[RADIATOR] EAP-TLS question

Markus Moeller huaraz at moeller.plus.com
Thu Dec 1 18:33:35 CST 2011


I am asking because I don't get an Authlog entry (neither success nor fail) 
and have to search the detailed logfile to see why the client could not 
connect.

It would be useful to get an Authlog entry of a failure too.

Markus


----- Original Message ----- 
From: "Heikki Vatiainen" <hvn at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Thursday, December 01, 2011 10:24 PM
Subject: Re: [RADIATOR] EAP-TLS question


> On 12/01/2011 10:23 PM, Markus Moeller wrote:
>
> Hello Markus,
>
>>   I have a setup using EAP TLS with CRL check and I get sometimes
>> correctly an expired certificate presented.  But why does Radiator
>> continue with an Access Challenge instead of a Reject?
>
> There's this comment in EAP-TLS code:
>
>  # Certificate verification failed, keep going
>  # so we tell the client what the problem was
>
> and then it logs "EAP TLS certificate verification failed: ..." message.
>
> Does it still let you authenticate? I did not quite understand if you
> were wondering why it challenges or if it also let you authenticate
> successfully.
>
> Thanks!
> Heikki
>
>
>> Wed Nov 30 18:20:11 2011: DEBUG: Handling request with Handler
>> AuthType="radius"'
>> Wed Nov 30 18:20:11 2011: DEBUG:  Deleting session for xxx, 10.10.10.10, 
>> 13
>> Wed Nov 30 18:20:11 2011: DEBUG: Handling with Radius::AuthFILE: EapTLS
>> Wed Nov 30 18:20:11 2011: DEBUG: Handling with EAP: code 2, 8, 689, 13
>> Wed Nov 30 18:20:11 2011: DEBUG: Response type 13
>> Wed Nov 30 18:20:11 2011: INFO: EAP TLS certificate verification failed:
>> certificate has expired,  23809: 1 - error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>
>> Wed Nov 30 18:20:11 2011: DEBUG: EAP result: 3, EAP TLS Challenge
>> Wed Nov 30 18:20:11 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS
>> Challenge
>> Wed Nov 30 18:20:11 2011: DEBUG: Access challenged for xxx: EAP TLS
>> Challenge
>> Wed Nov 30 18:20:11 2011: DEBUG: Packet dump:
>> *** Sending to 10.1.1.1 port 32769 ....
>> Code:       Access-Challenge
>> Identifier: 56
>> Authentic:  (<183><181><167><240><188>2<186><243>d<247>d<248><12><151>+
>> Attributes:
>>         EAP-Message = 
>> <1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>
>> Thank you
>> markus
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> -- 
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
> 
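The Access-Challenge that Heikki's quoted comment explains ("keep going so we tell the client what the problem was") can be checked directly against the packet dump in Markus's mail. The Python below is an added example, not part of the thread and not Radiator's code: it pulls the verification failure and the EAP-Message out of a log excerpt, decodes the EAP-TLS packet and shows that the challenge carries a fatal TLS alert. The log excerpt is constructed from the thread (trimmed, with the EAP-Message value joined onto one line); reading Radiator's `<N>` dump notation as one decimal byte per token with printable characters shown literally is an assumption drawn from the dump itself; the alert numbers come from RFC 5246.

```python
"""Decode the Access-Challenge quoted in the thread and check what it carries."""
import re

# Constructed sample input: the Radiator DEBUG/INFO excerpt from the thread,
# trimmed, with the EAP-Message value joined onto one line.
SAMPLE_LOG = """\
Wed Nov 30 18:20:11 2011: DEBUG: Response type 13
Wed Nov 30 18:20:11 2011: INFO: EAP TLS certificate verification failed: certificate has expired,  23809: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed Nov 30 18:20:11 2011: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov 30 18:20:11 2011: DEBUG: Access challenged for xxx: EAP TLS Challenge
Wed Nov 30 18:20:11 2011: DEBUG: Packet dump:
*** Sending to 10.1.1.1 port 32769 ....
Code:       Access-Challenge
Identifier: 56
Attributes:
        EAP-Message = <1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_ALERT = 21
# TLS AlertDescription values (RFC 5246 section 7.2); only the ones relevant
# to certificate checking are listed here.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 51: "decrypt_error",
}


def decode_dump(value: str) -> bytes:
    """Turn Radiator's attribute dump into bytes. Assumption about the format:
    '<N>' is a non-printable byte with decimal value N, anything else is a
    printable byte shown literally (so '-' is 0x2d = 45)."""
    out = bytearray()
    for m in re.finditer(r"<(\d+)>|(.)", value):
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)


def parse_eap_tls(pkt: bytes) -> dict:
    """Parse an EAP packet carrying EAP-TLS (RFC 3748 header, RFC 5216 flags)."""
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length {length} does not match {len(pkt)} bytes")
    eap_type, flags = pkt[4], pkt[5]
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"EAP type {eap_type} is not EAP-TLS")
    pos, tls_length = 6, None
    if flags & 0x80:  # L bit: a four-byte total TLS message length follows
        tls_length = int.from_bytes(pkt[6:10], "big")
        pos = 10
    return {"code": code, "code_name": EAP_CODES.get(code, "unknown"), "id": ident,
            "length": length, "flags": flags, "tls_length": tls_length,
            "tls_data": pkt[pos:]}


def parse_tls_record(data: bytes) -> dict:
    """Parse one TLS record header and decode the body if it is an Alert."""
    content_type = data[0]
    version = (data[1], data[2])
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    rec = {"content_type": content_type, "version": version, "length": rec_len}
    if content_type == TLS_ALERT and len(body) == 2:
        rec["alert"] = {"level": body[0],
                        "level_name": {1: "warning", 2: "fatal"}.get(body[0], "unknown"),
                        "description": body[1],
                        "description_name": ALERT_DESCRIPTIONS.get(body[1], "unknown")}
    return rec


def analyze(log: str) -> dict:
    """Extract the verification failure, the RADIUS code and the TLS alert from a log excerpt."""
    fail = re.search(r"INFO: EAP TLS certificate verification failed: ([^,]+)", log)
    code = re.search(r"^Code:\s+(\S+)", log, re.MULTILINE)
    eap = re.search(r"EAP-Message\s*=\s*(\S+)", log)
    result = {"verification_error": fail.group(1).strip() if fail else None,
              "radius_code": code.group(1) if code else None}
    if eap:
        parsed = parse_eap_tls(decode_dump(eap.group(1)))
        result["eap"] = parsed
        result["tls"] = parse_tls_record(parsed["tls_data"])
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    alert = r["tls"].get("alert", {})
    print(f"{r['radius_code']} after '{r['verification_error']}': "
          f"EAP {r['eap']['code_name']} id {r['eap']['id']} carries TLS alert "
          f"{alert.get('level_name')}/{alert.get('description_name')}")
```

Run against the excerpt, the EAP-Message decodes to an EAP Request (id 9, 17 bytes, L bit set) whose 7-byte TLS payload is a single record of type 21 (Alert), version 3.1, body `02 2d`: a fatal certificate_expired alert. So the challenge is not Radiator accepting anything; it is the server delivering the alert that names the problem to the supplicant, which is what the quoted code comment says. What follows the client's acknowledgement is outside the excerpt; RFC 5216 has the EAP-Failure come after the peer acknowledges the alert.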



