[RADIATOR] Error message

Heikki Vatiainen hvn at open.com.au
Tue Apr 19 03:20:56 CDT 2011


On 04/18/2011 11:46 PM, Johnson, Neil M wrote:
> What does this error message mean ?

The client is rejecting Radiator's certificate.

If you search the mailing lists, there are a couple of suggestions why
this happens.

If this is a Windows client, see this for a likely reason:
http://technet.microsoft.com/en-us/library/cc731363.aspx

When certs are created with OpenSSL, the extension mentioned above is
specified like this:

extendedKeyUsage       = serverAuth

When printing the cert as text with OpenSSL, the extension looks like this:

X509v3 extensions:
 X509v3 Extended Key Usage:
   TLS Web Server Authentication

> Mon Apr 18 11:49:20 2011: DEBUG: Packet dump:
> *** Received from 160.36.188.8 port 60075 ....
> Code:       Access-Request
> Identifier: 8
> Authentic:  <223><19>2<243>Dw<11>D<23><167><17><194><170>}%<242>
> Attributes:
> 	User-Name = "troester at uiowa.edu"
> 	Calling-Station-Id = "00-13-e8-83-83-61"
> 	Called-Station-Id = "00-24-97-f2-a7-70:eduroam"
> 	NAS-Port = 1
> 	NAS-IP-Address = 206.196.182.10
> 	NAS-Identifier = "wlan0-smm"
> 	Airespace-WLAN-Id = 2
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	EAP-Message = <2><9><0>/<25><128><0><0><0>%<21><3><1><0> <30><175>N<205><10><166><154>Z<252><26><208><15>E7<177><145><241><176><141><172><8> <174>n<22><20><11>`\Q5<14>
> 	Message-Authenticator = X<201><233><3><209>M<237><208>I<248><213><14>Cv<198><182>
> 
> Mon Apr 18 11:49:20 2011: DEBUG: Handling request with Handler 'Client-Identifier=eduroam, Realm=/uiowa\.edu$/i ', Identifier ''
> Mon Apr 18 11:49:20 2011: DEBUG: PreProcessing Hook: called.
> Mon Apr 18 11:49:20 2011: DEBUG:  Deleting session for troester at uiowa.edu, 206.196.182.10, 1
> Mon Apr 18 11:49:20 2011: DEBUG: Handling with Radius::AuthFILE: 
> Mon Apr 18 11:49:20 2011: DEBUG: Handling with EAP: code 2, 9, 47, 25
> Mon Apr 18 11:49:20 2011: DEBUG: Response type 25
> Mon Apr 18 11:49:20 2011: ERR: EAP PEAP TLS read failed:  2244: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> 
> Mon Apr 18 11:49:20 2011: DEBUG: EAP result: 1, EAP PEAP TLS read failed
> Mon Apr 18 11:49:20 2011: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS read failed
> Mon Apr 18 11:49:20 2011: INFO: Access rejected for troester at uiowa.edu: EAP PEAP TLS read failed
> Mon Apr 18 11:49:20 2011: DEBUG: Packet dump:
> *** Sending to 160.36.188.8 port 60075 ....
> Code:       Access-Reject
> Identifier: 8
> Authentic:  <182><255><27>k<254><14><206>A^ca<244>=<5><131>r
> Attributes:
> 	Reply-Message = "Request Denied"
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
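The check described in the reply above, as an added example that is not part of the original post or of Radiator: it creates two throwaway self-signed certificates with OpenSSL, one with `extendedKeyUsage = serverAuth` and one without, and tests the `openssl x509 -text` output for the "TLS Web Server Authentication" line. The function names `has_server_auth` and `make_cert`, the config section names and the subject `radius.example.org` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names, section names and the CN are constructed.

# has_server_auth CERT.pem
# Exit 0 if the certificate's Extended Key Usage extension lists
# "TLS Web Server Authentication" (serverAuth), non-zero otherwise.
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# make_cert OUT.pem SECTION
# Write a one-day self-signed test certificate whose extensions come from
# SECTION (with_eku or without_eku) of a temporary OpenSSL config file.
make_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = radius.example.org
[ with_eku ]
extendedKeyUsage   = serverAuth
[ without_eku ]
basicConstraints   = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/openssl.cnf" -extensions "$2" \
        -keyout "$dir/key.pem" -out "$1" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"    # the private key is only needed to self-sign
    return $rc
}

# When certificate files are given as arguments, report on each one.
for cert in "$@"; do
    if has_server_auth "$cert"; then
        echo "$cert: serverAuth present"
    else
        echo "$cert: serverAuth MISSING"
    fi
done
```

Run it with the path of the server certificate Radiator presents as the argument to see whether the extension is there.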

