[RADIATOR] No Shared Cipher

Corey Gray corey at tsa.com.au
Mon Feb 8 22:24:14 CST 2010


Hi Hugh,
  The EAP prerequisites are installed. And the client in this case is the WAP and it has no options to install certificates. When creating certificates the script outputs this.

*********************************************************************************
Creating self-signed private key and certificate
When prompted override the default value for the Common Name field
*********************************************************************************

What is the common name meant to be here? The server hosting Radius or something else?

Then the second step in the script:

*********************************************************************************
Creating client private key and certificate
When prompted enter the client name in the Common Name field. This is the same
 used as the Username in FreeRADIUS
*********************************************************************************

Which username are they talking about here? It would be prohibitive if this was the logon name, as you would need certificates for every person that logs on.

The third step is where you enter the server name for the certificate.
I'm finding it hard to find documentation on this part of radius. Any help is greatly appreciated.

Regards

Corey
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Tuesday, 9 February 2010 12:49 PM
To: Corey Gray
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] No Shared Cipher


Hello Corey -

Have you installed all of the EAP prerequisites? And have you installed the correct certificate(s) on the client(s)?

And have you checked that the shared secrets are correct?

regards

Hugh


On 9 Feb 2010, at 13:00, Corey Gray wrote:

> Hi all
> I'm currently getting a No Shared cipher error when trying to connect to my radius server. I have read that it could have been a corrupted directory so I removed the directory and reestablished it. If I can get this bit working then I will have a working radius server. Thanks in advance
>
>
> here is a trace
>
> Tue Feb  9 01:54:56 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Feb  9 01:54:56 2010: DEBUG:  Deleting session for corey, 192.168.***.***, 59
> Tue Feb  9 01:54:56 2010: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb  9 01:54:56 2010: DEBUG: Handling with EAP: code 2, 1, 84, 21
> Tue Feb  9 01:54:56 2010: DEBUG: Response type 21
> Tue Feb  9 01:54:56 2010: DEBUG: EAP TTLS data, 24576, 1, -1
> Tue Feb  9 01:54:56 2010: DEBUG: EAP TTLS SSL_accept result: -1, 1, 8466
> Tue Feb  9 01:54:56 2010: ERR: EAP TTLS error: -1, 1, 8466,  5476: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> Tue Feb  9 01:54:56 2010: DEBUG: EAP result: 1, EAP TTLS error
> Tue Feb  9 01:54:56 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS error
> Tue Feb  9 01:54:56 2010: INFO: Access rejected for corey: EAP TTLS error
> Tue Feb  9 01:54:56 2010: DEBUG: Packet dump:
>
> And here is the config
>
> Foreground
> LogStdout
> BindAddress     192.168.***.***
> LogDir          /var/log/radius
> DbDir           /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace           4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>          Secret  ***
>         DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> <AuthBy FILE>
>         Filename %D/users
>         EAPType TTLS, MSCHAP-V2
>         EAPTLS_CAPath /etc/radiator/certificates/private/cakey.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/RadiatorCert.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_MaxFragmentSize 1000
>         EAPTTLS_NoAckRequired
> </AuthBy>
> # Log accounting to a detail file
> AcctLogFileName %L/detail
> #<AuthBy KRB5>
> #               KrbRealm = TSA
> #       </AuthBy>
> #</Realm>
>
>
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus signature database 4849 (20100208) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
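
An added example, not part of the thread and not Radiator code: a small Python triage helper that pulls the OpenSSL error out of a Radiator trace like the one quoted above, splits the packed code `1408A0C1` into its library, function and reason numbers, and pairs it with the user rejected next. The function names are hypothetical, and the bit layout assumed is the one used by OpenSSL releases before 3.0.

```python
import re
from collections import Counter

# Lines copied from the trace quoted in this thread (leading "> " removed).
SAMPLE_TRACE = """\
Tue Feb  9 01:54:56 2010: DEBUG: EAP TTLS SSL_accept result: -1, 1, 8466
Tue Feb  9 01:54:56 2010: ERR: EAP TTLS error: -1, 1, 8466,  5476: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Tue Feb  9 01:54:56 2010: DEBUG: EAP result: 1, EAP TTLS error
Tue Feb  9 01:54:56 2010: INFO: Access rejected for corey: EAP TTLS error
"""

# OpenSSL error-queue string: error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
REJECT = re.compile(r"INFO: Access rejected for ([^:]+): (.*)$")


def unpack_code(code_hex):
    """Split a packed code as laid out by OpenSSL releases before 3.0
    (assumption): 8 bits library, 12 bits function, 12 bits reason."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def tls_failures(trace):
    """Return one record per OpenSSL error, paired with the user rejected next."""
    records, pending = [], []
    for line in trace.splitlines():
        line = re.sub(r"^(>\s?)+", "", line)  # tolerate mail quoting
        m = OPENSSL_ERR.search(line)
        if m:
            lib, func, reason = unpack_code(m.group(1))
            pending.append({"code": m.group(1).upper(), "lib": lib, "func": func,
                            "reason": reason, "where": m.group(3),
                            "text": m.group(4).strip(), "user": None})
            continue
        m = REJECT.search(line)
        if m:
            for rec in pending:
                rec["user"] = m.group(1)
            records.extend(pending)
            pending = []
    return records + pending  # errors with no following reject keep user=None


def summarize(trace):
    """Count failures per (function, reason text) to spot a systematic fault."""
    return Counter((r["where"], r["text"]) for r in tls_failures(trace))
```

The same function and reason repeating for every user in `summarize()` points at the server-side TLS setup rather than at one supplicant.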




