[RADIATOR] Limits on EAPTLS_PrivateKeyPassword

Heikki Vatiainen hvn at open.com.au
Fri Jun 13 08:54:24 CDT 2014

On 06/12/2014 07:36 PM, Michael Hulko wrote:

> We have just renewed our certificates on our servers, and windows
> clients are unable to authenticate.

I would check the CA certificate and the certificate chain first. If,
for example, Radiator is not returning the correct CA chain, you can get
errors from the clients.

> Without having to select “Validate server certificate” in a wireless
> profile, Windows usually presents a security box informing you that the
> certificate may no be trusted and /  or is not bound as the root anchor.
>  From there you can continue and access is granted.
> However, since implementing our new certificates, 
> Windows7 is not presenting any warnings, the radiator log files continue
> with challenges and requests continually.  
> Windows8 just rejects the authentication outright:  Thu Jun 12 11:05:43
> 2014: ERR: EAP PEAP TLS read failed:  19984: 1 - error:14094419:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert access denied

I think I have seen this error when the Windows client does not accept
the CA certificates the server sends.

> If I take our original certificate that DOES work with Windows7 / 8, and
> I remove the PrivateKeyPassword or change it, I get the same behaviour
> on both OS’s.

If the private key password is not correct, assuming it is required (see
below), Radiator can not load the private key corresponding to the
certificate the EAP method requires.

In this case you should see an error in Radiator log file. This should
happen as soon as the first EAP request is received by Radiator. If the
private key can not be loaded, the EAP authentication will fail.

> So.. two things are likely the culprit,  either the private key provided
> to create the cert is wrong… or Radiator limits what characters can be
> used for the private key.

I think you should see from the logs if the private key is wrong or not.
The PrivateKeyPassword key is needed to decrypt the private key if it is
stored in encrypted form in the file system. If PrivateKeyPassword is
required (the private key is encrypted) but you have configured a wrong
value for it, then decrypting the private key will fail and there's no
good key to use with the certificate.

When this happens, the EAP method that needs the certificate will not work.

> Any assistance would be grateful

Do this:
1. Check for any errors in Radiator configuration related to loading the
private key
2. If the key loads, check that the EAPTLS_CAFile and the other
certificate parameters have valid CAs and the certificate chain is correct.


Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list