John Dennis wrote:
[snip] Did you edit your eap.conf file to point to radius2.pem? Did you set your private_key_password in eap.conf to match $PASSWORD_CA used above? BTW, don't use the same password as in the example ;-)
Did you verify the certs as suggested above?
Saying something doesn't work isn't helpful, the log output would be helpful.
-- John Dennis <jdennis@redhat.com>
Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yep did all that. I think I was working on this too long, starting to see double. On the machine where I generate the certificate: openssl verify -CAfile ca.pem lx0008.pem lx0008.pem: OK However if I copy the file over to the other machine: openssl verify -CAfile ca.pem lx0008.pem lx0008.pem: /C=NL/ST=Radius/O=AOg/CN=Radius Certificate/emailAddress=nw@aog.nl error 9 at 0 depth lookup:certificate is not yet valid But I discoverd a time sync issue here. Clocks are 10 min. apart. This was a bit of clue, right. So I checked the client I was testing this on, and it was a day behind. So it could never validate the certificate. So setting up some time synchronisation resolved this. openssl verify -CAfile ca.pem lx0008.pem lx0008.pem: OK Here's the log output of the failed attempt. The eap exchange stops at: Sending Access-Challenge After setting time right it works as expected. Thanks for all help! Rg, Arnaud rad_recv: Access-Request packet from host 10.6.254.189:1024, id=51, length=214 Framed-MTU = 1480 NAS-IP-Address = 10.6.254.189 NAS-Identifier = "ENNR" User-Name = "lsa@aog.nl" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-18-fe-57-b7-60" Calling-Station-Id = "00-d0-59-9d-9a-3c" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "138" State = 0x271f405150fffa1a648249140e571065 EAP-Message = 0x022200061500 Message-Authenticator = 0xd9de91ff01317e671b475cdf3125a11a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: Looking up realm "aog.nl" for User-Name = "lsa@aog.nl" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "lsa" rlm_realm: Proxying request from user lsa to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 34 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 3 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 Found Autz-Type asa Processing the authorize section of radiusd.conf modcall: entering group asa for request 3 radius_xlat: 'lsa' rlm_sql (asa): sql_set_user escaped user --> 'lsa' radius_xlat: 'SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' AND Actief = 1 ORDER BY UserID' rlm_sql (asa): Reserving sql socket id: 1 radius_xlat: '' radius_xlat: 'SELECT UserID,Usernaam,'Reply-Message' AS Attribute, Achternaam, '=' AS Op from bas_user WHERE Usernaam = 'lsa' AND Actief = 1 ORDER BY UserID ' radius_xlat: '' rlm_sql (asa): Released sql socket id: 1 modcall[authorize]: module "asa" returns ok for request 3 rlm_pap: Normalizing SHA-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group asa (returns ok) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 51 to 10.6.254.189 port 1024 Service-Type = Framed-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "132" Reply-Message = "Loonstra" EAP-Message = 0x0123040a15c000000969c8049aa1fa621dd38e41b929518a3c23d2fd05e03097c2956b56307195bb23fef70dc1288f83798a26c511427a6226b15e62cbe20135878672c254894d8b5cac9600051c3082051830820400a003020102020900d7489a39739dc2be300d06092a864886f70d01010505003081b8310b3009060355040613024e4c310f300d060355040813065261646975733119301706035504071310416d6172616e746973205261646975733121301f060355040a1318416d6172616e746973204f6e64657277696a7367726f65703129302706092a864886f70d010901161a6e65747765726b62656865657240616d6172616e7469732e EAP-Message = 0x6e6c312f302d06035504031326416d6172616e7469732052616469757320436572746966696361746520417574686f72697479301e170d3038303932323133323131395a170d3138303932303133323131395a3081b8310b3009060355040613024e4c310f300d060355040813065261646975733119301706035504071310416d6172616e746973205261646975733121301f060355040a1318416d6172616e746973204f6e64657277696a7367726f65703129302706092a864886f70d010901161a6e65747765726b62656865657240616d6172616e7469732e6e6c312f302d06035504031326416d6172616e746973205261646975732043657274 EAP-Message = 