[RADIATOR] EAP-TLS question

Heikki Vatiainen hvn at open.com.au
Thu Dec 1 16:24:59 CST 2011


On 12/01/2011 10:23 PM, Markus Moeller wrote:

Hello Markus,

>   I have a setup using EAP TLS with CRL check and I get sometimes
> correctly an expired certificate presented.  But why does Radiator
> continue with an Access Challenge instead of a Reject?

There's this comment in EAP-TLS code:

  # Certificate verification failed, keep going
  # so we tell the client what the problem was

and then it logs "EAP TLS certificate verification failed: ..." message.

Does it still let you authenticate? I did not quite understand if you
were wondering why it challenges or if it also let you authenticate
successfully.

Thanks!
Heikki


> Wed Nov 30 18:20:11 2011: DEBUG: Handling request with Handler
> AuthType="radius"'
> Wed Nov 30 18:20:11 2011: DEBUG:  Deleting session for xxx, 10.10.10.10, 13
> Wed Nov 30 18:20:11 2011: DEBUG: Handling with Radius::AuthFILE: EapTLS
> Wed Nov 30 18:20:11 2011: DEBUG: Handling with EAP: code 2, 8, 689, 13
> Wed Nov 30 18:20:11 2011: DEBUG: Response type 13
> Wed Nov 30 18:20:11 2011: INFO: EAP TLS certificate verification failed:
> certificate has expired,  23809: 1 - error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>  
> Wed Nov 30 18:20:11 2011: DEBUG: EAP result: 3, EAP TLS Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS
> Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: Access challenged for xxx: EAP TLS
> Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: Packet dump:
> *** Sending to 10.1.1.1 port 32769 ....
> Code:       Access-Challenge
> Identifier: 56
> Authentic:  (<183><181><167><240><188>2<186><243>d<247>d<248><12><151>+
> Attributes:
>         EAP-Message = <1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  
>  
> Thank you
> markus


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
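The packet dump in the quoted message shows what the Access-Challenge sent after the failed verification actually carries. The following decoder is an added example, not part of this thread and not Radiator's code: it turns Radiator's rendering of the EAP-Message value back into bytes and walks the EAP header, the EAP-TLS flags and the TLS record inside. Assumptions: Radiator's packet dump prints non-printable bytes as `<decimal>` and printable bytes literally, so the trailing `-` is byte 0x2d (45); that reading agrees with the EAP length field (17). TLS alert codes are taken from RFC 5246. The result is an EAP-TLS Request whose TLS payload is one fatal alert, certificate_expired (45), which is exactly the "tell the client what the problem was" step the code comment describes. When triaging logs, this is how a challenge that only transports an alert (record type 21) can be told apart from one that continues a handshake (record type 22).

```python
import re

# TLS alert levels and descriptions (RFC 5246, section 7.2).
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
EAPTLS_FLAG_LENGTH_INCLUDED = 0x80  # L bit: 4-byte TLS message length follows
EAPTLS_FLAG_MORE_FRAGMENTS = 0x40   # M bit
EAPTLS_FLAG_START = 0x20            # S bit

# EAP-Message value copied from the packet dump in the thread above.
RADIATOR_EAP_MESSAGE = "<1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-"


def dump_to_bytes(rendered: str) -> bytes:
    """Convert Radiator's packet-dump rendering of an attribute value to bytes.

    Assumption: non-printable bytes are shown as <decimal>, printable ones literally.
    """
    out = bytearray()
    for num, ch in re.findall(r"<(\d+)>|(.)", rendered, re.DOTALL):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def decode_eap_tls(msg: bytes) -> dict:
    """Decode one EAP packet and, if it is EAP-TLS, the TLS record it carries."""
    if len(msg) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = msg[0], msg[1], int.from_bytes(msg[2:4], "big")
    if length != len(msg):
        raise ValueError(f"EAP length field {length} does not match {len(msg)} bytes")
    info = {"eap_code": EAP_CODES.get(code, code), "eap_id": ident, "eap_length": length}
    if length == 4:  # Success / Failure carry no type byte
        return info
    eap_type = msg[4]
    info["eap_type"] = eap_type
    if eap_type != EAP_TYPE_TLS or len(msg) < 6:
        return info

    flags = msg[5]
    info["flags"] = {
        "length_included": bool(flags & EAPTLS_FLAG_LENGTH_INCLUDED),
        "more_fragments": bool(flags & EAPTLS_FLAG_MORE_FRAGMENTS),
        "start": bool(flags & EAPTLS_FLAG_START),
    }
    pos = 6
    if flags & EAPTLS_FLAG_LENGTH_INCLUDED:
        info["tls_message_length"] = int.from_bytes(msg[6:10], "big")
        pos = 10

    tls = msg[pos:]
    if not tls:
        return info  # bare ACK or Start: no TLS data
    # TLS record header: type (1), version (2), length (2).
    info["tls_record_type"] = TLS_RECORD_TYPES.get(tls[0], tls[0])
    if len(tls) >= 5:
        info["tls_version"] = (tls[1], tls[2])
        record_len = int.from_bytes(tls[3:5], "big")
        body = tls[5:5 + record_len]
        # An alert record body is exactly two bytes: level and description.
        if tls[0] == 21 and len(body) == 2:
            info["alert_level"] = TLS_ALERT_LEVELS.get(body[0], body[0])
            info["alert_description"] = TLS_ALERT_DESCRIPTIONS.get(body[1], body[1])
    return info


def explain_challenge(rendered: str) -> dict:
    """Decode a rendered EAP-Message value straight from a Radiator packet dump."""
    return decode_eap_tls(dump_to_bytes(rendered))


if __name__ == "__main__":
    for key, value in explain_challenge(RADIATOR_EAP_MESSAGE).items():
        print(f"{key}: {value}")
```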