Error in the negotiations certificates
well! it worked! Now my problem is that since the notebook I get an error: "Server mistaken identity - failed authentication" The truth is that I followed the steps recommended me to create the certificates, the amount to the notebooks, but the error continues. that is, I know it is wrong license, but why?, what could be the problem?. This is the HOWTO that I follow. thank you very much for your time people, really. this is my log: rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=1, length=136 User-Name = "cert" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0xa1d37d14d3ca314db3216fe7ad3213e9 EAP-Message = 0x020100090163657274 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-IP-Address = 10.0.31.40 NAS-Identifier = "ap" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "cert", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry cert at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 1 to 10.0.31.40 port 1645 EAP-Message = 0x010200160410c2f88223fdf1eaa4f3067c04238d3721 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x828568e182876c44ecbe1a83334ff52d Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=2, length=151 User-Name = "cert" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0xc2fb1c2d823ddbcd52324d74a0b5fed2 EAP-Message = 0x02020006030d NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x828568e182876c44ecbe1a83334ff52d NAS-IP-Address = 10.0.31.40 NAS-Identifier = "ap" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "cert", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry cert at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/tls rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 2 to 10.0.31.40 port 1645 EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x828568e183866544ecbe1a83334ff52d Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=3, length=255 User-Name = "cert" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0x739c2fb445978b8fe22541c3b32fe49f EAP-Message = 0x0203006e0d8000000064160301005f0100005b030148fddd7b02ee2de9cfa41a003ff5314b24e0eda43acd15432391683003cfd6e500003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x828568e183866544ecbe1a83334ff52d NAS-IP-Address = 10.0.31.40 NAS-Identifier = "ap" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "cert", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 110 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry cert at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS TLS Length 100 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005f], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0839], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a0], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 3 to 10.0.31.40 port 1645 EAP-Message = 0x010404000dc000000b44160301004a02000046030148fddd7dc37e19076e351405e62f436a1922fb73cf30455f894e5c4190795ae0204a154ccf97bbead151eeaf459f681421a262c4556effa79a2002e054df616e9900390016030108390b000835000832000396308203923082027aa003020102020101300d06092a864886f70d010104050030818c310b3009060355040613024152311530130603550408130c4275656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c060355 EAP-Message = 0x04031315436572746966696361746520417574686f72697479301e170d3038313031363230313733315a170d3039313031363230313733315a3073310b3009060355040613024152311530130603550408130c4275656e6f73204169726573310e300c060355040a130549504c414e311b3019060355040313125365727665722043657274696669636174653120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e617230820122300d06092a864886f70d01010105000382010f003082010a0282010100e5ed708ad7629eb1a4406955fa12ca763e4d1a5264d13c13a59d82175ef6c50a8a7c145bfbba1b2ead6e65164759 EAP-Message = 0x742a02898ebd5795851b82f8488ea091ea5066dc89e6af059571af16716d3fb1a6e272e7f651b4b594d5bbc2a8d245790865da844926416a6356691dac17f9cca14b98c59fb70a690d85527b855796def90e81472a8eac1d25f59bb7daa3911f36aa8b98a8c33eadce40371ecae6f94bde99b0116973fe2376511d7e1377bfde2ba0056ee0824130884744e341851d8c10a2ed37ad726554c87b3bb138b6f77e0d7abe640d513bc062deb0c8a2e72c60afe7e2f00a0601b201f3b36c89c5eefb9d7fdd00a43109b8a3efd02a0c4b45f7d4b10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104 