(RADIATOR) Error "TLS could not load_verify_locations" - FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN

Scott Xiao - ANTlabs scottxiao at antlabs.com
Mon Aug 9 06:29:03 CDT 2004


Hi, Mike,
Thanks! I think the 2nd point you mentioned is a bit possible. The
certificate is issued to the myhost.antlabs.com domain, but the host name of the
radius server is "aaa" without a domain name. So I added some lines to the
hosts file of the server

[root at AAA root]# more /etc/hosts
127.0.0.1               localhost
192.168.123.18          myhost.antlabs.com

and ran 2 commands, HOSTNAME=myhost , DOMAINNAME=antlabs.com

but I still get the same error.
For the other points: 1. The server certificate is not a private one, I
purchased it from FreeSSL; 3. the date on the server and client are the same;
2. My client is configured to "validate server certificate" without choosing
"connect to these servers....". What do you mean by it's configured to limit the
server certificate to certain names? How can I check what the name in the
server certificate is?
Please advise. Now I am using the purchased Radiator software instead of
the trial software (that one expired); can I have some other type of prompt
support? Because I need to deploy it within 2 days. Thanks!
Rgds
Scott

-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au]
Sent: Monday, August 09, 2004 6:34 PM
To: scottxiao at antlabs.com
Cc: Radiator
Subject: Re: (RADIATOR) Error "TLS could not load_verify_locations" -
FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN


Hello Scott,

It's hard to be sure since you did not include the whole trace file, but
this:
tlsv1 alert access denied
indicates that the client didn't like the server certificate. Usually this is
because

1. you are using a private server certificate but the client does not have
the corresponding root certificate.
2. The client is configured to limit the server certificate to certain
names, but the name in the server certificate does not match.
3. The clock on the client is outside the valid date range of the server
certificate.

Cheers.



On Monday 09 August 2004 14:44, Scott Xiao  - ANTlabs wrote:
> Hi, Hugh,
> Thanks! I did some updates on my config file according to your and
> Christian's advice. I downloaded the root CA from FreeSSL and saved it in the
> certificate directory in pem format, and tested again; then I encountered
> another error " EAP PEAP TLS read failed:  2144: 1 - error:14094419:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert access denied" , what could be the
> cause here? Please advise, thanks a lot!!! Here below is my updated config
> file (part) and the error log:
>
> Config file:
>
> EAPType PEAP,MSCHAP-V2
>
>                 EAPTLS_CAFile %D/certificates/UTN.pem
>
>                 EAPTLS_CertificateFile
> %D/certificates/myhost.antlabs.com.pem
>
>                 EAPTLS_CertificateType PEM
>
>                 EAPTLS_PrivateKeyFile
> %D/certificates/myhost.antlabs.com.key
>
>                 EAPTLS_PrivateKeyPassword [password(hidden)]
>
> Error Log:
> Code:       Access-Request
> Identifier: 52
> Authentic:  <29>rW<223><165><165>,<151><164><138>B_@<194>=<232>
> Attributes:
>         User-Name = "hello"
>         WISPr-Location-ID = "isocc=(null),cc=(null),ac=(null),network=GEM1X"
>         WISPr-Location-Name = "operator,location"
>         NAS-IP-Address = 10.0.0.1
>         Service-Type = Framed-User
>         NAS-Port = 3
>         NAS-Port-Id = "3"
>         Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
>         Calling-Station-Id = "00-0C-F1-08-37-BF"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message =
>
<2><10><0>!<25><128><0><0><0><23><21><3><1><0><18>'<245><137><179><200>3<16
>7
>
> >nL<133><196>y<243><146>*[m<140>
>
>         Message-Authenticator =
> kW<200><133><164><209>,'<166><19><209><223><197>3h<243>
>         Proxy-State = 165
>
> Mon Aug  9 12:19:41 2004: DEBUG: Handling request with Handler ''
> Mon Aug  9 12:19:41 2004: DEBUG:  Deleting session for hello, 10.0.0.1, 3
> Mon Aug  9 12:19:41 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Aug  9 12:19:41 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Aug  9 12:19:41 2004: DEBUG: Handling with EAP: code 2, 10, 33
> Mon Aug  9 12:19:41 2004: DEBUG: Response type 25
> Mon Aug  9 12:19:41 2004: ERR: EAP PEAP TLS read failed:  2144: 1 -
> error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
>
> Mon Aug  9 12:19:41 2004: DEBUG: EAP result: 1, EAP PEAP TLS read failed
> Mon Aug  9 12:19:41 2004: INFO: Access rejected for hello: EAP PEAP TLS
> read failed
> Mon Aug  9 12:19:41 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
>
> Packet length = 41
> 03 34 00 29 d8 e5 80 35 df 65 12 80 66 9f 3e 42
> 41 03 fe 70 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64 21 05 31 36 35
> Code:       Access-Reject
> Identifier: 52
> Authentic:  <29>rW<223><165><165>,<151><164><138>B_@<194>=<232>
> Attributes:
>         Reply-Message = "Request Denied"
>         Proxy-State = 165
>
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> Behalf Of Hugh Irvine
> Sent: Saturday, August 07, 2004 2:49 PM
> To: scottxiao at antlabs.com
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Error "TLS could not load_verify_locations" -
> FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN
>
>
>
> Hello Scott -
>
> The problem is that Radiator cannot find the CA certificates because
> neither EAPTLS_CAFile nor EAPTLS_CAPath are defined.
>
> The example configuration file "goodies/eap_tls.cfg" shows a working
> example.
>
> regards
>
> Hugh
>
> On 7 Aug 2004, at 13:26, Scott Xiao - ANTlabs wrote:
> > Thanks Hugh!
> > But I still don't understand the relationship between that message
> > and my problem of PEAP "EAP TLS Could not initialise context". Since I have a
> > certificate from FreeSSL, do I still need the cert in
> > "demoCA/cacert.pem"?
> > Do you have a sample configuration for using an actual certificate instead of
> > a self-signed certificate? Thanks!
> > Rgds
> > Scott
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Saturday, August 07, 2004 7:32 AM
> > To: scottxiao at antlabs.com
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Error "TLS could not load_verify_locations" -
> > FreeSSL certificate for Radiator 802.1x PEAP/aironet1100 WLAN
> >
> >
> >
> > Hello Scott -
> >
> > The complete message is this:
> >
> > TLS.pm:     $parent->log($main::LOG_ERR, "TLS could not
> > load_verify_locations $parent->{EAPTLS_CAFile},
> > $parent->{EAPTLS_CAPath}: $errs");
> >
> > See the example configuration file in "goodies/eap_tls.cfg".
> >
> > Here is the relevant section:
> >
> >                  # EAPTLS_CAFile is the name of a file of CA
> > certificates
> >                  # in PEM format. The file can contain several CA
> > certificates
> >                  # Radiator will first look in EAPTLS_CAFile then in
> >                  # EAPTLS_CAPath, so there usually is no need to set
> > both
> >                  EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> >
> >                  # EAPTLS_CAPath is the name of a directory containing
> > CA
> >                  # certificates (and possible CRLs) in PEM format. The
> > files each contain one
> >                  # CA certificate. The files are looked up by the CA
> >                  # subject name hash value
> > #               EAPTLS_CAPath %D/certificates/demoCA
> >
> > regards
> >
> > Hugh
> >
> > On 7 Aug 2004, at 01:22, Scott Xiao - ANTlabs wrote:
> >> Hi,
> >> Thanks for all the help on my timer issue, PEAP, acct stop issue; all
> >> those are resolved.
> >> The current issue is, I got an error of "TLS could not
> >> load_verify_locations" with an actual certificate; see the config file
> >> and debug below.
> >> I purchased a server certificate from freessl.com, copied the text part
> >> of the cert into a text file and saved it in the certificate directory of
> >> radiator as a .pem file, together with the private key file (.key file).
> >> Then I modified the config file to point the path to the certificate
> >> directory, instead of using the sample certificates. I found the sample
> >> pem file has 2 parts, public key and private key inside, while my pem
> >> file (server cert) has only one part, which is the server cert itself.
> >> But I don't think it's an issue since the comments in the file say it
> >> could be the same file for the keys. Then I tested, and got the error as
> >> mentioned. Can you advise what the problem is? FreeSSL's webserver cert
> >> should work in this scenario, right? How to make a pem file have 2 parts
> >> like the sample one? Thanks!!
> >> Rgds
> >> Scott
> >>
> >>
> >> config file:
> >>
> >>   EAPType PEAP,MSCHAP-V2
> >>
> >>
> >>                 EAPTLS_CertificateFile
> >> %D/certificates/myhost.antlabs.com.pem
> >>
> >>                 EAPTLS_CertificateType PEM
> >>                 #EAPTLS_CertificateType CRT
> >>
> >>                 # EAPTLS_PrivateKeyFile is the name of the file
> >> containing
> >>                 # the servers private key. It is sometimes in the same
> >> file
> >>                 # as the server certificate (EAPTLS_CertificateFile)
> >>                 # If the private key is encrypted (usually the case)
> >>                 # then EAPTLS_PrivateKeyPassword is the key to
> >> descrypt it
> >>                 #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> >>                 EAPTLS_PrivateKeyFile
> >> %D/certificates/myhost.antlabs.com.key
> >>                 #EAPTLS_PrivateKeyFile
> >> /etc/radiator/certificates/myhost.antlabs.com.key
> >> #               EAPTLS_PrivateKeyFile %D/certificates/myhost.pem
> >>                 #EAPTLS_PrivateKeyPassword whatever
> >>                 EAPTLS_PrivateKeyPassword hiddenpassword
> >>
> >> Debugging info:
> >>
> >> [root at AAA Radiator-3.9]# ./radiusd -foreground  -config_file ./tt1.cfg
> >> Fri Aug  6 23:04:27 2004: DEBUG: Finished reading configuration file
> >> './tt1.cfg'
> >> Fri Aug  6 23:04:27 2004: DEBUG: Reading dictionary file
> >> '/usr/src/802/radiator/Radiator-3.9/dictionary'
> >> Fri Aug  6 23:04:27 2004: DEBUG: Creating authentication port
> >> 0.0.0.0:1812
> >> Fri Aug  6 23:04:27 2004: DEBUG: Creating accounting port 0.0.0.0:1813
> >> Fri Aug  6 23:04:27 2004: NOTICE: Server started: Radiator 3.9 on AAA
> >>
> >>
> >>
> >> Fri Aug  6 23:04:50 2004: DEBUG: Packet dump:
> >> *** Received from 192.168.123.9 port 1814 ....
> >>
> >> Packet length = 266
> >> 01 2a 01 0a 6b 23 57 6b 5f b8 ea 46 bd 67 35 ac
> >> 73 e7 51 2a 01 07 68 65 6c 6c 6f 1a 36 00 00 37
> >> 2a 01 30 69 73 6f 63 63 3d 28 6e 75 6c 6c 29 2c
> >> 63 63 3d 28 6e 75 6c 6c 29 2c 61 63 3d 28 6e 75
> >> 6c 6c 29 2c 6e 65 74 77 6f 72 6b 3d 47 45 4d 31
> >> 58 1a 19 00 00 37 2a 02 13 6f 70 65 72 61 74 6f
> >> 72 2c 6c 6f 63 61 74 69 6f 6e 04 06 0a 00 00 01
> >> 06 06 00 00 00 02 05 06 00 00 00 03 57 03 33 1e
> >> 19 30 30 2d 39 30 2d 34 42 2d 37 42 2d 41 31 2d
> >> 43 30 3a 47 45 4d 31 58 1f 13 30 30 2d 30 43 2d
> >> 46 31 2d 30 38 2d 33 37 2d 42 46 0c 06 00 00 05
> >> 78 3d 06 00 00 00 13 20 18 30 30 2d 39 30 2d 34
> >> 62 2d 37 62 2d 61 31 2d 63 30 3a 50 33 32 30 4d
> >> 18 43 4f 4e 4e 45 43 54 20 31 31 4d 62 70 73 20
> >> 38 30 32 2e 31 31 62 4f 0c 02 01 00 0a 01 68 65
> >> 6c 6c 6f 50 12 a3 6c 26 6a 29 c3 cf 09 f1 3a af
> >> e2 a7 d9 7a 27 21 05 31 35 35
> >> Code:       Access-Request
> >> Identifier: 42
> >> Authentic:  k#Wk_<184><234>F<189>g5<172>s<231>Q*
> >> Attributes:
> >>         User-Name = "hello"
> >>         WISPr-Location-ID =
> >> "isocc=(null),cc=(null),ac=(null),network=GEM1X"
> >>         WISPr-Location-Name = "operator,location"
> >>         NAS-IP-Address = 10.0.0.1
> >>         Service-Type = Framed-User
> >>         NAS-Port = 3
> >>         NAS-Port-Id = "3"
> >>         Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
> >>         Calling-Station-Id = "00-0C-F1-08-37-BF"
> >>         Framed-MTU = 1400
> >>         NAS-Port-Type = Wireless-IEEE-802-11
> >>         NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
> >>         Connect-Info = "CONNECT 11Mbps 802.11b"
> >>         EAP-Message = <2><1><0><10><1>hello
> >>         Message-Authenticator =
> >> <163>l&j)<195><207><9><241>:<175><226><167><217>z'
> >>         Proxy-State = 155
> >>
> >> Fri Aug  6 23:04:50 2004: DEBUG: Handling request with Handler ''
> >> Fri Aug  6 23:04:50 2004: DEBUG:  Deleting session for hello,
> >> 10.0.0.1, 3
> >> Fri Aug  6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL
> >> Fri Aug  6 23:04:50 2004: DEBUG: Handling with Radius::AuthSQL:
> >> Fri Aug  6 23:04:50 2004: DEBUG: Handling with EAP: code 2, 1, 10
> >> Fri Aug  6 23:04:50 2004: DEBUG: Response type 1
> >> Fri Aug  6 23:04:50 2004: ERR: TLS could not load_verify_locations , :
> >> Fri Aug  6 23:04:50 2004: DEBUG: EAP result: 1, EAP TLS Could not
> >> initialise
> >> context
> >> Fri Aug  6 23:04:50 2004: INFO: Access rejected for hello: EAP TLS
> >> Could not
> >> initialise context
> >> Fri Aug  6 23:04:50 2004: DEBUG: Packet dump:
> >> *** Sending to 192.168.123.9 port 1814 ....
> >>
> >> Packet length = 41
> >> 03 2a 00 29 de 49 a8 63 73 f4 3d 7e 46 3b f0 77
> >> f0 4e 7e 85 12 10 52 65 71 75 65 73 74 20 44 65
> >> 6e 69 65 64 21 05 31 35 35
> >> Code:       Access-Reject
> >> Identifier: 42
> >> Authentic:  k#Wk_<184><234>F<189>g5<172>s<231>Q*
> >> Attributes:
> >>         Reply-Message = "Request Denied"
> >>         Proxy-State = 155
> >>
> >> Fri Aug  6 23:05:05 2004: DEBUG: Packet dump:
> >> *** Received from 192.168.123.9 port 1814 ....
> >>
> >> Packet length = 266
> >> 01 2b 01 0a 64 a2 eb e1 33 a6 36 6a ea dd 0b e5
> >> be e9 8b 22 01 07 73 63 6f 74 74 1a 36 00 00 37
> >> 2a 01 30 69 73 6f 63 63 3d 28 6e 75 6c 6c 29 2c
> >> 63 63 3d 28 6e 75 6c 6c 29 2c 61 63 3d 28 6e 75
> >> 6c 6c 29 2c 6e 65 74 77 6f 72 6b 3d 47 45 4d 31
> >> 58 1a 19 00 00 37 2a 02 13 6f 70 65 72 61 74 6f
> >> 72 2c 6c 6f 63 61 74 69 6f 6e 04 06 0a 00 00 01
> >> 06 06 00 00 00 02 05 06 00 00 00 03 57 03 33 1e
> >> 19 30 30 2d 39 30 2d 34 42 2d 37 42 2d 41 31 2d
> >> 43 30 3a 47 45 4d 31 58 1f 13 30 30 2d 30 43 2d
> >> 46 31 2d 30 38 2d 33 37 2d 42 46 0c 06 00 00 05
> >> 78 3d 06 00 00 00 13 20 18 30 30 2d 39 30 2d 34
> >> 62 2d 37 62 2d 61 31 2d 63 30 3a 50 33 32 30 4d
> >> 18 43 4f 4e 4e 45 43 54 20 31 31 4d 62 70 73 20
> >> 38 30 32 2e 31 31 62 4f 0c 02 02 00 0a 01 73 63
> >> 6f 74 74 50 12 80 4b 89 4b 8f ad 7a c7 a3 d5 a6
> >> 5e b0 d6 23 19 21 05 31 35 36
> >> Code:       Access-Request
> >> Identifier: 43
> >> Authentic:
> >> d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
> >> Attributes:
> >>         User-Name = "scott"
> >>         WISPr-Location-ID =
> >> "isocc=(null),cc=(null),ac=(null),network=GEM1X"
> >>         WISPr-Location-Name = "operator,location"
> >>         NAS-IP-Address = 10.0.0.1
> >>         Service-Type = Framed-User
> >>         NAS-Port = 3
> >>         NAS-Port-Id = "3"
> >>         Called-Station-Id = "00-90-4B-7B-A1-C0:GEM1X"
> >>         Calling-Station-Id = "00-0C-F1-08-37-BF"
> >>         Framed-MTU = 1400
> >>         NAS-Port-Type = Wireless-IEEE-802-11
> >>         NAS-Identifier = "00-90-4b-7b-a1-c0:P320"
> >>         Connect-Info = "CONNECT 11Mbps 802.11b"
> >>         EAP-Message = <2><2><0><10><1>scott
> >>         Message-Authenticator =
> >> <128>K<137>K<143><173>z<199><163><213><166>^<176><214>#<25>
> >>         Proxy-State = 156
> >>
> >> Fri Aug  6 23:05:05 2004: DEBUG: Handling request with Handler ''
> >> Fri Aug  6 23:05:05 2004: DEBUG:  Deleting session for scott,
> >> 10.0.0.1, 3
> >> Fri Aug  6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL
> >> Fri Aug  6 23:05:05 2004: DEBUG: Handling with Radius::AuthSQL:
> >> Fri Aug  6 23:05:05 2004: DEBUG: Handling with EAP: code 2, 2, 10
> >> Fri Aug  6 23:05:05 2004: DEBUG: Response type 1
> >> Fri Aug  6 23:05:05 2004: ERR: TLS could not load_verify_locations , :
> >> Fri Aug  6 23:05:05 2004: DEBUG: EAP result: 1, EAP TLS Could not
> >> initialise
> >> context
> >> Fri Aug  6 23:05:05 2004: INFO: Access rejected for scott: EAP TLS
> >> Could not
> >> initialise context
> >> Fri Aug  6 23:05:05 2004: DEBUG: Packet dump:
> >> *** Sending to 192.168.123.9 port 1814 ....
> >>
> >> Packet length = 41
> >> 03 2b 00 29 43 89 dc ac 25 80 f5 79 2e df dc b9
> >> 46 58 5b 41 12 10 52 65 71 75 65 73 74 20 44 65
> >> 6e 69 65 64 21 05 31 35 36
> >> Code:       Access-Reject
> >> Identifier: 43
> >> Authentic:
> >> d<162><235><225>3<166>6j<234><221><11><229><190><233><139>"
> >> Attributes:
> >>         Reply-Message = "Request Denied"
> >>         Proxy-State = 156
> >>
> >>
> >> [root at AAA Radiator-3.9]#
> >>
> >> [root at AAA certificates]# ls
> >> cert-clt.p12  demoCA                   myhost.antlabs.com.pem
> >> root.pem
> >> cert-clt.pem  myhost.antlabs.com.crt  README
> >> cert-srv.pem  myhost.antlabs.com.key  root.der
> >> [root at AAA certificates]#
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> >> Behalf Of Bon sy
> >> Sent: Tuesday, August 03, 2004 7:10 PM
> >> To: Terry Simons
> >> Cc: scottxiao at antlabs.com; radiator at open.com.au
> >> Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100
> >> WLAN
> >>
> >>
> >> Hi Scott and Terry,
> >>
> >> 	If your main concern is the cost as Terry mentioned, you may want
> >> to consider building your own CA using openssl. If a moderate cost
> >> investment may fit your budget, you may want to look into CATool as
> >> Mike/Hugh has suggested previously.
> >>
> >> 	We have tried and used both. Building your own CA using openssl is
> >> more involved --- and obviously you have to provide your own technical
> >> support --- in comparison to using CATool. If you do want to build your
> >> own CA using openssl and to avoid the frustration causing your late night
> >> sleepless symptom, we find it important to build up the comfort level
> >> on openssl, perl, and Linux, and definitely read up a lot from the
> >> mailing list, before doing it.
> >>
> >> Bon
> >>
> >> On Mon, 2 Aug 2004, Terry Simons wrote:
> >>> Hi Scott,
> >>>
> >>> You *can* reuse a server certificate in another location later.
> >>>
> >>> The domain name has no real significance, except that you need to
> >>> verify it on the client to ensure that your clients are secure.  The
> >>> domain can be whatever you like, and can exist on multiple servers...
> >>> there is no inherent tie to any given server.
> >>>
> >>> That said, it is probably *not* a good idea to reuse certificates in
> >>> a production environment, but it does work.
> >>>
> >>> Is the main reason why you are purchasing certificates to ensure that
> >>> the client has a pre-installed CA certificate that will verify your
> >>> certificate, or for some other reason?
> >>>
> >>> If your main concern is the cost, you should probably consider
> >>> rolling your own certificates.
> >>>
> >>> - Terry
> >>>
> >>> On Aug 2, 2004, at 8:59 PM, Scott Xiao - ANTlabs wrote:
> >>>> Hi,
> >>>> Can any of you recommend one workable Radius (Radiator) server
> >>>> certificate besides Verisign? I want to buy a cheaper one and use it in
> >>>> an 802.1x PEAP WLAN hotspot. If I use it for domain
> >>>> "hostname.mydomain.com", can I use the same certificate in future if I
> >>>> deploy the same WLAN in another place which will still use the same
> >>>> domain name? Thanks!
> >>>> Rgds
> >>>> Scott Xiao
> >>>> -----Original Message-----
> >>>> From: owner-radiator at open.com.au
> >>>> [mailto:owner-radiator at open.com.au]On
> >>>> Behalf Of Terry Simons
> >>>> Sent: Thursday, July 29, 2004 1:15 PM
> >>>> To: Christian Wiedmann
> >>>> Cc: radiator at open.com.au
> >>>> Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100
> >>>> WLAN
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>> On Jul 28, 2004, at 1:32 PM, Christian Wiedmann wrote:
> >>>>> As far as I know, the XP server extension OID is the one that is
> >>>>> also used for web servers.  Therefore, a web server certificate
> >>>>> should work.
> >>>>
> >>>> This is true.  There is one thing that people should probably be
> >>>> aware of, however.
> >>>>
> >>>> At the last Networld + Interop HotStage, we did some extensive
> >>>> testing with this and it was determined that what should probably
> >>>> happen is to officially apply for some OIDs for 802.1X authentication
> >>>> servers. One of the HotStage members that is involved in the IETF and
> >>>> the IEEE is pushing that a bit, so it could be the case that a
> >>>> "proper" OID set will come out in the future.  It could be a ways out,
> >>>> but I personally hope that it happens so we can have an "official" way
> >>>> of creating "802.1X authentication" certificates.
> >>>>
> >>>> - Terry
> >>>>
> >>>>> For what it's worth, I've successfully used a Verisign web server
> >>>>> certificate for PEAP authentication against Windows XP SP1.  I think
> >>>>> there's a good chance a freessl certificate would work too.
> >>>>>
> >>>>> 	-Christian
> >>>>>
> >>>>> ref.:
> >>>>> http://support.microsoft.com/?kbid=814394
> >>>>> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.1.html
> >>>>> http://www.ietf.org/rfc/rfc2459.txt
> >>>>>
> >>>>> On Wed, 28 Jul 2004, Mike McCauley wrote:
> >>>>>> Date: Wed, 28 Jul 2004 19:35:44 +1000
> >>>>>> From: Mike McCauley <mikem at open.com.au>
> >>>>>> To: scottxiao at antlabs.com
> >>>>>> Cc: Radiator <radiator at open.com.au>
> >>>>>> Subject: Re: (RADIATOR) SSL certificate for  802.1x
> >>>>>> PEAP/aironet1100
> >>>>>> WLAN
> >>>>>>
> >>>>>> Hi Scott,
> >>>>>>
> >>>>>> On Wednesday 28 July 2004 18:41, Scott Xiao  - ANTlabs wrote:
> >>>>>>> Hi, Mike,
> >>>>>>> Thanks, so do you have any suggestion on what I can purchase
> >>>>>>> regarding the cert for the radius server? Verisign? Which type? If
> >>>>>>> you have any recommendation that works well on Radiator.... Thanks
> >>>>>>
> >>>>>> Verisign offer certificates for radius servers, but I don't know
> >>>>>> the details of how to apply for one. They do work with Radiator. You
> >>>>>> should try to get it in PEM format.
> >>>>>>
> >>>>>> Cheers.
> >>>>>
> >>>>> --
> >>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>> Announcements on radiator-announce at open.com.au
> >>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>> 'unsubscribe radiator' in the body of the message.
> >>>>
> >>>
> >>
> >>
> >>
> >
> > NB: have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >
> >
>
>
>
>
>

--
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.


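As an added example (not code from this thread, from Radiator or from Open System Consultants), the POSIX shell script below runs the checks the thread circles around on the three files Radiator loads for PEAP: does the CA file hold at least one certificate and does the server certificate chain to it (the load_verify_locations side), which CN and subjectAltName does the certificate carry (what a supplicant set to "validate server certificate" compares against), does it carry the serverAuth EKU that Christian's links describe, is it inside its validity period on this host's clock, and does the private key actually belong to it. It needs the openssl command line tool; the demo CA and server certificate it builds are constructed stand-ins for a purchased certificate and its issuer's root, and the host name myhost.antlabs.com and the file names are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the Radiator thread: pre-flight checks on the
# files a PEAP/EAP-TLS RADIUS server loads (the CA bundle behind
# EAPTLS_CAFile, the server cert behind EAPTLS_CertificateFile and the key
# behind EAPTLS_PrivateKeyFile). Needs the openssl CLI. The demo CA, the
# demo server certificate and the name myhost.antlabs.com are constructed.
set -eu

# make_demo_pki DIR HOST: build a throwaway CA and a server cert signed by it
# (constructed stand-ins for a purchased certificate and its issuer's root).
make_demo_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    # serverAuth (1.3.6.1.5.5.7.3.1) is the EKU a Windows supplicant expects
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/ext.cnf"
    openssl x509 -req -days 30 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/server.pem" >/dev/null 2>&1
    # A "two part" PEM is just the certificate and key blocks concatenated
    cat "$dir/server.pem" "$dir/server.key" > "$dir/server-combined.pem"
}

# cert_cn CERT: print the subject CN, the name a supplicant checks when it
# validates the server certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_sans CERT: print the subjectAltName entries (empty if none)
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_has_server_eku CERT: succeed if extendedKeyUsage includes serverAuth
cert_has_server_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# count_pem_certs FILE: number of CERTIFICATE blocks (a CA file needs >= 1)
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# cert_chain_ok CAFILE CERT: succeed if CERT chains to a cert in CAFILE, the
# same check the TLS library performs after load_verify_locations
cert_chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_in_date CERT: succeed if the cert has not expired on this host's clock
cert_in_date() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeed if the private key belongs to the cert.
# Export KEYPASS for an encrypted key (what EAPTLS_PrivateKeyPassword holds).
key_matches_cert() {
    pass_opt=""
    [ -n "${KEYPASS:-}" ] && pass_opt="-passin env:KEYPASS"
    k=$(openssl pkey -in "$1" $pass_opt -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# preflight CAFILE CERT KEY: run every check, print PASS/FAIL, fail if any fail
preflight() {
    ca=$1; cert=$2; key=$3; rc=0
    echo "subject CN       : $(cert_cn "$cert")"
    echo "subjectAltName   : $(cert_sans "$cert")"
    echo "CA certs in file : $(count_pem_certs "$ca")"
    report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi; }
    report cert_has_server_eku "$cert"
    report cert_chain_ok "$ca" "$cert"
    report cert_in_date "$cert"
    report key_matches_cert "$key" "$cert"
    return $rc
}

case "${1:-}" in
    demo) d=$(mktemp -d); make_demo_pki "$d" myhost.antlabs.com
          preflight "$d/ca.pem" "$d/server.pem" "$d/server.key" ;;
    "")   ;;   # no arguments: only define the functions
    *)    [ $# -eq 3 ] || { echo "usage: $0 demo | CAFILE CERT KEY" >&2; exit 2; }
          preflight "$1" "$2" "$3" ;;
esac
```

Run `sh peap_cert_check.sh demo` to see it against the constructed PKI, or `KEYPASS=... sh peap_cert_check.sh UTN.pem myhost.antlabs.com.pem myhost.antlabs.com.key` against the real files (the three names are the ones from the config in this thread). An empty or missing CAFILE is what produces the "TLS could not load_verify_locations" error, and a CAFILE that does not contain the issuer makes the chain check fail. The "tlsv1 alert access denied" is the supplicant's verdict, so this script can only rule out the server-side causes (name, dates, chain, key); whether the client trusts the issuing root still has to be checked on the client. The combined file it writes shows that the two-part PEM in the Radiator sample is just the certificate and key blocks concatenated.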

