eap_peap: fatal access_denied error

Wegener, Norbert norbert.wegener at atos.net
Thu Mar 9 13:16:04 CET 2017


What has happened before, as the session was rejected?

(9) eap_peap:   The users session was previously rejected: returning reject (again.)
(9) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap:   to find out the reason why the user was rejected
(9) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you

Norbert Wegener
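The advice above is to read backwards from the "previously rejected" line. As an added illustration (not code from the FreeRADIUS project or from anyone in this thread), the following script groups `radiusd -X` output by request number, skips the hint lines that merely mention "reject", and reports the earliest lines that name a failure; the sample log is constructed from the thread's own lines plus invented inner-tunnel lines for request (8).

```python
"""Triage helper for FreeRADIUS debug output (radiusd -X).

Added example: groups numbered debug lines by request id and reports the
earliest "reject"/"fail"/"ERROR" lines that precede the final
'previously rejected' message.
"""
import re

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")          # "(9) eap_peap: ..."
CAUSE_RE = re.compile(r"reject|fail|error", re.IGNORECASE)
# Hint lines are printed *after* the failure and contain the keywords,
# but they are not the cause, so they are excluded from the results.
HINT_RE = re.compile(
    r'previously rejected|Look for "reject"|read the PREVIOUS|why the user was rejected')

# Constructed sample modelled on the thread's output; the request (8) lines
# are invented here to show what an earlier, real cause looks like.
SAMPLE_DEBUG = """\
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap:   The users session was previously rejected: returning reject (again.)
(9) eap_peap:   to find out the reason why the user was rejected
(9) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
(9) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(9) eap: Sending EAP Failure (code 4) ID 10 length 4
(9)   } # authenticate = invalid
"""


def parse(debug_text):
    """Yield (request_id, message) for every numbered debug line."""
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield int(m.group(1)), m.group(2).strip()


def rejected_requests(debug_text):
    """Request ids whose authenticate section ended in invalid/reject."""
    return sorted({rid for rid, msg in parse(debug_text)
                   if msg.endswith("authenticate = invalid")
                   or msg.endswith("authenticate = reject")})


def first_causes(debug_text, limit=3):
    """Earliest non-hint lines mentioning reject/fail/error, in log order."""
    hits = []
    for rid, msg in parse(debug_text):
        if CAUSE_RE.search(msg) and not HINT_RE.search(msg):
            hits.append((rid, msg))
            if len(hits) == limit:
                break
    return hits


if __name__ == "__main__":
    print("rejected requests:", rejected_requests(SAMPLE_DEBUG))
    for rid, msg in first_causes(SAMPLE_DEBUG):
        print(f"({rid}) {msg}")
```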

-----Original Message-----
From: Freeradius-Users 
[mailto:freeradius-users-bounces+norbert.wegener=atos.net at lists.freeradius.org] 
On Behalf Of mustafa mujahid
Sent: Thursday, March 09, 2017 12:50 PM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error

I've been trying again, but I keep coming back to this.


(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x930263939b087afc
(9) eap: Finished EAP session with state 0x930263939b087afc
(9) eap: Previous EAP request found for state 0x930263939b087afc, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap:   The users session was previously rejected: returning reject (again.)
(9) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap:   to find out the reason why the user was rejected
(9) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
(9) eap_peap:   what went wrong, and how to fix the problem
(9) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(9) eap: Sending EAP Failure (code 4) ID 10 length 4
(9) eap: Failed in EAP select
(9)     [eap] = invalid
(9)   } # authenticate = invalid



Any help on this would be much appreciated.


BR/Mustafa.


________________________________
From: Freeradius-Users 
<freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on 
behalf of mustafa mujahid <mustafa.mujahid at outlook.com>
Sent: Thursday, March 9, 2017 1:53 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error


PFA.

________________________________
From: Freeradius-Users 
<freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on 
behalf of mustafa mujahid <mustafa.mujahid at outlook.com>
Sent: Thursday, March 9, 2017 12:53 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error

Hi, so I re-created the certificates in the certs directory. I'm no longer 
getting the 'fatal access denied' error, but this time I got this after a 
long 11-page debug output:


WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state ...... did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



I researched the link provided and it seems that the client certificate requires 
the OID mentioned in the xpextension file to be present in it. But what I don't 
understand is how I can incorporate this OID into the certificate. I created 
the certificates using the 'bootstrap' script in the certs directory.


Should I manually run the commands present in the README file, or should the 
make command automatically generate the certs and include the OID, or would I 
have to do it myself?

   Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:

Right, the above is a part of the client.crt file. Please guide me in this 
regard and excuse any lapse in understanding that I may have. By the way, I 
attached a screenshot of the prompt I received on the client machine when first 
authenticated.


BR/Mustafa


________________________________
From: Freeradius-Users 
<freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on 
behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, March 8, 2017 10:05 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error

On Mar 8, 2017, at 12:53 PM, mustafa mujahid <mustafa.mujahid at outlook.com> 
wrote:
>
> Hello all, I've been trying to authenticate LAN on a Cisco 2960 switch. I've 
> done configurations with PAP but this is the first time working with EAP. I 
> have run into a bit of an issue. I receive a 'fatal: access denied' error in 
> the debug log while testing with a single client.  Radius version is 3.0.12

  Using Google, the first link is:

https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Certificate-problems

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html