(RADIATOR) Problem with public certificate
Fernando Romao
fromao at fe.up.pt
Wed Aug 29 09:09:48 CDT 2007
Hugh,
The certificate is in PEM format and it is installed on the RADIUS server.
The log is attached.
Thanks
Fernando
----- Configuration ------
<Handler Realm=fe.up.pt>
RejectHasReason
SessionDatabase accountSQLDB
AuthByPolicy ContinueAlways
AuthBy SQLAccounting
RewriteUsername s/^([^@]+).*/$1/
<AuthBy FILE>
Filename /etc/raddb/users
EAPType PEAP, MSCHAP-V2, TTLS, MD5-Challenge
EAPTLS_CAFile /root/Radiator-Current/certificates/CA/c1400ca.pem
EAPTLS_CAPath /root/Radiator-Current/certificates/CA/
EAPTLS_CertificateFile /root/Radiator-Current/certificates/GlobalSign_Wildcard_keycert.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /root/Radiator-Current/certificates/GlobalSign_Wildcard_keycert.pem
EAPTLS_PrivateKeyPassword passradiator
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
SSLeayTrace 4
EAPAnonymous anonymous at fe.up.pt
</AuthBy>
PostProcessingHook file:"/etc/raddb/hooks/hook_test.pl"
</Handler>
-----------------------------
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: quarta-feira, 29 de Agosto de 2007 11:40
To: Fernando Romao
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Problem with public certificate
Hello Fernando -
Could you please send me a copy of your configuration file together
with a more complete trace 4 debug showing what is happening?
What format is the certificate in, and where is it installed?
regards
Hugh
On 29 Aug 2007, at 19:17, Fernando Romao wrote:
> Hi,
>
> I purchased a public wildcard certificate for our ALTEON load
> balancer and I'm trying to use it on the RADIATOR server for PEAP
> wireless users to validate the server. But I'm having an error during
> the authentication.
>
> Error:
> ---------------
> Tue Aug 28 17:55:49 2007: ERR: EAP PEAP TLS read failed: 26626: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
>
> Tue Aug 28 17:55:49 2007: DEBUG: EAP result: 1, EAP PEAP TLS read failed
> Tue Aug 28 17:55:49 2007: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS read failed
> Tue Aug 28 17:55:49 2007: INFO: Access rejected for romao: EAP PEAP TLS read failed
> Tue Aug 28 17:55:49 2007: DEBUG: Packet dump:
> *** Sending to 172.20.51.48 port 1645 ....
> Code: Access-Reject
> Identifier: 189
> Authentic: <0>/slhS<178><248><186>M<127><197><245>q<172><146>
> Attributes:
> Reply-Message = "EAP PEAP TLS read failed"
> -----------------
>
> These are the certificate extensions; is some special extension
> missing? If not, what could be the problem?
>
> Thanks
>
> Fernando
>
> -----------
> X509v3 extensions:
> X509v3 Authority Key Identifier:
> keyid:7D:6D:2A:EC:66:AB:A7:51:36:AB:02:69:F1:70:8F:C4:59:0B:9A:1F
>
> Authority Information Access:
> CA Issuers - URI:http://secure.globalsign.net/cacert/orgv1.crt
>
> X509v3 CRL Distribution Points:
> URI:http://crl.globalsign.net/OrganizationVal1.crl
>
> X509v3 Subject Key Identifier:
> 94:18:C5:D6:93:DD:96:D2:97:93:52:55:75:D7:36:86:DA:F5:62:43
> X509v3 Basic Constraints:
> CA:FALSE
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto
> X509v3 Certificate Policies:
> Policy: 1.3.6.1.4.1.4146.1.20
> CPS: http://www.globalsign.net/repository/
>
> Netscape Cert Type:
> SSL Client, SSL Server
> Signature Algorithm: sha1WithRSAEncryption
> ---------------------
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: full-log.txt
URL: <http://www.open.com.au/pipermail/radiator/attachments/20070829/9d85022f/attachment.txt>
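Added example (not part of the original thread and not Radiator code): a Python parser for the `openssl x509 -text` extension listing quoted above, checking the usages a TLS server certificate needs when it is presented in PEAP. The `require_eku` switch, which models supplicants that insist on an EKU, and the constructed `CLIENT_ONLY` dump are assumptions; the check covers extensions only, not whether the client trusts the issuing chain.

```python
import re

# Extension listing as posted in the thread (abridged, mail line wraps rejoined).
POSTED = """\
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto
"""
# Constructed counter-example (not from the thread): a client-only certificate.
CLIENT_ONLY = """\
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication
"""

HEADER = re.compile(r"^(?:X509v3 )?([A-Za-z][A-Za-z0-9 ]*?):( critical)?$")

def parse_extensions(text):
    """Map extension name -> (critical, [values]) from `openssl x509 -text` output."""
    exts, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()   # tolerate mail quoting and indentation
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            exts[current] = (bool(m.group(2)), [])
        elif line and current:
            exts[current][1].extend(v.strip() for v in line.split(",") if v.strip())
    return exts

def server_cert_findings(exts, require_eku=True):
    """Extension problems for a TLS server certificate presented in PEAP/TTLS."""
    findings = []
    _, eku = exts.get("Extended Key Usage", (False, None))
    if eku is None and require_eku:      # assumption: supplicant insists on an EKU
        findings.append("no Extended Key Usage extension")
    elif eku is not None and "TLS Web Server Authentication" not in eku:
        findings.append("EKU lacks TLS Web Server Authentication")
    _, ku = exts.get("Key Usage", (False, None))
    if ku is not None and not {"Digital Signature", "Key Encipherment"} & set(ku):
        findings.append("Key Usage permits neither Digital Signature nor Key Encipherment")
    return findings

if __name__ == "__main__":
    print(server_cert_findings(parse_extensions(POSTED)) or "extensions OK")
```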