[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed
    Röver, Christian
    christian.roever at hfk-bremen.de
    Tue Dec 13 07:07:14 CST 2011

Hi,
 
while trying to configure Radiator to work with the radsec protocol, I get
the following error:
 
Tue Dec 13 13:22:17 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
Tue Dec 13 13:22:17 2011: ERR: StreamTLS client error: -1, 1, 4401,  2400: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
 
Does anyone have an idea which components I might have to check or where to
find the mistake in my config?
 
(System: Win 2008r2 x64, newest Perl, OpenSSL and Net-SSLeay)
 
Radius.cfg:
 
AuthPort             1645,1812
AcctPort
 
Foreground
LogStdout
LogDir                   .
DbDir                    .
Trace                    4
 
DictionaryFile           C:/radius/radiator/dictionary,C:/radius/radiator/dictionary.cisco
 
#Accesspoints#
<Client x.x.x.0/24>
                Secret   specialsecret
</Client>
 
#DC#
<Client x.x.x.x>
                Secret   oursecret
                IgnoreAcctSignature
</Client>
 
 
<ServerRADSEC>
                BindAddress 127.0.0.1
                Port 2083
                Secret oursecret
                UseTLS 1
                TLS_CAPath C:/radius/certificates/ca
                TLS_CertificateFile C:/radius/certificates/server.institution.de.pem
                TLS_CertificateType PEM
                TLS_PrivateKeyFile C:/radius/certificates/server.institution.de.key
                TLS_PrivateKeyPassword servercertpassword
                TLS_ExpectedPeerName CN=.*\.toplevel\.de
                TLS_SubjectAltNameURI .*toplevel.de
</ServerRADSEC>
 
 
<Realm ourinstitution.de>
                <AuthBy RADIUS>
                               Host x.x.x.x
                               Secret oursecret
                               AuthPort 1812

                               EAPType TLS,PEAP,MSCHAP-V2
                               EAPTLS_CAPath C:/radius/certificates/ca
                               EAPTLS_CertificateFile C:/radius/certificates/server.institution.de.pem
                               EAPTLS_CertificateType PEM
                               EAPTLS_PrivateKeyFile C:/radius/server.institution.de.key
                               EAPTLS_PrivateKeyPassword servercertpassword
                               EAPTLS_MaxFragmentSize 1000
                               AutoMPPEKeys
                               SSLeayTrace 1
                </AuthBy>
</Realm>
 
<Realm DEFAULT>
                <AuthBy RADSEC>
                               Host xyz1.toplevel.de
                               Host xyz2.toplevel.de
                               Port 2083
                               UseTLS 1
                               Secret oursecret
                               ReconnectTimeout 1
                               NoreplyTimeout 5

                               TLS_CAPath C:/radius/certificates/ca
                               TLS_CertificateFile C:/radius/certificates/server.institution.de.pem
                               TLS_CertificateType PEM
                               TLS_PrivateKeyFile C:/radius/certificates/server.institution.de.key
                               TLS_PrivateKeyPassword servercertpassword
                               #TLS_ExpectedPeerName CN=.*\.toplevel\.de
                               #SSLeayTrace 1
                </AuthBy>
</Realm>