(RADIATOR) Problem with public certificate

Fernando Romao fromao at fe.up.pt
Wed Aug 29 09:09:48 CDT 2007


Hugh,

The certificate is in PEM format and it is installed on the RADIUS server.
The log is attached.


Thanks
Fernando

----- Configuration ------
<Handler Realm=fe.up.pt>
        RejectHasReason

        SessionDatabase  accountSQLDB
        AuthByPolicy ContinueAlways
        AuthBy SQLAccounting
        RewriteUsername s/^([^@]+).*/$1/

        <AuthBy FILE>
                Filename /etc/raddb/users

                EAPType PEAP, MSCHAP-V2, TTLS, MD5-Challenge

                EAPTLS_CAFile /root/Radiator-Current/certificates/CA/c1400ca.pem
                EAPTLS_CAPath /root/Radiator-Current/certificates/CA/

                # Server certificate and private key are in the same PEM file;
                # the key is encrypted with the passphrase given below
                EAPTLS_CertificateFile /root/Radiator-Current/certificates/GlobalSign_Wildcard_keycert.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /root/Radiator-Current/certificates/GlobalSign_Wildcard_keycert.pem
                EAPTLS_PrivateKeyPassword passradiator

                EAPTLS_MaxFragmentSize 1024
                AutoMPPEKeys

                # OpenSSL-level tracing in the Radiator log
                SSLeayTrace 4

                EAPAnonymous anonymous@fe.up.pt
        </AuthBy>
        PostProcessingHook file:"/etc/raddb/hooks/hook_test.pl"
</Handler>
-----------------------------

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: Wednesday, 29 August 2007 11:40
To: Fernando Romao
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Problem with public certificate


Hello Fernando -

Could you please send me a copy of your configuration file together  
with a more complete trace 4 debug showing what is happening?

What format is the certificate in? and where is it installed?

regards

Hugh


On 29 Aug 2007, at 19:17, Fernando Romao wrote:

> Hi,
>
>
>
> I purchased a public wildcard certificate for our ALTEON load  
> balancer and I'm trying to use it on the RADIATOR server so that PEAP  
> wireless users can validate the server. But I'm getting an error during  
> the authentication.
>
> Error:
>
> ---------------
>
> Tue Aug 28 17:55:49 2007: ERR: EAP PEAP TLS read failed:  26626: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> Tue Aug 28 17:55:49 2007: DEBUG: EAP result: 1, EAP PEAP TLS read failed
> Tue Aug 28 17:55:49 2007: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS read failed
> Tue Aug 28 17:55:49 2007: INFO: Access rejected for romao: EAP PEAP TLS read failed
> Tue Aug 28 17:55:49 2007: DEBUG: Packet dump:
> *** Sending to 172.20.51.48 port 1645 ....
> Code:       Access-Reject
> Identifier: 189
> Authentic:  <0>/slhS<178><248><186>M<127><197><245>q<172><146>
> Attributes:
>         Reply-Message = "EAP PEAP TLS read failed"
>
> -----------------
>
>
>
> These are the certificate extensions. Is some special extension  
> missing? If not, what could be the problem?
>
> Thanks
>
> Fernando
>
>
>
> -----------
>
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:7D:6D:2A:EC:66:AB:A7:51:36:AB:02:69:F1:70:8F:C4:59:0B:9A:1F
>             Authority Information Access:
>                 CA Issuers - URI:http://secure.globalsign.net/cacert/orgv1.crt
>             X509v3 CRL Distribution Points:
>                 URI:http://crl.globalsign.net/OrganizationVal1.crl
>             X509v3 Subject Key Identifier:
>                 94:18:C5:D6:93:DD:96:D2:97:93:52:55:75:D7:36:86:DA:F5:62:43
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto
>             X509v3 Certificate Policies:
>                 Policy: 1.3.6.1.4.1.4146.1.20
>                   CPS: http://www.globalsign.net/repository/
>             Netscape Cert Type:
>                 SSL Client, SSL Server
>     Signature Algorithm: sha1WithRSAEncryption
>
>
>
> ---------------------
>
>
>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: full-log.txt
URL: <http://www.open.com.au/pipermail/radiator/attachments/20070829/9d85022f/attachment.txt>
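Two things in this thread can be checked without another wireless test: the OpenSSL error code in the Radiator log encodes the TLS alert the supplicant sent back, and the extension dump can be linted against what PEAP/EAP-TLS supplicants expect of a server certificate. The script below is an added example written for this page; it is not Radiator code and was not posted by anyone in the thread. The log line and the extension listing it embeds are copied from the thread (e-mail line wrapping undone, a few extensions omitted for brevity); the rules it applies (a TLS Web Server Authentication EKU, CA:FALSE, a Key Usage that permits signing or key transport) are the general supplicant requirements, not a diagnosis of this particular failure.

```python
"""Diagnose a supplicant-side PEAP rejection from Radiator's log line and the
server certificate's extension dump (`openssl x509 -noout -text`)."""
import re

# TLS AlertDescription values (RFC 2246 / RFC 5246, section 7.2), subset.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}

# OpenSSL packs an error code as 0xLLFFFRRR: library (8 bits), function
# (12 bits), reason (12 bits).  In the SSL library (0x14) a reason of
# 1000 + N means "the peer sent TLS alert N" (SSL_AD_REASON_OFFSET == 1000).
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000

def decode_openssl_error(code):
    """Split an OpenSSL error code into (lib, func, reason, alert_name);
    alert_name is None when the reason is not a received TLS alert."""
    lib, func, reason = (code >> 24) & 0xff, (code >> 12) & 0xfff, code & 0xfff
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = TLS_ALERTS.get(reason - SSL_AD_REASON_OFFSET, "unknown")
    return lib, func, reason, alert

def alert_from_log_line(line):
    """Name the TLS alert behind an 'error:XXXXXXXX:' token in a log line."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    return decode_openssl_error(int(m.group(1), 16))[3] if m else None

def parse_extensions(text):
    """Parse the extensions section of `openssl x509 -text` output into
    {name: {"critical": bool, "values": [lines]}}.  A header is a line ending
    in ':' (optionally ': critical') whose next line is indented deeper; the
    section ends when indentation drops below the header level."""
    rows = [(len(ln) - len(ln.lstrip()), ln.strip())
            for ln in text.splitlines() if ln.strip()]
    exts, name, hdr_indent = {}, None, None
    for i, (indent, s) in enumerate(rows):
        nxt = rows[i + 1][0] if i + 1 < len(rows) else -1
        m = re.match(r"^(.+?):(\s+critical)?$", s)
        if m and nxt > indent:
            name, hdr_indent = m.group(1), indent
            exts[name] = {"critical": bool(m.group(2)), "values": []}
        elif name is None:
            continue
        elif indent > hdr_indent:
            exts[name]["values"].append(s)
        else:
            break
    return {k: v for k, v in exts.items() if v["values"]}  # drops the outer header

def check_eap_server_cert(text):
    """Lint an extension dump for PEAP/EAP-TLS server use; returns a list of
    (passed, message).  Rules: a serverAuth EKU (Windows supplicants require
    it), an end-entity certificate, and a Key Usage that permits TLS use."""
    exts = parse_extensions(text)

    def joined(name):
        return ", ".join(exts[name]["values"]) if name in exts else ""

    eku, ku, bc = (joined("X509v3 Extended Key Usage"),
                   joined("X509v3 Key Usage"), joined("X509v3 Basic Constraints"))
    findings = [
        ("TLS Web Server Authentication" in eku,
         "EKU includes TLS Web Server Authentication: %s" % (eku or "absent")),
        ("CA:TRUE" not in bc, "Basic Constraints is not a CA: %s" % (bc or "absent")),
    ]
    if ku:  # an absent Key Usage permits everything; a present one must allow TLS
        crit = " (critical)" if exts["X509v3 Key Usage"]["critical"] else ""
        findings.append(("Digital Signature" in ku or "Key Encipherment" in ku,
                         "Key Usage%s allows signing or key transport: %s" % (crit, ku)))
    return findings

# Constructed sample input: the log line and (abridged) extension dump quoted
# in the thread, with the e-mail line wrapping undone.
SAMPLE_LOG = ("Tue Aug 28 17:55:49 2007: ERR: EAP PEAP TLS read failed:  26626: 1 "
              "- error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")
SAMPLE_EXTENSIONS = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                94:18:C5:D6:93:DD:96:D2:97:93:52:55:75:D7:36:86:DA:F5:62:43
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4146.1.20
                  CPS: http://www.globalsign.net/repository/
            Netscape Cert Type:
                SSL Client, SSL Server
    Signature Algorithm: sha1WithRSAEncryption
"""
```

On the thread's log line `alert_from_log_line` returns `access_denied`: reason 0x419 is 1049, which is 1000 + 49, and alert 49 is defined in RFC 2246 as "a valid certificate was received, but when access control was applied, the sender decided not to proceed". On the extension dump `check_eap_server_cert` passes all three rules, so the extensions on the page are consistent with server use; the alert points at the client's own trust and name checks, which this script cannot see. Feed it any `openssl x509 -noout -text` output and a Radiator log line to repeat the two checks on other certificates.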

