Hi, I installed and configured a server Radius and it worked successfully until last week when it began to show the following message This is the error message I got /Thu Dec 10 15:46:14 2015 : Error: TLS Alert read:fatal:handshake failure // //Thu Dec 10 15:46:14 2015 : Error: TLS_accept: failed in SSLv3 read client certificate A // //Thu Dec 10 15:46:14 2015 : Error: rlm_eap: SSL error error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure // //Thu Dec 10 15:46:14 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. // //Thu Dec 10 15:46:14 2015 : Auth: Login incorrect (TLS Alert read:fatal:handshake failure): [mguerri] (from client AP_RAU_red_2 port 17 cli 10 // //-A5-D0-3A-5B-79) Usuario Rechazado / Here goes the version I have installed /OpenSSL> version // //OpenSSL 0.9.8s xx XXX xxxx // //// //radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Nov 8 2011 at 19:52:18// / Thanks in advance Mario Guerri Maglia
On Dec 16, 2015, at 10:22 AM, Mario Guerri Maglia <mario.guerri@seciu.edu.uy> wrote:
I installed and configured a server Radius and it worked successfully until last week when it began to show the following message This is the error message I got
/Thu Dec 10 15:46:14 2015 : Error: TLS Alert read:fatal:handshake failure // //Thu Dec 10 15:46:14 2015 : Error: TLS_accept: failed in SSLv3 read client certificate A // //Thu Dec 10 15:46:14 2015 : Error: rlm_eap: SSL error error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure // //Thu Dec 10 15:46:14 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. // //Thu Dec 10 15:46:14 2015 : Auth: Login incorrect (TLS Alert read:fatal:handshake failure): [mguerri] (from client AP_RAU_red_2 port 17 cli 10 // //-A5-D0-3A-5B-79) Usuario Rechazado /
You need to copy the CA certificate used by the server, and install it on the client. Follow the EAP instructions on my web page: http://deployingradius.com/ It *will* work. Alan DeKok.
Hi, sadly the hints you gave me didn't work. First of all I must say I'm a new user of FreeRadius, so I'll try to give a detailed explanation of my problem. In the begining the radius was functioning ok, the authentication was ok, it consulted the LDAP and if the user was right, the user could connect to the Wi-Fi. We had few defined users and for many weeks nobody connected to it. After that we tried to connect again and this error message appeared: Tue Nov 17 11:26:04 2015 : Error: TLS Alert read:fatal:handshake failure Tue Nov 17 11:26:04 2015 : Error: TLS_accept: failed in SSLv3 read client certificate A Tue Nov 17 11:26:04 2015 : Error: rlm_eap: SSL error error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure Tue Nov 17 11:26:04 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. Tue Nov 17 11:26:04 2015 : Auth: Login incorrect (TLS Alert read:fatal:handshake failure): [mguerri] (from client AP_RAU_red_2 port 8 cli CC-AF-78-2B-9F-65) Usuario Rechazado So now the users can't connect, more precisely some devices can't connect. For example some notebooks with Ubuntu 14.04 and newer mobile phones with android. But on the other hand some older movile phones with android can connect to the Wi-Fi, the user is validated. Previously to write to the list I found in the Internet the problem was related to the size of the certification and the solution was to generate cerfication of 2048 size. Because ours were of 1024. I changed it the size to 2048 and after that I did these: openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem openssl req -new -keyout radius.key -out radius.seciu.edu.uy.csr -days 3650 openssl ca -policy policy_anything -out radius.seciu.edu.uy.crt -extensions xpserver_ext -extfile xpextensions -infiles radius.seciu.edu.uy.csr openssl x509 -inform PEM -outform DER -in cacert.pem -out ca.der openssl dhparam -check -text -5 512 -out dh dd if=/dev/urandom of=random count=2 But it didn't function, the message is the same. I did what you told me to do, I passed cacert.pem, radius.key and radius.seciu.edu.uy.crt to the client. But I got the same error message. I don't realize what am I doing wrong... Hope you can help me, thanks in advance Mario
On Dec 22, 2015, at 10:41 AM, Mario Guerri Maglia <mario.guerri@seciu.edu.uy> wrote:
sadly the hints you gave me didn't work.
Did you follow the instructions? If so, *which step* failed? Simply saying "it didn't work" is unhelpful.
First of all I must say I'm a new user of FreeRadius, so I'll try to give a detailed explanation of my problem.
That's good. But I pointed you to detailed documentation which says how to get this to work. Did you follow it?
In the begining the radius was functioning ok, the authentication was ok, it consulted the LDAP and if the user was right, the user could connect to the Wi-Fi. We had few defined users and for many weeks nobody connected to it.
After that we tried to connect again and this error message appeared:
Which you already said. There's no need to post it again.
Previously to write to the list I found in the Internet the problem was related to the size of the certification and the solution was to generate cerfication of 2048 size. Because ours were of 1024. I changed it the size to 2048 and after that I did these:
The directory raddb/certs contains configuration files and scripts which create new certificates. Did you use them? Apparently not.
But it didn't function, the message is the same.
Running server-side OpenSSL scripts doesn't change the client configuration.
I did what you told me to do, I passed cacert.pem, radius.key and radius.seciu.edu.uy.crt to the client. But I got the same error message. I don't realize what am I doing wrong...
You need to follow the instructions *exactly*. And if something goes wrong, say *which* step is going wrong. Alan DeKok.
Hi,
I did what you told me to do, I passed cacert.pem, radius.key and radius.seciu.edu.uy.crt to the client. But I got the same error message.
you gave the clien the radius server cert AND key?? :( time to make some new certs for the server all you need to provide the clients with is the CA - that can be done via them installing it (and if you have done background reading you'll know what certificate store the CA needs to be put into). the current release of FreeRADIUS has all the correct certificate attributes you need for all modern clients to be happy. client config - ensure CA installed and choose from the CA list, ensure that check CN is enabled and the CommonName (from the certificate of the RADIUS server) is put in (this MAY be its DNS name too but so long as it matches the CN of the server cert you are okay). now just correct username/password. done alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Mario Guerri Maglia