[RADIATOR] EAP TLS issues "routines:SSL3_READ_BYTES:tlsv1 alert access denied"

Jeffrey Smith doc at neonova.net
Wed Feb 19 15:02:51 CST 2014


Heikki,
  Thanks for the links.  I did come across that in my Googling.  My
certificate reports:

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

It doesn't mention the OID specifically, just the text as given.  The cert
is from RapidSSL, as an aside.  Other clients treat this differently as
well.  An Android device will successfully auth according to the debug logs
but never connects to the AP, as it seems to time out.  And a Mac OS X device
just authenticates successfully over and over and over again, per the debug
logs, without connecting.  It's really bothersome that all the devices
aren't behaving the same way, since I have the feeling if I can find a way
to fix it for one the others will continue to fail.

Given that, I'm at a loss on how to continue to debug this issue.  Do you
have any other suggestions or can I provide any more logs?

Alan,
  To make sure I'm on the same page with you, I'm guessing by "supplicant"
you mean the wireless client (in this case a Windows 7 laptop)? There's no
configuration that pops up immediately on that one.  I tell it to connect
to the network and it pops up a username / password dialog, with no other
options to set.

I'm under the impression that no certs need to be installed on clients for
this to function correctly, is that the case?

Thanks,
Jeff Smith
Network Engineer
Neonova Network Services
(919) 460-3330
doc at neonova.net


On Wed, Feb 19, 2014 at 3:32 PM, Heikki Vatiainen <hvn at open.com.au> wrote:

On 02/19/2014 10:08 PM, Jeffrey Smith wrote:

> Wed Feb 19 10:59:58 2014: ERR: EAP PEAP TLS read failed:  13601: 1 -
> error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Here's one more possibility from the list archives:
http://www.open.com.au/pipermail/radiator/2004-August/009982.html

I agree with Alan that the AP client probably does not care but the
other client does.

In addition to what has already been suggested, I'd check the Radiator
certificate to see the Extended Key Usage (EKU) is there.

http://support.microsoft.com/kb/814394

Thanks,
Heikki


--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
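
Added example, not part of the original thread and not Radiator code: a Python walk over a DER certificate that finds the extendedKeyUsage extension Heikki suggests checking and returns the OIDs behind the text names OpenSSL prints. The function names are hypothetical and the sample bytes are a constructed extension, not a real certificate.

```python
EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # OpenSSL: "TLS Web Server Authentication"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # OpenSSL: "TLS Web Client Authentication"
# Constructed sample: one Extension carrying serverAuth and clientAuth.
SAMPLE_EXT = bytes.fromhex("301d0603551d250416301406082b06010505070301"
                           "06082b06010505070302")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in buf[start:end]."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der, start=0, end=None):
    """Return the list of EKU OIDs, or None when there is no EKU extension."""
    items = list(children(der, start, len(der) if end is None else end))
    for tag, vs, ve in items:
        if tag == 0x06 and decode_oid(der[vs:ve]) == EKU_EXT:
            # Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
            _, seq_s, seq_e = read_tlv(der, items[-1][1])
            return [decode_oid(der[a:b]) for _, a, b in children(der, seq_s, seq_e)]
        if tag & 0x20:                     # constructed element: descend into it
            found = eku_oids(der, vs, ve)
            if found is not None:
                return found
    return None

def server_auth_ok(der):
    """True when the EKU extension is present and lists serverAuth."""
    return SERVER_AUTH in (eku_oids(der) or [])
```

For a PEM file, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert(pem_text)` and pass the result to `server_auth_ok`.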