[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed
Röver, Christian
christian.roever at hfk-bremen.de
Wed Dec 14 09:21:37 CST 2011
The posted logfile is the full trace 4 logging and the config I posted
before is the complete config (I only cut the descriptions and the lines that
were commented out).
The certificates are all valid and have been verified by the toplevel-ca.
Maybe it is useful to know that we have our own CA.
Our CA is the lowest in a row of three CAs. The CA files are all stored in
the CAPath folder together with our own CA's chain file.
The error message tells about problems with the verification of a
certificate. Is there any need to use the CA-files directly instead of the
CAPath?
Another question is: we use eaptls for the communication with our ldap
server (this works!), but we have to use TLS for radsec with the toplevel
server. Might there be a problem?
Thank you in advance!
Christian
On 12/14/2011 11:52 AM, Röver, Christian wrote:
> thank you for your fast reply. I commented out the two lines you
> suggested.
> There is no difference to see in the logs.
> The stream server always gets disconnected when receiving a request.
Are the certificates still valid? You could do something like this to check
the validity:
openssl x509 -noout -text -in cert-srv.pem
If the certificates seem to be ok, please reply with your full configuration
file (no secrets or passwords needed) and Trace 4 log file that shows
everything from Radiator startup to these error messages.
Thanks!
> Wed Dec 14 09:57:44 2011: DEBUG: Creating StreamServer tcp port 127.0.0.1:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Stream attempting tcp connection to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Stream connected to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS sessionInit for xyz1.toplevel.de
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS Client Started for xyz1.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Stream attempting tcp connection to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Stream connected to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS sessionInit for xyz2.toplevel.de
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS Client Started for xyz2.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
> Wed Dec 14 09:57:45 2011: DEBUG: Reading dictionary file 'C:/radius/radiator/dictionary'
> Wed Dec 14 09:57:45 2011: DEBUG: Reading dictionary file 'C:/radius/radiator/dictionary.cisco'
> Wed Dec 14 09:57:45 2011: DEBUG: Creating authentication port 0.0.0.0:1645
> Wed Dec 14 09:57:45 2011: DEBUG: Creating authentication port 0.0.0.0:1812
> Wed Dec 14 09:57:45 2011: NOTICE: Server started: Radiator 4.9 on roaming
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:45 2011: ERR: StreamTLS client error: -1, 1, 4401, 1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Wed Dec 14 09:57:45 2011: DEBUG: Stream disconnected from xyz1.toplevel.de:2083
> Wed Dec 14 09:57:45 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:45 2011: ERR: StreamTLS client error: -1, 1, 4401, 1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Wed Dec 14 09:57:45 2011: DEBUG: Stream disconnected from xyz2.toplevel.de:2083
> Wed Dec 14 09:57:46 2011: DEBUG: Stream attempting tcp connection to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: Stream connected to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS sessionInit for xyz2.toplevel.de
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS Client Started for xyz2.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: Stream attempting tcp connection to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: Stream connected to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS sessionInit for xyz1.toplevel.de
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS Client Started for xyz1.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:47 2011: ERR: StreamTLS client error: -1, 1, 4401, 1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Wed Dec 14 09:57:47 2011: DEBUG: Stream disconnected from xyz1.toplevel.de:2083
> Wed Dec 14 09:57:47 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:47 2011: ERR: StreamTLS client error: -1, 1, 4401, 1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Wed Dec 14 09:57:47 2011: DEBUG: Stream disconnected from xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream attempting tcp connection to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream connected to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS sessionInit for xyz1.toplevel.de
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS Client Started for xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream attempting tcp connection to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream connected to xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS sessionInit for xyz2.toplevel.de
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS Client Started for xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:48 2011: ERR: StreamTLS client error: -1, 1, 4401, 1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Wed Dec 14 09:57:48 2011: DEBUG: Stream disconnected from xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:48 2011: ERR: StreamTLS client error: -1, 1, 4401, 1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Wed Dec 14 09:57:48 2011: DEBUG: Stream disconnected from xyz2.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Packet dump:
> *** Received from x.x.x.222 port 1645 ....
> Code: Access-Request
> Identifier: 185
> Authentic: E<134><25>DgO<182><201>1<247><149><244><174><166>.<209>
> Attributes:
> User-Name = " username at otherinstitution.de"
> Framed-MTU = 1400
> Called-Station-Id = "001e.4a8f.5290"
> Calling-Station-Id = "3cd0.f80a.c5db"
> Service-Type = Login
> Message-Authenticator =
> <243><254><249><158><160><208>E<182>u<1><240>Q$<184><186><26>
> EAP-Message = <2><1><0><24><1>username at otherinstitution.de
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 61565
> NAS-Port-Id = "61565"
> NAS-IP-Address = x.x.x.222
> NAS-Identifier = "apx.x.x.222"
>
> Wed Dec 14 09:57:48 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Wed Dec 14 09:57:48 2011: DEBUG: Deleting session for username at otherinstitution.de, x.x.x.222, 61565
> Wed Dec 14 09:57:48 2011: DEBUG: Handling with Radius::AuthRADSEC
> Wed Dec 14 09:57:48 2011: DEBUG: Stream attempting tcp connection to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Stream connected to xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS sessionInit for xyz1.toplevel.de
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS Client Started for xyz1.toplevel.de:2083
> Wed Dec 14 09:57:48 2011: DEBUG: Packet dump:
> *** Sending request to RadSec xyz1.toplevel.de:2083 ....
> Code: Access-Request
> Identifier: 1
> Authentic: E<134><25>DgO<182><201>1<247><149><244><174><166>.<209>
> Attributes:
> User-Name = " username at otherinstitution.de"
> Framed-MTU = 1400
> Called-Station-Id = "001e.4a8f.5290"
> Calling-Station-Id = "3cd0.f80a.c5db"
> Service-Type = Login
> Message-Authenticator =
> <243><254><249><158><160><208>E<182>u<1><240>Q$<184><186><26>
> EAP-Message = <2><1><0><24><1>username at otherinstitution.de
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 61565
> NAS-Port-Id = "61565"
> NAS-IP-Address = x.x.x.222
> NAS-Identifier = "apx.x.x.222"
> Proxy-State = OSC-Extended-Id=1
>
> Wed Dec 14 09:57:48 2011: DEBUG: AuthBy RADSEC result: IGNORE,
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 2, 4400
> Wed Dec 14 09:57:48 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Dec 14 09:57:48 2011: ERR: StreamTLS client error: -1, 1, 4401, 1768: 1
> - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Wed Dec 14 09:57:48 2011: DEBUG: Stream disconnected from xyz1.toplevel.de:2083
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
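An added example for the two checks this thread turns on, not code from the Radiator list, from OSC or from either poster: the validity check behind the openssl hint above, and the CAPath question. A CAPath directory is not scanned; OpenSSL looks a CA up by a file named after its subject hash (<hash>.0, what c_rehash creates), so a CA file that is present but not reachable by hash is invisible to the client, which then fails exactly like "certificate verify failed". The script assumes only that the openssl CLI is on PATH; all certificates it uses are constructed by the script itself as a three-level chain (root, intermediate, RadSec leaf), matching a CA that is the lowest of three, and every path is a placeholder.

```sh
#!/bin/sh
# Added example (not Radiator's or OSC's code). Assumes the openssl CLI is on
# PATH; every certificate is constructed here and every path is a placeholder.

# 1. Validity dates, as in the openssl hint above; fails if the cert has expired.
check_validity() {
    cert="$1"
    openssl x509 -noout -dates -in "$cert" || return 1
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null
}

# 2. Report every CA file in a CAPath directory that has no <subject-hash>.0
#    name or link; without it the lookup silently misses that CA.
check_capath_hashes() {
    dir="$1"; rc=0
    for ca in "$dir"/*.pem; do
        [ -f "$ca" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$ca") || return 1
        if [ ! -e "$dir/$h.0" ]; then
            echo "no hash link $h.0 for $ca" >&2
            rc=1
        fi
    done
    return $rc
}

# 3. Build the chain the way a TLS peer will: from the CAPath only.
verify_chain() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Constructed demonstration: root -> intermediate -> leaf. Verification must
# fail while only the root is hash-linked and succeed once the intermediate
# is linked too. Returns 0 only if both outcomes are observed.
demo_three_level_chain() {
    work=$(mktemp -d) || return 1
    capath="$work/capath"; mkdir "$capath"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$work/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$work/int.key" -out "$work/int.csr" 2>/dev/null || return 1
    openssl x509 -req -days 2 -in "$work/int.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
        -CAcreateserial -extfile "$work/ca.ext" -out "$work/int.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radsec.example.test" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -days 2 -in "$work/leaf.csr" -CA "$work/int.pem" -CAkey "$work/int.key" \
        -CAcreateserial -out "$work/leaf.pem" 2>/dev/null || return 1

    # Only the root is reachable by hash: the leaf's issuer cannot be found.
    cp "$work/root.pem" "$capath/root.pem"
    ln -s root.pem "$capath/$(openssl x509 -noout -subject_hash -in "$capath/root.pem").0"
    if verify_chain "$work/leaf.pem" "$capath"; then
        echo "unexpected: leaf verified without its intermediate" >&2
        rm -rf "$work"; return 1
    fi

    # Add the intermediate with its hash link: the chain now builds.
    cp "$work/int.pem" "$capath/int.pem"
    ln -s int.pem "$capath/$(openssl x509 -noout -subject_hash -in "$capath/int.pem").0"
    check_capath_hashes "$capath" || { rm -rf "$work"; return 1; }
    verify_chain "$work/leaf.pem" "$capath" || { rm -rf "$work"; return 1; }
    check_validity "$work/leaf.pem" >/dev/null || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# Usage: sh radsec-cert-check.sh demo   (runs the constructed demonstration),
# or source this file and call check_validity, check_capath_hashes and
# verify_chain on your own certificate and CAPath directory.
if [ "${1:-}" = "demo" ]; then
    demo_three_level_chain && echo "three-level CAPath check: ok"
fi
```

Running verify_chain against the CAPath the RadSec client is configured with, rather than against the CA files by name, reproduces what the TLS handshake sees; if it fails while check_capath_hashes reports a missing link, the fix is the hash link (or c_rehash on the directory), not the certificate.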