[RADIATOR] No Shared Cipher

Hugh Irvine hugh at open.com.au
Tue Feb 9 00:17:09 CST 2010


Hello Corey -

What script are you referring to?

Radiator includes test certificates in the "certificates" directory, and you need to install the client certificate on the end-user machine (called a supplicant in EAP).

I.e. the end-user machine (PC, Mac, iPhone, etc.) needs to have the certificate corresponding to the RADIUS server installed. See the README file in the "certificates" directory. The WAP simply proxies the RADIUS requests from the supplicant to the server and returns the responses.

There are numerous sources of information on EAP listed on our FAQ page.

See http://www.open.com.au/radiator/faq.html#149 and http://www.open.com.au/radiator/faq.html#155.

regards

Hugh


On 9 Feb 2010, at 15:24, Corey Gray wrote:

> Hi Hugh,
>  The EAP prerequisites are installed. And the client in this case is the WAP and it has no options to install certificates. When creating certificates the script outputs this.
> 
> *********************************************************************************
> Creating self-signed private key and certificate
> When prompted override the default value for the Common Name field
> *********************************************************************************
> 
> What is the common name meant to be here? The server hosting RADIUS, or something else?
> 
> Then the second Step in the script
> 
> *********************************************************************************
> Creating client private key and certificate
> When prompted enter the client name in the Common Name field. This is the same
> used as the Username in FreeRADIUS
> *********************************************************************************
> 
> Which username are they talking about here? It would be prohibitive if this was the logon name, as you would need certificates for every person that logs on.
> 
> The third step is where you enter the server name for the certificate.
> I'm finding it hard to find documentation on this part of RADIUS. Any help is greatly appreciated.
> 
> Regards
> 
> Corey
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Tuesday, 9 February 2010 12:49 PM
> To: Corey Gray
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] No Shared Cipher
> 
> 
> Hello Corey -
> 
> Have you installed all of the EAP prerequisites? And have you installed the correct certificate(s) on the client(s)?
> 
> And have you checked that the shared secrets are correct?
> 
> regards
> 
> Hugh
> 
> 
> On 9 Feb 2010, at 13:00, Corey Gray wrote:
> 
>> Hi all
>> I'm currently getting a "no shared cipher" error when trying to connect to my RADIUS server. I have read that it could have been a corrupted directory, so I removed the directory and re-established it. If I can get this bit working then I will have a working RADIUS server. Thanks in advance.
>> 
>> 
>> here is a trace
>> 
>> Tue Feb  9 01:54:56 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>> Tue Feb  9 01:54:56 2010: DEBUG:  Deleting session for corey, 192.168.***.***, 59
>> Tue Feb  9 01:54:56 2010: DEBUG: Handling with Radius::AuthFILE:
>> Tue Feb  9 01:54:56 2010: DEBUG: Handling with EAP: code 2, 1, 84, 21
>> Tue Feb  9 01:54:56 2010: DEBUG: Response type 21
>> Tue Feb  9 01:54:56 2010: DEBUG: EAP TTLS data, 24576, 1, -1
>> Tue Feb  9 01:54:56 2010: DEBUG: EAP TTLS SSL_accept result: -1, 1, 8466
>> Tue Feb  9 01:54:56 2010: ERR: EAP TTLS error: -1, 1, 8466,  5476: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>> 
>> Tue Feb  9 01:54:56 2010: DEBUG: EAP result: 1, EAP TTLS error
>> Tue Feb  9 01:54:56 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS error
>> Tue Feb  9 01:54:56 2010: INFO: Access rejected for corey: EAP TTLS error
>> Tue Feb  9 01:54:56 2010: DEBUG: Packet dump:
>> 
>> And here is the config
>> 
>> Foreground
>> LogStdout
>> BindAddress     192.168.***.***
>> LogDir          /var/log/radius
>> DbDir           /etc/radiator
>> # Use a low trace level in production systems. Increase
>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>> Trace           4
>> 
>> # You will probably want to add other Clients to suit your site,
>> # one for each NAS you want to work with
>> <Client DEFAULT>
>>         Secret          ***
>>         DupInterval     0
>> </Client>
>> 
>> <Realm DEFAULT>
>>         <AuthBy FILE>
>>                 Filename %D/users
>>                 EAPType TTLS, MSCHAP-V2
>>                 EAPTLS_CAPath /etc/radiator/certificates/private/cakey.pem
>>                 EAPTLS_CertificateFile /etc/radiator/certificates/RadiatorCert.pem
>>                 EAPTLS_CertificateType PEM
>>                 EAPTLS_MaxFragmentSize 1000
>>                 EAPTTLS_NoAckRequired
>>         </AuthBy>
>>         # Log accounting to a detail file
>>         AcctLogFileName %L/detail
>>         #<AuthBy KRB5>
>>         #       KrbRealm = TSA
>>         #</AuthBy>
>> #</Realm>
>> 
>> 
>> 
>> 
>> __________ Information from ESET NOD32 Antivirus, version of virus signature database 4849 (20100208) __________
>> 
>> The message was checked by ESET NOD32 Antivirus.
>> 
>> http://www.eset.com
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.