0x6966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b638d7f91164627f1f26b1b9c6b80c60d0f5f09788d12f7f8e05f4d5c56d3e7c12d45c07c7d4c6549924ffa6f89ffbb8e05c27479f62c7829d11eb919da7756ae3fa7d04b0830838c664c9b36be9621932cd6c212135c0c390942d191fe61d6aa63c41db73c2ff9590bc551547b5ef43cdd433a85ff6d012573eb4a6d1597c900ef9117eb0ae006b41649b4ab71e1243c8e4cf3abee6f062494669453f9619b0f4815684380f3bedda3b66ca5cfe47f57e9f272fa1e3f4a7d5945c439e92ddd2d5a037caedd024b98b846a EAP-Message = 0xd1671051f441d970f0424d695f96cb1336d5225febae79a91606fecfe2be75698c6c4fc512edc155f6d7ec2556f01d325126cee3ef0203010001a38201213082011d301d0603551d0e0416041439c24dc7a03a56dacbc5217ae8deaabbe13a1c193081ed0603551d230481e53081e2801439c24dc7a03a56dacbc5217ae8deaabbe13a1c19a181bea481bb3081b8310b3009060355040613024e4c310f300d060355040813065261646975733119301706035504071310416d6172616e746973205261646975733121301f060355040a1318416d6172616e746973204f6e64657277696a7367726f65703129302706092a864886f70d010901161a6e65 EAP-Message = 0x747765726b62656865657240616d6172616e7469732e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e7aef98290aab34c5bdeffbf332c930 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.6.254.189:1024, id=52, length=214 Framed-MTU = 1480 NAS-IP-Address = 10.6.254.189 NAS-Identifier = "ENNR" User-Name = "lsa@aog.nl" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-18-fe-57-b7-60" Calling-Station-Id = "00-d0-59-9d-9a-3c" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "138" State = 0x9e7aef98290aab34c5bdeffbf332c930 EAP-Message = 0x022300061500 Message-Authenticator = 0x4290459647a474c647d2bf8a6fef24f8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: Looking up realm "aog.nl" for User-Name = "lsa@aog.nl" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "lsa" rlm_realm: Proxying request from user lsa to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 35 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 Found Autz-Type asa Processing the authorize section of radiusd.conf modcall: entering group asa for request 4 radius_xlat: 'lsa' rlm_sql (asa): sql_set_user escaped user --> 'lsa' radius_xlat: 'SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' AND Actief = 1 ORDER BY UserID' rlm_sql (asa): Reserving sql socket id: 0 radius_xlat: '' radius_xlat: 'SELECT UserID,Usernaam,'Reply-Message' AS Attribute, Achternaam, '=' AS Op from bas_user WHERE Usernaam = 'lsa' AND Actief = 1 ORDER BY UserID ' radius_xlat: '' rlm_sql (asa): Released sql socket id: 0 modcall[authorize]: module "asa" returns ok for request 4 rlm_pap: Normalizing SHA-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group asa (returns ok) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 52 to 10.6.254.189 port 1024 Service-Type = Framed-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "132" Reply-Message = "Loonstra" EAP-Message = 0x012401731580000009696e6c312f302d06035504031326416d6172616e7469732052616469757320436572746966696361746520417574686f72697479820900d7489a39739dc2be300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100454dfc9bb4cbcf95b5f701246176fd230f70bea0564a0197a28047390ac07c4d77609834f9a422361f4ede51bd4ea30d051893ff236b6cc7b41c7499535829221400d18a177b680caff00689e1db909167f5d5331d5c239a164b9b0731ff047b8317771b5cd9a3d41b80b4be974c13d6718e2cbeed6de3f20b3c4828d76ddd3d22667f2bc119dae184b60fb0b4d9bf5377d1b0 EAP-Message = 0xc01469c020e470c2d300264d2eaed55c7d81257cc14baeba7df5f6b1b255603a91e6bdfa9c7ecccee3c2e370084d807db1e8bdb0113de9ad8a744601813b8c9a9819007d6ce46ace182c9b410274b8b6facd3b085ca4b8e07424aca602afc83df29e78cbe45d4c2de4e825595d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8645d7e4f090233c4a654c8cbbfec31e Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 48 with timestamp 4baa367f Cleaning up request 1 ID 49 with timestamp 4baa367f Cleaning up request 2 ID 50 with timestamp 4baa367f Cleaning up request 3 ID 51 with timestamp 4baa367f Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 52 with timestamp 4baa3680 Nothing to do. Sleeping until we see a request. -- View this message in context: http://old.nabble.com/Multiple-radius-servers-with-the-same-CA-tp28013061p28... Sent from the FreeRadius - User mailing list archive at Nabble.com.