(RADIATOR) Problem with public certificate

Mike McCauley mikem at open.com.au
Wed Aug 29 17:45:01 CDT 2007


Hello Fernando,

It's hard to be sure without seeing the full level 4 log file, but it appears 
that the supplicant is sending a TLS alert to Radiator:

> > Tue Aug 28 17:55:49 2007: ERR: EAP PEAP TLS read failed:  26626: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

This is most likely due to the supplicant not liking the server certificate 
for some reason. The most common reasons are:
1. No root certificate installed on the supplicant corresponding to the 
server certificate
2. Clock on the supplicant outside the validity ranges of the server 
certificate (or root certificate)
3. Server certificate verification on the supplicant failed (maybe it expected 
a certificate with another server name?)

You should probably consult your supplicant logs to find out exactly what it 
thinks the problem is.

Cheers.

On Thursday 30 August 2007 00:09, Fernando Romao wrote:
> Hugh,
>
> The certificate is in pem format and it is installed on radius server.
> The log is attached.
>
>
> Thanks
> Fernando
>
> ----- Configuration ------
> <Handler Realm=fe.up.pt>
>         RejectHasReason
>
>         SessionDatabase  accountSQLDB
>         AuthByPolicy ContinueAlways
>         AuthBy SQLAccounting
>         RewriteUsername s/^([^@]+).*/$1/
>
>         <AuthBy FILE>
>                 Filename /etc/raddb/users
>                 EAPType PEAP, MSCHAP-V2, TTLS, MD5-Challenge
>                 EAPTLS_CAFile /root/Radiator-Current/certificates/CA/c1400ca.pem
>                 EAPTLS_CAPath /root/Radiator-Current/certificates/CA/
>                 EAPTLS_CertificateFile /root/Radiator-Current/certificates/GlobalSign_Wildcard_keycert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /root/Radiator-Current/certificates/GlobalSign_Wildcard_keycert.pem
>                 EAPTLS_PrivateKeyPassword passradiator
>                 EAPTLS_MaxFragmentSize 1024
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPAnonymous anonymous at fe.up.pt
>         </AuthBy>
>         PostProcessingHook file:"/etc/raddb/hooks/hook_test.pl"
> </Handler>
> -----------------------------
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Hugh Irvine
> Sent: quarta-feira, 29 de Agosto de 2007 11:40
> To: Fernando Romao
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Problem with public certificate
>
>
> Hello Fernando -
>
> Could you please send me a copy of your configuration file together
> with a more complete trace 4 debug showing what is happening?
>
> What format is the certificate in? and where is it installed?
>
> regards
>
> Hugh
>
> On 29 Aug 2007, at 19:17, Fernando Romao wrote:
> > Hi,
> >
> >
> >
> > I purchased a public wildcard certificate for our ALTEON load
> > balancer and I'm trying to use it on the RADIATOR server so that PEAP
> > wireless users can validate the server. But I'm having an error during
> > the authentication.
> >
> > Error:
> > ---------------
> > Tue Aug 28 17:55:49 2007: ERR: EAP PEAP TLS read failed:  26626: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> > Tue Aug 28 17:55:49 2007: DEBUG: EAP result: 1, EAP PEAP TLS read failed
> > Tue Aug 28 17:55:49 2007: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS read failed
> > Tue Aug 28 17:55:49 2007: INFO: Access rejected for romao: EAP PEAP TLS read failed
> > Tue Aug 28 17:55:49 2007: DEBUG: Packet dump:
> > *** Sending to 172.20.51.48 port 1645 ....
> > Code:       Access-Reject
> > Identifier: 189
> > Authentic:  <0>/slhS<178><248><186>M<127><197><245>q<172><146>
> > Attributes:
> >         Reply-Message = "EAP PEAP TLS read failed"
> > -----------------
> >
> >
> >
> > These are the certificate extensions; is it missing some special
> > extension? If not, what could be the problem?
> >
> > Thanks
> >
> > Fernando
> >
> >
> >
> > -----------
> >
> >         X509v3 extensions:
> >             X509v3 Authority Key Identifier:
> >                 keyid:7D:6D:2A:EC:66:AB:A7:51:36:AB:02:69:F1:70:8F:C4:59:0B:9A:1F
> >             Authority Information Access:
> >                 CA Issuers - URI:http://secure.globalsign.net/cacert/orgv1.crt
> >             X509v3 CRL Distribution Points:
> >                 URI:http://crl.globalsign.net/OrganizationVal1.crl
> >             X509v3 Subject Key Identifier:
> >                 94:18:C5:D6:93:DD:96:D2:97:93:52:55:75:D7:36:86:DA:F5:62:43
> >             X509v3 Basic Constraints:
> >                 CA:FALSE
> >             X509v3 Key Usage: critical
> >                 Digital Signature, Key Encipherment
> >             X509v3 Extended Key Usage:
> >                 TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto
> >             X509v3 Certificate Policies:
> >                 Policy: 1.3.6.1.4.1.4146.1.20
> >                   CPS: http://www.globalsign.net/repository/
> >             Netscape Cert Type:
> >                 SSL Client, SSL Server
> >     Signature Algorithm: sha1WithRSAEncryption
> >
> >
> >
> > ---------------------
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
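The three causes Mike lists (no matching root on the supplicant, supplicant clock outside the validity window, server name mismatch) can all be reproduced on the RADIUS server itself with the openssl command line before any supplicant is involved. The script below is an added example for this archive page, not code from the thread or from Radiator. It assumes an OpenSSL 1.1.0 or later binary on PATH (for `verify -attime` and `verify -verify_hostname`); the CA file, certificate file and expected server name are placeholders supplied as arguments. It also goes one step beyond the reply and checks the Extended Key Usage, since the certificate dump Fernando posted shows that extension and most supplicants require TLS Web Server Authentication in it.

```shell
#!/bin/sh
# Added example (not Radiator's or the thread's code): emulate the checks a
# PEAP supplicant performs on the RADIUS server certificate, so a failing
# check can be found on the server side instead of from a terse TLS alert.
# Assumes OpenSSL >= 1.1.0 on PATH. Paths and names below are placeholders.

# 1. Trust: is the server certificate signed by a CA the supplicant holds?
check_chain() {
    ca_file="$1"; cert="$2"
    openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1
}

# 2. Validity window, evaluated at a chosen clock (epoch seconds) so a
#    supplicant with a wrong clock can be simulated. Defaults to now.
check_validity_at() {
    ca_file="$1"; cert="$2"; when="${3:-$(date +%s)}"
    openssl verify -CAfile "$ca_file" -attime "$when" "$cert" >/dev/null 2>&1
}

# 3. Name: does the server name the supplicant is configured to expect match
#    the certificate's SAN (OpenSSL honours wildcards such as *.example.test)?
check_hostname() {
    ca_file="$1"; cert="$2"; expected="$3"
    openssl verify -CAfile "$ca_file" -verify_hostname "$expected" "$cert" >/dev/null 2>&1
}

# 4. EKU must include "TLS Web Server Authentication" for most supplicants.
check_server_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Print one line per check for a CA/certificate pair and an expected name.
report() {
    ca_file="$1"; cert="$2"; expected="$3"
    if check_chain "$ca_file" "$cert"; then echo "chain:    OK"
    else echo "chain:    FAIL (supplicant lacks a matching root?)"; fi
    if check_validity_at "$ca_file" "$cert"; then echo "validity: OK"
    else echo "validity: FAIL (clock outside certificate validity?)"; fi
    if check_hostname "$ca_file" "$cert" "$expected"; then echo "name:     OK"
    else echo "name:     FAIL (supplicant expects another server name?)"; fi
    if check_server_eku "$cert"; then echo "eku:      OK"
    else echo "eku:      FAIL (no TLS Web Server Authentication in EKU)"; fi
}

# Usage: sh check_eap_cert.sh <ca.pem> <server.pem> <expected-server-name>
if [ $# -eq 3 ]; then
    report "$1" "$2" "$3"
fi
```

Run it with the same CA file the supplicants are given (not the one in EAPTLS_CAFile, which is what the server uses to verify clients) and the exact name the supplicant profile is told to expect; a public wildcard certificate passes the name check only if that name sits under the wildcard's domain. A failing `-attime` run with a date a year or two off reproduces the "clock" case without touching any real clock.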

