eap_peap: TLS Alert read:fatal:unknown CA
Hello everybody, I didn't find a thread with exactly my problem, so I start a new thread. I'm having problem with new certs in my freeradius server. I did what README file but didn't work for me. in radiusd -X log I see this: (14) Received Access-Request Id 143 from 192.168.100.149:43928 to 10.0.130.23:1812 length 343 (14) User-Name = "usuario" (14) Called-Station-Id = "C4-E9-84-91-2E-FE:OpenWrt" (14) NAS-Port-Type = Wireless-802.11 (14) NAS-Port = 1 (14) Calling-Station-Id = "28-56-5A-0B-6D-83" (14) Connect-Info = "CONNECT 54Mbps 802.11g" (14) Acct-Session-Id = "59BA907E-00000018" (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-Group-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027073 (14) Framed-MTU = 1400 (14) EAP-Message = 0x02e70090198000000086160301004610000042410492d1ad5ac120e777664ce20c7c650f4e41bc63a2eca81c1dbe4823c38737e4b81569bf9ec7f238534875e6f5b1525501127a1b9d59f780572d294986bb2f82091403010001011603010030d0e814aba78d0c8affc8aca00d5577364bcf5880d8616f (14) State = 0x64dfe0536738f990f317a982d66da244 (14) Message-Authenticator = 0x5340ff52aba979858d1a8e7d661ac258 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/raddb/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (!&User-Name) { (14) if (!&User-Name) -> FALSE (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@.*@/ ) { (14) if (&User-Name =~ /@.*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "usuario", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 231 length 144 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/raddb/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x64dfe0536738f990 (14) eap: Finished EAP session with state 0x64dfe0536738f990 (14) eap: Previous EAP request found for state 0x64dfe0536738f990, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer indicated complete TLS record size will be 134 bytes (14) eap_peap: Got complete TLS record (134 bytes) (14) eap_peap: [eaptls verify] = length included (14) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (14) eap_peap: TLS_accept: SSLv3 read client key exchange A (14) eap_peap: TLS_accept: SSLv3 read certificate verify A (14) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (14) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (14) eap_peap: TLS_accept: SSLv3 read finished A (14) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (14) eap_peap: TLS_accept: SSLv3 write change cipher spec A (14) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (14) eap_peap: TLS_accept: SSLv3 write finished A (14) eap_peap: TLS_accept: SSLv3 flush data (14) eap_peap: (other): SSL negotiation finished successfully (14) eap_peap: SSL Connection Established (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 232 length 65 (14) eap: EAP session adding &reply:State = 0x64dfe0536037f990 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /etc/raddb/sites-enabled/default (14) Sent Access-Challenge Id 143 from 10.0.130.23:1812 to 192.168.100.149:43928 length 0 (14) EAP-Message = 0x01e80041190014030100010116030100307ed7fccb2ae6411aaf4df33748b8b02954729256ddd506ace2d362f9cd28c4e05489136e8cbd84abb28b3d0921f1300a (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x64dfe0536037f990f317a982d66da244 (14) Finished request (14) Cleaning up request packet ID 143 with timestamp +187 Ready to process requests up to here, everything seems right. but when I start service, in service log I see this: Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) Thu Sep 14 14:09:13 2017 : Auth: (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [usuario] (from client wrtnicolas.fder port 1 cli 28-56-5A-0B-6D-83) any help will be wellcome. saludos/greetings Nicolás.
On Sep 14, 2017, at 2:12 PM, Nicolás Guerra <ngr@vera.com.uy> wrote:
Hello everybody, I didn't find a thread with exactly my problem, so I start a new thread.
We generally recommend starting new threads.
I'm having problem with new certs in my freeradius server.
I did what README file but didn't work for me.
Follow my guide: http://deployingradius.com/
up to here, everything seems right. but when I start service, in service log I see this:
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) Thu Sep 14 14:09:13 2017 : Auth: (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [usuario] (from client wrtnicolas.fder port 1 cli 28-56-5A-0B-6D-83)
That is likely a different client machine. And one which doesn't have the CA certificate installed.
any help will be wellcome.
Install the CA certificate on all client machines which need to authenticate. Alan Dekok.
that did the trick! thank you a lot! I copied ca.pem from freeradius server to the client's /etc/ssl/certs/ directory. is this the correct place to place the ca.pem file? I was confused because cellphones (Android, IPhones and Windows phones), and windows notebooks worked fine without the ca.pem any idea how can I config my Linux distro to conect without ca.pem? thanks again saludos/greetings, Nicolás.
NOT knowing correct CA...ie just clicking 'accept' on a prompt , is a major security issue. On 14 September 2017 at 19:53, Nicolás Guerra <ngr@vera.com.uy> wrote:
that did the trick! thank you a lot!
I copied ca.pem from freeradius server to the client's /etc/ssl/certs/ directory. is this the correct place to place the ca.pem file?
I was confused because cellphones (Android, IPhones and Windows phones), and windows notebooks worked fine without the ca.pem
any idea how can I config my Linux distro to conect without ca.pem?
thanks again
saludos/greetings, Nicolás. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 14, 2017, at 2:53 PM, Nicolás Guerra <ngr@vera.com.uy> wrote:
that did the trick! thank you a lot!
You're welcome.
I copied ca.pem from freeradius server to the client's /etc/ssl/certs/ directory. is this the correct place to place the ca.pem file?
If it works... TBH, there are just too many different client systems for us to know how to configure all of them.
I was confused because cellphones (Android, IPhones and Windows phones), and windows notebooks worked fine without the ca.pem
They don't. You had to accept it manually. Which isn't recommended.
any idea how can I config my Linux distro to conect without ca.pem?
You don't. You provision the CA certificate to them via some other method. e.g. administrator intervention. And yes, this is a PITA. There is no standard way to put WiFi / CA configuration onto a system. And none of the vendors care that it' s a problem. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Nicolás Guerra