Re: EAP-TLS Certificate problems.

Brian vb wrote:
the radius systems log. I have created 3 certificates, Root, Client, Server.
The Root and Client certificates were installed via the MMC snapin and
Import wizard in XP.  Any idea on what could be causing the errors? If I

On the server, the certificates are in *files* yes?

 tls: private_key_file = "C:/Docume~1/radius/rcerts/cert-srv.pem"
 tls: certificate_file = "C:/Docume~1/radius/rcerts/cert-srv.pem"
 tls: CA_file = "C:/Docume~1/radius/rcerts/root.pem"
 tls: private_key_password = "SuperSecretCode"

They're there and valid?

Sending Access-Challenge of id 50 to 10.1.1.189 port 1039
        EAP-Message = 0x0104000a0d8000000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd2f07585b4ad88459f3f0f28a7fa6fb2
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 48 with timestamp 45283c27
Cleaning up request 1 ID 49 with timestamp 45283c27
Cleaning up request 2 ID 50 with timestamp 45283c27
Nothing to do.  Sleeping until we see a request.

This looks like the server certificate doesn't have the magic oids - the XP client stops halfway through. Search the archives for "magic oids".

Error 1 is seen if I have Validate Server Certificate check on the XP
Laptop.

--Error 1--
Sat Oct  7 19:35:58 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
------

Error 2 is seen if Validate is unchecked on the laptop

--Error 2--
Sat Oct  7 19:34:35 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Sat Oct  7 19:34:35 2006 : Error: --> verify error:num=20:unable to get local issuer certificate
Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client certificate B
Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/<no
User-Password attribute>] (from client netnas port 11 cli 0014a5104864)
-----

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
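The "magic oids" the reply refers to are the Extended Key Usage values the Windows XP supplicant insists on: the server certificate must carry id-kp-serverAuth (1.3.6.1.5.5.7.3.1), and client certificates id-kp-clientAuth (1.3.6.1.5.5.7.3.2); FreeRADIUS ships an xpextensions OpenSSL config for exactly this purpose. The script below is an added example, not code from this thread or from FreeRADIUS. It reads a PEM or DER certificate such as the cert-srv.pem named in the config above, walks the DER with the standard library only, lists the EKU purposes present, and flags a server certificate that lacks serverAuth. The two embedded sample blobs are constructed, minimal DER structures (an outer SEQUENCE, the [3] EXPLICIT Extensions wrapper and one extension each), not real certificates; the function and constant names are this example's own.

```python
"""Report the Extended Key Usage (EKU) purposes in an X.509 certificate.

Added example (not from the thread or from FreeRADIUS): standard-library
only, so it runs on the RADIUS host without extra packages.  The DER walker
below is the minimum needed to locate one extension; it is not a general
ASN.1 parser."""
import base64
import re
import sys

EKU_EXT_OID = "2.5.29.37"            # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, required by the XP supplicant
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth, expected on client certs


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted text."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def _oid_sequence(raw):
    """Parse a DER SEQUENCE OF OBJECT IDENTIFIER (the EKU value) to a list."""
    _, pos, end = _read_tlv(raw, 0)
    oids = []
    while pos < end:
        tag, s, e = _read_tlv(raw, pos)
        if tag == 0x06:
            oids.append(_decode_oid(raw[s:e]))
        pos = e
    return oids


def _find_eku(buf, pos, end):
    """Walk constructed nodes; the OCTET STRING that follows the EKU OID
    (optionally after a 'critical' BOOLEAN) holds the purpose list."""
    prev_oid = None
    while pos < end:
        tag, s, e = _read_tlv(buf, pos)
        pos = e
        if tag == 0x06:                                 # OBJECT IDENTIFIER
            prev_oid = _decode_oid(buf[s:e])
        elif tag == 0x01:                               # BOOLEAN 'critical' flag
            pass
        elif tag == 0x04 and prev_oid == EKU_EXT_OID:   # extnValue of the EKU extension
            return _oid_sequence(buf[s:e])
        else:
            if tag & 0x20:                              # constructed node: descend
                found = _find_eku(buf, s, e)
                if found is not None:
                    return found
            prev_oid = None
    return None


def load_der(data):
    """Accept a PEM file (as certificate_file is) or raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def eku_purposes(data):
    """List the EKU OIDs in the certificate, or None if the extension is absent."""
    der = load_der(data)
    _, s, e = _read_tlv(der, 0)
    return _find_eku(der, s, e)


def check_server_cert(data):
    """'ok' if serverAuth is present, otherwise why the XP client would stop."""
    purposes = eku_purposes(data)
    if purposes is None:
        return "no-eku"
    return "ok" if SERVER_AUTH in purposes else "eku-without-serverauth"


# Constructed sample DER (not real certificates): outer SEQUENCE, the [3]
# EXPLICIT Extensions wrapper, and a single extension in each.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content     # short-form lengths suffice here

SAMPLE_SERVER_DER = _tlv(0x30, _tlv(0xA3, _tlv(0x30, _tlv(0x30,
    _tlv(0x06, bytes.fromhex("551D25"))                  # 2.5.29.37 extKeyUsage
    + _tlv(0x01, b"\xff")                                # critical TRUE
    + _tlv(0x04, _tlv(0x30, _tlv(0x06, bytes.fromhex("2B06010505070301"))))))))
SAMPLE_SERVER_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_SERVER_DER)
                     + b"\n-----END CERTIFICATE-----\n")
SAMPLE_NO_EKU_DER = _tlv(0x30, _tlv(0xA3, _tlv(0x30, _tlv(0x30,
    _tlv(0x06, bytes.fromhex("551D13"))                  # 2.5.29.19 basicConstraints only
    + _tlv(0x04, _tlv(0x30, b""))))))

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print("EKU purposes:", eku_purposes(blob), "->", check_server_cert(blob))
```

Run it against the server certificate (`python check_eku.py cert-srv.pem`): "no-eku" or "eku-without-serverauth" matches the symptom in the reply, where XP silently abandons the handshake after the server hello. Run against the client certificate, expect clientAuth in the list instead. Note that Error 2's "verify error:num=20:unable to get local issuer certificate" is a separate problem from the EKU: it means the CA_file on the server does not contain the CA that signed the client certificate.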

Since you've obviously performed some kind of surgery on the debug logs here, it's difficult to determine precisely what the context for these two errors are. What is the single, full, unaltered debug output for the failure case you're actually trying to solve?