[RADIATOR] Issue with EAP Authentication

Chris Phillips Chris.Phillips at canarie.ca
Tue Jul 28 18:27:14 UTC 2020


A quick google on the error gave me:

 

https://forums.openvpn.net/viewtopic.php?t=23979

 

and this stood out to me: 

 

I had this problem with the OpenVPN for Android app. See the explanation in the following link.
http://ics-openvpn.blinkt.de/FAQ.html

I circumvented/fixed the problem by editing the openssl-1.0.0.cnf file in my easy-rsa directory and changing "default_md" from md5 to sha256 and then regenerating my certificates.

 

Seems like a path to take a look at.

I haven’t encountered the issue personally but would look at your certificate creation process to see if you can bump to SHA256 and regenerate the cert.

 

C.

 

 

 

From: radiator <radiator-bounces at lists.open.com.au> on behalf of Brandon Shiers <brandon.shiers at cerento.com>
Date: Tuesday, July 28, 2020 at 1:00 PM
To: "radiator at lists.open.com.au" <radiator at lists.open.com.au>
Subject: [RADIATOR] Issue with EAP Authentication

 

We are working on migrating an EAPTLS setup from Radiator 3.13 up to Radiator 4.19.  I’ve moved the relevant certificates and configuration and when I try to have my endpoint device authenticate I’m getting the same error: 

 

Tue Jul 28 10:53:17 2020: ERR: TLS could not use_certificate_file /etc/radiator/cert/certificates/radius.pem, 1:  2956: 1 - error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

 

The key is signed with 2048-bits and RSA encryption, md5.  I’m using the AuthbyFreeRadius handler for this.  

 

I sent a message yesterday but I wasn’t getting any replies, so I’m not sure if it was blocked due to spam or not.  I’m not sure where I need to go.  I don’t really want to regenerate new certificates but if that’s my only option I will.  I did set EAPTLS_SecurityLevel to 1 and that didn’t help.  

 

 Brandon Shiers, RF Engineer
 937 West Main Street
Riverton, WY 82501
 307.857.6704 (o)
307.840.2366 (c)
307.856.1499 (f)
BrandonS at wyoming.com
 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20200728/1e5b9d12/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4340 bytes
Desc: not available
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20200728/1e5b9d12/attachment-0001.p7s>


More information about the radiator mailing list