>>         Framed-MTU = 1400
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
>>         Connect-Info = "CONNECT 11Mbps 802.11b"
>>         EAP-Message = <2><1><0><10><1>hello
>>         Message-Authenticator =
>> <163>l&j)<195><207><9><241>:<175><226><167><217>z'
>>         Proxy-State = 155
>>
>> Fri Aug  6 23:04:50 2004: DEBUG: Handling request with Handler ''
>> Fri Aug  6 23:04:50 2004: DEBUG:  Deleting session for hello,
>> 10.0.0.1, 3
>> Fri Aug  6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL
>> Fri Aug  6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL:
>> Fri Aug  6 23:04:50 2004: DEBUG: Handling with EAP: code 2, 1, 10
>> Fri Aug  6 23:04:50 2004: DEBUG: Response type 1
>> Fri Aug  6 23:04:50 2004: ERR: TLS could not load_verify_locations , :
>> Fri Aug  6 23:04:50 2004: DEBUG: EAP result: 1, EAP TLS Could not
>> initialise
>> context
>> Fri Aug  6 23:04:50 2004: INFO: Access rejected for hello: EAP TLS
>> Could not
>> initialise context
>> Fri Aug  6 23:04:50 2004: DEBUG: Packet dump:
>> *** Sending to 192.168.123.9 port 1814 ....
>>
>> Packet length = 41
>> 03 2a 00 29 de 49 a8 63 73 f4 3d 7e 46 3b f0 77
>> f0 4e 7e 85 12 10 52 65 71 75 65 73 74 20 44 65
>> 6e 69 65 64 21 05 31 35 35
>> Code:       Access-Reject
>> Identifier: 42
>> Authentic:  k#Wk_<184><234>F<189>g5<172>s<231>Q*
>> Attributes:
>>         Reply-Message = "Request Denied"
>>         Proxy-State = 155
>>
>> Fri Aug  6 23:05:05 2004: DEBUG: Packet dump:
>> *** Received from 192.168.123.9 port 1814 ....
>>
>> Packet length = 266
>> 01 2b 01 0a 64 a2 eb e1 33 a6 36 6a ea dd 0b e5
>> be e9 8b 22 01 07 73 63 6f 74 74 1a 36 00 00 37
>> 2a 01 30 69 73 6f 63 63 3d 28 6e 75 6c 6c 29 2c
>> 63 63 3d 28 6e 75 6c 6c 29 2c 61 63 3d 28 6e 75
>> 6c 6c 29 2c 6e 65 74 77 6f 72 6b 3d 47 45 4d 31
>> 58 1a 19 00 00 37 2a 02 13 6f 70 65 72 61 74 6f
>> 72 2c 6c 6f 63 61 74 69 6f 6e 04 06 0a 00 00 01
>> 06 06 00 00 00 02 05 06 00 00 00 03 57 03 33 1e
>> 19 30 30 2d 39 30 2d 34 42 2d 37 42 2d 41 31 2d
>> 43 30 3a 47 45 4d 31 58 1f 13 30 30 2d 30 43 2d
>> 46 31 2d 30 38 2d 33 37 2d 42 46 0c 06 00 00 05
>> 78 3d 06 00 00 00 13 20 18 30 30 2d 39 30 2d 34
>> 62 2d 37 62 2d 61 31 2d 63 30 3a 50 33 32 30 4d
>> 18 43 4f 4e 4e 45 43 54 20 31 31 4d 62 70 73 20
>> 38 30 32 2e 31 31 62 4f 0c 02 02 00 0a 01 73 63
>> 6f 74 74 50 12 80 4b 89 4b 8f ad 7a c7 a3 d5 a6
>> 5e b0 d6 23 19 21 05 31 35 36
>> Code:       Access-Request
>> Identifier: 43
>> Authentic:  
>> d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
>> Attributes:
>>         User-Name = "scott"
>>         WISPr-Location-ID =
>> "isocc=(null),cc=(null),ac=(null),network=GEM1X"
>>         WISPr-Location-Name = "operator,location"
>>         NAS-IP-Address = 10.0.0.1
>>         Service-Type = Framed-User
>>         NAS-Port = 3
>>         NAS-Port-Id = "3"
>>         Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
>>         Calling-Station-Id = "00-0C-F1-08-37-BF"
>>         Framed-MTU = 1400
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
>>         Connect-Info = "CONNECT 11Mbps 802.11b"
>>         EAP-Message = <2><2><0><10><1>scott
>>         Message-Authenticator =
>> <128>K<137>K<143><173>z<199><163><213><166>^<176><214>#<25>
>>         Proxy-State = 156
>>
>> Fri Aug  6 23:05:05 2004: DEBUG: Handling request with Handler ''
>> Fri Aug  6 23:05:05 2004: DEBUG:  Deleting session for scott,
>> 10.0.0.1, 3
>> Fri Aug  6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL
>> Fri Aug  6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL:
>> Fri Aug  6 23:05:05 2004: DEBUG: Handling with EAP: code 2, 2, 10
>> Fri Aug  6 23:05:05 2004: DEBUG: Response type 1
>> Fri Aug  6 23:05:05 2004: ERR: TLS could not load_verify_locations , :
>> Fri Aug  6 23:05:05 2004: DEBUG: EAP result: 1, EAP TLS Could not
>> initialise
>> context
>> Fri Aug  6 23:05:05 2004: INFO: Access rejected for scott: EAP TLS
>> Could not
>> initialise context
>> Fri Aug  6 23:05:05 2004: DEBUG: Packet dump:
>> *** Sending to 192.168.123.9 port 1814 ....
>>
>> Packet length = 41
>> 03 2b 00 29 43 89 dc ac 25 80 f5 79 2e df dc b9
>> 46 58 5b 41 12 10 52 65 71 75 65 73 74 20 44 65
>> 6e 69 65 64 21 05 31 35 36
>> Code:       Access-Reject
>> Identifier: 43
>> Authentic:  
>> d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
>> Attributes:
>>         Reply-Message = "Request Denied"
>>         Proxy-State = 156
>>
>>
>> [root at AAA Radiator-3.9]#
>>
>> [root at AAA certificates]# ls
>> cert-clt.p12  demoCA                   myhost.antlabs.com.pem  
>> root.pem
>> cert-clt.pem  myhost.antlabs.com.crt  README
>> cert-srv.pem  myhost.antlabs.com.key  root.der
>> [root at AAA certificates]#
>>
>>
>>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
>> Behalf Of Bon sy
>> Sent: Tuesday, August 03, 2004 7:10 PM
>> To: Terry Simons
>> Cc: scottxiao at antlabs.com; radiator at open.com.au
>> Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100
>> WLAN
>>
>>
>> Hi Scott and Terry,
>>
>> 	If your main concern is the cost as Terry mentioned, you may want
>> to consider building your own CA using openssl. If a moderate cost
>> investment may fit your budget, you may want to look into CATool as
>> Mike/Hugh has suggested previously.
>>
>> 	We have tried and used both. Building your own CA using openssl is
>> more involved --- and obviously you have to provide your own technical
>> support --- compared to using CATool. If you do want to build your own
>> CA using openssl and to avoid the frustration causing your late night
>> sleepless symptom, we find it important to build up the comfort level on
>> openssl, perl, and Linux, and definitely read up a lot from the mailing
>> list, before doing it.
>>
>> Bon
>>
>>
>> On Mon, 2 Aug 2004, Terry Simons wrote:
>>
>>> Hi Scott,
>>>
>>> You *can* reuse a server certificate in another location later.
>>>
>>> The domain name has no real significance, except that you need to
>>> verify it on the client to ensure that your clients are secure.  The
>>> domain can be whatever you like, and can exist on multiple servers...
>>> there is no inherent tie to any given server.
>>>
>>> That said, it is probably *not* a good idea to reuse certificates in a
>>> production environment, but it does work.
>>>
>>> Is the main reason why you are purchasing certificates to ensure that
>>> the client has a pre-installed CA certificate that will verify your
>>> certificate, or for some other reason?
>>>
>>> If your main concern is the cost, you should probably consider rolling
>>> your own certificates.
>>>
>>> - Terry
>>>
>>> On Aug 2, 2004, at 8:59 PM, Scott Xiao - ANTlabs wrote:
>>>
>>>>
>>>> Hi,
>>>> Can any of you recommend one workable Radius (Radiator) server certificate
>>>> besides Verisign? I want to buy a cheaper one, use it in 802.1x PEAP WLAN
>>>> hotspot. If I use it for domain "hostname.mydomain.com", can I use the same
>>>> certificate in future if I deploy a same WLAN in another place which will
>>>> still use the same domain name? Thanks!
>>>> Rgds
>>>> Scott Xiao
>>>> -----Original Message-----
>>>> From: owner-radiator at open.com.au
>>>> [mailto:owner-radiator at open.com.au]On
>>>> Behalf Of Terry Simons
>>>> Sent: Thursday, July 29, 2004 1:15 PM
>>>> To: Christian Wiedmann
>>>> Cc: radiator at open.com.au
>>>> Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100
>>>> WLAN
>>>>
>>>>
>>>> Hi,
>>>>
>>>> On Jul 28, 2004, at 1:32 PM, Christian Wiedmann wrote:
>>>>
>>>>> As far as I know, the XP server extension OID is the one that is
>>>>> also
>>>>> used for web servers.  Therefore, a web server certificate should
>>>>> work.
>>>>
>>>> This is true.  There is one thing that people should probably be aware
>>>> of, however.
>>>>
>>>> At the last Networld + Interop HotStage, we did some extensive testing
>>>> with this and it was determined that what should probably happen is to
>>>> officially apply for some OIDs for 802.1X authentication servers.  One
>>>> of the HotStage members that is involved in the IETF and the IEEE is
>>>> pushing that a bit, so it could be the case that a "proper" OID set
>>>> will come out in the future.  It could be a ways out, but I personally
>>>> hope that it happens so we can have an "official" way of creating
>>>> "802.1X authentication" certificates.
>>>>
>>>> - Terry
>>>>
>>>>>
>>>>> For what it's worth, I've successfully used a Verisign web server certificate
>>>>> for PEAP authentication against Windows XP SP1.  I think there's a good
>>>>> chance a freessl certificate would work too.
>>>>>
>>>>> 	-Christian
>>>>>
>>>>> ref.:
>>>>> http://support.microsoft.com/?kbid=814394
>>>>> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.1.html
>>>>> http://www.ietf.org/rfc/rfc2459.txt
>>>>>
>>>>> On Wed, 28 Jul 2004, Mike McCauley wrote:
>>>>>
>>>>>> Date: Wed, 28 Jul 2004 19:35:44 +1000
>>>>>> From: Mike McCauley <mikem at open.com.au>
>>>>>> To: scottxiao at antlabs.com
>>>>>> Cc: Radiator <radiator at open.com.au>
>>>>>> Subject: Re: (RADIATOR) SSL certificate for  802.1x
>>>>>> PEAP/aironet1100
>>>>>> WLAN
>>>>>>
>>>>>> Hi Scott,
>>>>>>
>>>>>>
>>>>>> On Wednesday 28 July 2004 18:41, Scott Xiao  - ANTlabs wrote:
>>>>>>> Hi, Mike,
>>>>>>> Thanks, so do you have any suggestion that I can purchase regarding the
>>>>>>> cert for radius server? Verisign? Which type? If you have any
>>>>>>> recommendation that it works well on Radiator.... Thanks
>>>>>>
>>>>>> Verisign offer certificates for radius servers, but I don't know the
>>>>>> details of how to apply for one. They do work with Radiator. You should
>>>>>> try to get it in PEM format.
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
>

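A pre-flight check for the settings this thread turns on, added here as an example; it is my own Python, not Radiator's code and not anything posted above. It reads the EAPTLS_* lines from a config, expands %D as DbDir, and reports the two things Hugh and Scott go back and forth on: no EAPTLS_CAFile or EAPTLS_CAPath at all (which is what leaves both values empty in "TLS could not load_verify_locations , :"), and which PEM blocks each referenced file actually contains, so a certificate-only .pem beside a separate .key file is recognised as a valid split rather than as the cause. The DbDir /etc/radiator, the CA file name freessl-ca.pem, and the PEM bodies are constructed placeholders (not real certificates or keys); the `files` mapping stands in for reading the files from disk so the check runs offline.

```python
import re
from typing import Dict, List

# One PEM block; the label is captured so CERTIFICATE and the private-key
# labels can be told apart.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_eaptls_settings(config_text: str) -> Dict[str, str]:
    """Collect 'EAPTLS_Name value' lines; '#' lines are comments."""
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("EAPTLS_") and len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def expand_dbdir(value: str, dbdir: str) -> str:
    """In Radiator paths %D stands for DbDir."""
    return value.replace("%D", dbdir)


def pem_block_types(pem_text: str) -> List[str]:
    """Labels of the PEM blocks in a file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def key_is_encrypted(pem_text: str) -> bool:
    """Legacy keys carry 'Proc-Type: 4,ENCRYPTED'; PKCS#8 uses its own label."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "ENCRYPTED PRIVATE KEY" in pem_block_types(pem_text))


def check_eaptls(config_text: str, dbdir: str, files: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the TLS material looks loadable.

    `files` maps an expanded path to that file's contents (constructed here;
    replace with reads from disk in real use).
    """
    s = parse_eaptls_settings(config_text)
    findings: List[str] = []

    # 1. The error from the thread: no CA location at all.
    ca_file, ca_path = s.get("EAPTLS_CAFile"), s.get("EAPTLS_CAPath")
    if not ca_file and not ca_path:
        findings.append("neither EAPTLS_CAFile nor EAPTLS_CAPath is set")
    if ca_file:
        p = expand_dbdir(ca_file, dbdir)
        if p not in files:
            findings.append(f"EAPTLS_CAFile {p} does not exist")
        elif "CERTIFICATE" not in pem_block_types(files[p]):
            findings.append(f"EAPTLS_CAFile {p} has no CERTIFICATE block")

    # 2. Server certificate; the key may sit in the same file or in
    #    EAPTLS_PrivateKeyFile.
    cert = s.get("EAPTLS_CertificateFile")
    if not cert:
        findings.append("EAPTLS_CertificateFile is not set")
        return findings
    cert_p = expand_dbdir(cert, dbdir)
    if cert_p not in files:
        findings.append(f"EAPTLS_CertificateFile {cert_p} does not exist")
    elif "CERTIFICATE" not in pem_block_types(files[cert_p]):
        findings.append(f"EAPTLS_CertificateFile {cert_p} has no CERTIFICATE block")

    key_file = s.get("EAPTLS_PrivateKeyFile")
    key_p = expand_dbdir(key_file, dbdir) if key_file else cert_p
    key_text = files.get(key_p, "")
    if key_p not in files:
        findings.append(f"private key file {key_p} does not exist")
    elif not KEY_LABELS & set(pem_block_types(key_text)):
        findings.append(f"{key_p} contains no private key block")
    elif key_is_encrypted(key_text) and not s.get("EAPTLS_PrivateKeyPassword"):
        findings.append("private key is encrypted but EAPTLS_PrivateKeyPassword is not set")
    return findings


# Constructed sample material: the bodies are placeholders, not real DER.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder==\n-----END CERTIFICATE-----\n"
FAKE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIEplaceholder==\n"
            "-----END RSA PRIVATE KEY-----\n")

# The settings as posted in the thread (mail wrapping undone), and a fixed
# variant that adds a CA file (freessl-ca.pem is an assumed name).
BROKEN_CFG = """
    EAPType PEAP,MSCHAP-V2
    EAPTLS_CertificateFile %D/certificates/myhost.antlabs.com.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/myhost.antlabs.com.key
    EAPTLS_PrivateKeyPassword hiddenpassword
"""
FIXED_CFG = BROKEN_CFG + "    EAPTLS_CAFile %D/certificates/freessl-ca.pem\n"

DBDIR = "/etc/radiator"  # assumed DbDir
FILES = {
    f"{DBDIR}/certificates/myhost.antlabs.com.pem": FAKE_CERT,
    f"{DBDIR}/certificates/myhost.antlabs.com.key": FAKE_KEY,
    f"{DBDIR}/certificates/freessl-ca.pem": FAKE_CERT,
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, check_eaptls(cfg, DBDIR, FILES) or "ok")
```

The broken configuration yields exactly one finding, the missing CA location, and nothing about the certificate-only .pem, because the .key file supplies the private key block and EAPTLS_PrivateKeyPassword covers its encryption; adding EAPTLS_CAFile clears it. The check only looks at PEM structure, so pair it with an openssl verify of the server certificate against the CA file before going live.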

