[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

Heikki Vatiainen hvn at open.com.au
Tue Dec 13 08:55:18 CST 2011


On 12/13/2011 03:07 PM, Röver, Christian wrote:

Hello Christian,

> while trying to configure Radiator to work with the radsec protocol, I
> get the following error:

Can you reply with more debug messages? There should be more in the log
about which check failed.

> Tue Dec 13 13:22:17 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Tue Dec 13 13:22:17 2011: ERR: StreamTLS client error: -1, 1, 4401, 2400: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> Does anyone have an idea which components I might have to check or where
> to find the mistake in my config?

You could try commenting out the checks:

 TLS_ExpectedPeerName   CN=.*\.toplevel\.de
 TLS_SubjectAltNameURI  .*toplevel.de


and then see if it works. If it works, add one check first, watch the
logs, and then when the first check works add the other while keeping an
eye on the log.

Thanks!
Heikki


> (System: Win 2008r2 x64, newest perl, openssl and net-ssleay)
> 
> 
> Radius.cfg:
> 
> AuthPort 1645,1812
> AcctPort
> 
> Foreground
> LogStdout
> LogDir .
> DbDir .
> Trace 4
> 
> DictionaryFile C:/radius/radiator/dictionary,C:/radius/radiator/dictionary.cisco
> 
> #Accesspoints#
> <Client x.x.x.0/24>
>     Secret specialsecret
> </Client>
> 
> #DC#
> <Client x.x.x.x>
>     Secret oursecret
>     IgnoreAcctSignature
> </Client>
> 
> <ServerRADSEC>
>     BindAddress 127.0.0.1
>     Port 2083
>     Secret oursecret
>     UseTLS 1
>     TLS_CAPath C:/radius/certificates/ca
>     TLS_CertificateFile C:/radius/certificates/server.institution.de.pem
>     TLS_CertificateType PEM
>     TLS_PrivateKeyFile C:/radius/certificates/server.institution.de.key
>     TLS_PrivateKeyPassword servercertpassword
>     TLS_ExpectedPeerName CN=.*\.toplevel\.de
>     TLS_SubjectAltNameURI .*toplevel.de
> </ServerRADSEC>
> 
> <Realm ourinstitution.de>
>     <AuthBy RADIUS>
>         Host x.x.x.x
>         Secret oursecret
>         AuthPort 1812
> 
>         EAPType TLS,PEAP,MSCHAP-V2
>         EAPTLS_CAPath C:/radius/certificates/ca
>         EAPTLS_CertificateFile C:/radius/certificates/server.institution.de.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile C:/radius/server.institution.de.key
>         EAPTLS_PrivateKeyPassword servercertpassword
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 1
>     </AuthBy>
> </Realm>
> 
> <Realm DEFAULT>
>     <AuthBy RADSEC>
>         Host xyz1.toplevel.de
>         Host xyz2.toplevel.de
>         Port 2083
>         UseTLS 1
>         Secret oursecret
>         ReconnectTimeout 1
>         NoreplyTimeout 5
> 
>         TLS_CAPath C:/radius/certificates/ca
>         TLS_CertificateFile C:/radius/certificates/server.institution.de.pem
>         TLS_CertificateType PEM
>         TLS_PrivateKeyFile C:/radius/certificates/server.institution.de.key
>         TLS_PrivateKeyPassword servercertpassword
>         #TLS_ExpectedPeerName CN=.*\.toplevel\.de
>         #SSLeayTrace 1
>     </AuthBy>
> </Realm>
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
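As an added example (not from this thread and not Radiator's own code), the staged procedure above can be rehearsed offline before touching the live server: apply the two peer-name checks from the posted <AuthBy RADSEC> one at a time to a certificate's subject and SAN URIs and report which one fails. It assumes, as an interpretation of Radiator's documented behaviour, that TLS_ExpectedPeerName is a Perl-style regex searched against the subject in OpenSSL one-line form and TLS_SubjectAltNameURI against the subjectAltName URI entries; the certificates in SAMPLE_CERTS are constructed sample data, not the real xyz1/xyz2.toplevel.de certificates.

```python
import re

# Constructed sample peer certificates (not the real xyz1/xyz2.toplevel.de
# certificates): subject in OpenSSL one-line form plus subjectAltName URIs.
SAMPLE_CERTS = {
    "good": {"subject": "/C=DE/O=Toplevel/CN=xyz1.toplevel.de",
             "san_uris": ["radsec://xyz1.toplevel.de"]},
    "no_san": {"subject": "/C=DE/O=Toplevel/CN=xyz2.toplevel.de",
               "san_uris": []},
    "wrong_cn": {"subject": "/C=DE/O=Other/CN=radius.example.org",
                 "san_uris": ["radsec://radius.example.org"]},
}

# The two checks exactly as they appear in the posted <AuthBy RADSEC>.
CHECKS = {
    "TLS_ExpectedPeerName": r"CN=.*\.toplevel\.de",
    "TLS_SubjectAltNameURI": r".*toplevel.de",
}

def check_peer(cert, enabled):
    """Apply the enabled checks in order; return the first that fails, or None.
    Assumed semantics: TLS_ExpectedPeerName is searched against the whole
    subject string; TLS_SubjectAltNameURI must match at least one SAN URI."""
    for name in enabled:
        pattern = re.compile(CHECKS[name])
        if name == "TLS_ExpectedPeerName":
            ok = pattern.search(cert["subject"]) is not None
        else:
            ok = any(pattern.search(uri) for uri in cert["san_uris"])
        if not ok:
            return name
    return None

def staged_diagnosis(cert):
    """Replay the suggested procedure: no checks, then one, then both."""
    stages = [[], ["TLS_ExpectedPeerName"],
              ["TLS_ExpectedPeerName", "TLS_SubjectAltNameURI"]]
    return [(len(stage), check_peer(cert, stage)) for stage in stages]

def anchored(pattern):
    """Pin the pattern to the end of the value, so 'toplevel.de' cannot be a
    mere substring of a longer name (a hardening step, not Radiator's default)."""
    return pattern if pattern.endswith("$") else pattern + "$"

def matches_subject(pattern, subject):
    """True when the Perl-style pattern matches the certificate subject."""
    return re.search(pattern, subject) is not None
```

The script exercises only the two name patterns; the chain validation against TLS_CAPath is performed by OpenSSL and is not modelled here.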

