[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

Heikki Vatiainen hvn at open.com.au
Wed Dec 14 07:36:21 CST 2011


On 12/14/2011 11:52 AM, Röver, Christian wrote:

> thank you for your fast reply. I commented out the two lines you suggested.
> There is no difference to see in the logs. 
> The stream server always gets disconnected when receiving a request.

Are the certificates still valid? You could do something like this to
check the Validity:

openssl x509 -noout -text -in cert-srv.pem

If the certificates seem to be ok, please reply with your full
configuration file (no secrets or passwords needed) and Trace 4 log file
that shows everything from Radiator startup to these error messages.

Thanks!


> Wed Dec 14 09:57:44 2011: DEBUG: Creating StreamServer tcp port
> 127.0.0.1:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Stream attempting tcp connection to
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Stream connected to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS sessionInit for xyz1.toplevel.de
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS Client Started for
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Stream attempting tcp connection to
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Stream connected to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS sessionInit for xyz2.toplevel.de
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS Client Started for
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Finished reading configuration file
> 'C:\Program Files\Radiator\radius.cfg'
> Wed Dec 14 09:57:45 2011: DEBUG: Reading dictionary file
> 'C:/radius/radiator/dictionary'
> Wed Dec 14 09:57:45 2011: DEBUG: Reading dictionary file
> 'C:/radius/radiator/dictionary.cisco'
> Wed Dec 14 09:57:45 2011: DEBUG: Creating authentication port 0.0.0.0:1645
> Wed Dec 14 09:57:45 2011: DEBUG: Creating authentication port 0.0.0.0:1812
> Wed Dec 14 09:57:45 2011: NOTICE: Server started: Radiator 4.9 on roaming
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:45 2011: ERR: StreamTLS client error: -1, 1, 4401,  1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> 
> Wed Dec 14 09:57:45 2011: DEBUG: Stream disconnected from
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:45 2011: ERR: StreamTLS client error: -1, 1, 4401,  1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> 
> Wed Dec 14 09:57:45 2011: DEBUG: Stream disconnected from
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:46 2011: DEBUG: Stream attempting tcp connection to
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: Stream connected to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS sessionInit for xyz2.toplevel.de
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS Client Started for
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: Stream attempting tcp connection to
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: Stream connected to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS sessionInit for xyz1.toplevel.de
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS Client Started for
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:47 2011: ERR: StreamTLS client error: -1, 1, 4401,  1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> 
> Wed Dec 14 09:57:47 2011: DEBUG: Stream disconnected from
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:47 2011: ERR: StreamTLS client error: -1, 1, 4401,  1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> 
> Wed Dec 14 09:57:47 2011: DEBUG: Stream disconnected from
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream attempting tcp connection to
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream connected to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS sessionInit for xyz1.toplevel.de
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS Client Started for
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream attempting tcp connection to
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream connected to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS sessionInit for xyz2.toplevel.de
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS Client Started for
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:48 2011: ERR: StreamTLS client error: -1, 1, 4401,  1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> 
> Wed Dec 14 09:57:48 2011: DEBUG: Stream disconnected from
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:48 2011: ERR: StreamTLS client error: -1, 1, 4401,  1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> 
> Wed Dec 14 09:57:48 2011: DEBUG: Stream disconnected from
> xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Packet dump:
> *** Received from x.x.x.222 port 1645 ....
> Code:       Access-Request
> Identifier: 185
> Authentic:  E<134><25>DgO<182><201>1<247><149><244><174><166>.<209>
> Attributes:
> 	User-Name = " username at otherinstitution.de"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "001e.4a8f.5290"
> 	Calling-Station-Id = "3cd0.f80a.c5db"
> 	Service-Type = Login
> 	Message-Authenticator =
> <243><254><249><158><160><208>E<182>u<1><240>Q$<184><186><26>
> 	EAP-Message = <2><1><0><24><1>username at otherinstitution.de
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 61565
> 	NAS-Port-Id = "61565"
> 	NAS-IP-Address = x.x.x.222
> 	NAS-Identifier = "apx.x.x.222"
> 
> Wed Dec 14 09:57:48 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> Wed Dec 14 09:57:48 2011: DEBUG:  Deleting session for
> username at otherinstitution.de, x.x.x.222, 61565
> Wed Dec 14 09:57:48 2011: DEBUG: Handling with Radius::AuthRADSEC
> Wed Dec 14 09:57:48 2011: DEBUG: Stream attempting tcp connection to
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream connected to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS sessionInit for xyz1.toplevel.de
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS Client Started for
> xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Packet dump:
> *** Sending request to RadSec xyz1.toplevel.de:2083 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  E<134><25>DgO<182><201>1<247><149><244><174><166>.<209>
> Attributes:
> 	User-Name = " username at otherinstitution.de"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "001e.4a8f.5290"
> 	Calling-Station-Id = "3cd0.f80a.c5db"
> 	Service-Type = Login
> 	Message-Authenticator =
> <243><254><249><158><160><208>E<182>u<1><240>Q$<184><186><26>
> 	EAP-Message = <2><1><0><24><1>username at otherinstitution.de
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 61565
> 	NAS-Port-Id = "61565"
> 	NAS-IP-Address = x.x.x.222
> 	NAS-Identifier = "apx.x.x.222"
> 	Proxy-State = OSC-Extended-Id=1
> 
> Wed Dec 14 09:57:48 2011: DEBUG: AuthBy RADSEC result: IGNORE,
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:48 2011: ERR: StreamTLS client error: -1, 1, 4401,  1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> 
> Wed Dec 14 09:57:48 2011: DEBUG: Stream disconnected from
> xyz1.toplevel.de:2083


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
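
Added example, not part of the original message and not Radiator code: the openssl command in the reply prints the Validity dates for reading by eye. The script below makes that check scriptable and goes one step further by also verifying that the certificate chains to the CA file the verifying side trusts, since an expired certificate and an unknown issuer both end in the same "certificate verify failed" error. The function names, file names and the throwaway test PKI are constructed for illustration.

```shell
#!/bin/sh
# cert_status CERT CAFILE [SECONDS]
# Prints one of: unreadable | expired | untrusted | expiring | ok
cert_status() {
    cert=$1; ca=$2; within=${3:-0}
    # Missing file or not a PEM certificate at all.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || { echo unreadable; return 0; }
    # notAfter already passed? (-checkend 0 exits non-zero if so)
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired; return 0
    fi
    # Does the chain build to the CA file? (also fails if not yet valid)
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo untrusted; return 0
    fi
    # Optional early warning: expires within the next $within seconds.
    if [ "$within" -gt 0 ] &&
       ! openssl x509 -noout -checkend "$within" -in "$cert" >/dev/null 2>&1; then
        echo expiring; return 0
    fi
    echo ok
}

# Constructed sample data: two unrelated self-signed CAs and one server
# certificate (valid for 1 day) issued by the first CA only.
make_demo_pki() {
    d=$1
    for ca in ca-good ca-other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radsec.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca-good.pem" \
        -CAkey "$d/ca-good.key" -CAcreateserial -days 1 \
        -out "$d/cert-srv.pem" 2>/dev/null
}

# Stand-alone use: sh check-cert.sh cert-srv.pem ca.pem [seconds]
if [ "$#" -ge 2 ]; then cert_status "$@"; fi
```

Run it against the local certificate with the CA file the peer uses, and against the peer's certificate with the locally configured CA file; either direction failing explains the disconnects.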

