[RADIATOR] EAP TLS issues "routines:SSL3_READ_BYTES:tlsv1 alert access denied"

Sami Keski-Kasari samikk at open.com.au
Wed Feb 19 15:14:09 CST 2014


Hello Jeff,

I think that the Android and Mac OS X problems will be solved if you add the
configuration parameter AutoMPPEKeys to the outer handler.

It is needed so that the encryption keys for the WLAN connection can be calculated.

In the Windows case:
Because the client is sending that alert message, it is hard to say the exact
reason without seeing your client configuration.

Do you have your CA certificate installed on your Windows machine?
You probably need to go to the wireless settings and check what CA
certificates are accepted for your connection.

Best Regards,
 Sami


On 02/19/2014 11:02 PM, Jeffrey Smith wrote:
> Heikki,
>   Thanks for the links.  I did come across that in my Googling.  My
> certificate reports:
> 
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
> 
> It doesn't mention the OID specifically just the text as given.  The cert
> is from RapidSSL as an aside.  Other clients treat this differently as
> well.  An Android device will successfully auth according to the debug logs
> but never connects to the AP as it seems to time out. And a Mac OSX device
> just authenticates successfully over and over and over again, per the debug
> logs, without connecting.  It's really bothersome that all the devices
> aren't behaving the same way, since I have the feeling if I can find a way
> to fix it for one the others will continue to fail.
> 
> Given that, I'm at a loss on how to continue to debug this issue.  Do you
> have any other suggestions or can I provide any more logs?
> 
> Alan,
>   To make sure I'm on the same page with you, I'm guessing by "supplicant"
> you mean the wireless client (in this case a Windows 7 laptop)? There's no
> configuration that pops up immediately on that one.  I tell it to connect
> to the network and it pops up a username / password dialog, with no other options
> to set.
> 
> I'm under the impression that no certs need to be installed on clients for
> this to function correctly, is that the case?
> 
> Thanks,
> Jeff Smith
> Network Engineer
> Neonova Network Services
> (919) 460-3330
> doc at neonova.net
> 
> 
> On Wed, Feb 19, 2014 at 3:32 PM, Heikki Vatiainen <hvn at open.com.au> wrote:
> 
> On 02/19/2014 10:08 PM, Jeffrey Smith wrote:
> 
>> Wed Feb 19 10:59:58 2014: ERR: EAP PEAP TLS read failed:  13601: 1 -
>> error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> 
> Here's one more possibility from the list archives:
> http://www.open.com.au/pipermail/radiator/2004-August/009982.html
> 
> I agree with Alan that the AP client probably does not care but the
> other client does.
> 
> In addition to what has already been suggested, I'd check the Radiator
> certificate to see the Extended Key Usage (EKU) is there.
> 
> http://support.microsoft.com/kb/814394
> 
> Thanks,
> Heikki
> 
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Sami Keski-Kasari <samikk at open.com.au>
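
An added example, not part of the original message or of Radiator: a small Python decoder for the packed OpenSSL error code in the log line quoted above. It assumes the OpenSSL 1.0.x layout (8 bits library, 12 bits function, 12 bits reason); the sample line is the quoted log entry re-joined onto one line. A reason of 1000 + N means TLS alert N was received from the peer, which is why the alert here points at the client's own trust settings.

```python
import re

# Certificate- and trust-related TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
}

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for an alert sent by the peer

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# The log entry quoted in the thread, re-joined onto a single line.
SAMPLE = ("Wed Feb 19 10:59:58 2014: ERR: EAP PEAP TLS read failed:  13601: 1 - "
          "error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")


def decode_openssl_error(line):
    """Split an OpenSSL 1.0.x packed error code into lib/func/reason.

    Returns None when the line has no 'error:XXXXXXXX:' token.
    """
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert number the peer sent
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "alert_name": TLS_ALERTS.get(alert)}


if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```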