EAP-Message = 0x050003820101000971fc8236218044d0674241bd4bf450c5c11a72d13d8e3aeb7b37d89f2eca83f6ac0c2a08a541ad6995b86f21d158777cb8b55eebd5f74b2809b97aa64404f67fb3d00a10008ff3d8a92c37311536bc5d6d0fd62f4ad6bcddfcc9b96fe0db9a6087be315c360edbb6333d45817ef783f2fa31071b46613c601c29a1f6187e5dbe0f8abb01ea6fdf5eece6af36e7f25d0ab0c9ae05ca422a0c367fe97df9d7eefeec739c36e88c3631af892ab0bb76e248c3aaf7bfe240e60b8eb86d95b78cc81e959debbe37be439d2c68b010dc81e06705c4142db6f88820a9284a0f12bb128802591036617a64e21b1521960de4ad6339381ae8be EAP-Message = 0xaf5d9a281ecc5339e0450004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x828568e180816544ecbe1a83334ff52d Finished request 2. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=4, length=151 User-Name = "cert" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0x252416bab9b6b1d85b8af4b674df9148 EAP-Message = 0x020400060d00 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x828568e180816544ecbe1a83334ff52d NAS-IP-Address = 10.0.31.40 NAS-Identifier = "ap" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "cert", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry cert at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 4 to 10.0.31.40 port 1645 EAP-Message = 0x010504000dc000000b4496308204923082037aa003020102020900aa09a4eb699e73a6300d06092a864886f70d010105050030818c310b3009060355040613024152311530130603550408130c4275656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f72697479301e170d3038313031363230313733315a170d3038313131353230313733315a30818c310b3009060355040613024152311530130603550408130c42 EAP-Message = 0x75656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100af6a3a37df450bb00c1f30ecc060fc530881b40643e224fd853eb5e338789cb912bcecb071826a7ec4394c9c139948305fee4b3d0ac995414df5dcbda4d508af7305a7648462a0e9a11d2bdd9edb1ff348e9816035b6456edb77fa1eb0d32a778da12d839052a5fb18 EAP-Message = 0x133bf2bd62e9ad8f4923585ae3ae5f7d80b85ccb2473bd9230a9e55aa0d6938b5a41ed67fb734e20c48a4f2130b71ba5ae66c13faf5dabe29e005411fd43fef788bbc983d432a0264a995278edae38db7b32cfff8c14d9724cbc063e572bebafa57c2c7c2f972711a073f196dac82ccf3b4098d44dbcc72a7d1cffc0faa1be151dd771ded7e0815f66d10028859213044728146e9b9fb10203010001a381f43081f1301d0603551d0e041604142d644d4ab03c8babf1cec71991d94174579cdd423081c10603551d230481b93081b680142d644d4ab03c8babf1cec71991d94174579cdd42a18192a4818f30818c310b30090603550406130241523115 EAP-Message = 0x30130603550408130c4275656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f72697479820900aa09a4eb699e73a6300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010007dac509033ec6d101253a619dd68b1e9007f99b1516e4c743e7f144bc21d4231d1086f082432bec4309cded4a8190e99a6cb2ee55b2d83f1b3ef4dbf1ceb4cd1703825dc6fa7a6b3924b443911a9c5b7a035e EAP-Message = 0x7c10ed5223d868feea672798 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x828568e181806544ecbe1a83334ff52d Finished request 3. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=5, length=151 User-Name = "cert" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0xff9eb6ba3fc361ee417c8d591840b2ad EAP-Message = 0x020500060d00 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x828568e181806544ecbe1a83334ff52d NAS-IP-Address = 10.0.31.40 NAS-Identifier = "ap" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "cert", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry cert at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 5 to 10.0.31.40 port 1645 EAP-Message = 0x010603620d8000000b44154f0cb0744882ef4706ec8866c6430b2df368cefb2d469c6ba9206fd7841e146d9445d9d0da14ee2ea682cf574b6a118e729df9a84852718cb6802edd2169452bbc3509d6c7a68cc2b293aecf43a7a56a746da3b57865e8945c8531c39bd1f9ce0b576a0533c793e2787d98bf322b1d7b1f03e0b6cf82a6c80c4ca96b8bdd4a6a0ef2724a3034cc3c0f3e55bd2927a673f86ad6a8d55bd1d900ef1e73550440d3160301020d0c0002090080ad2df571269b93a787f80235487c28f730b4907620fed69ef713bb4f43d3579e11b02fbf45ab4e74cf79b5d447af0fe6805157482f2b5f8185c4cc59061e6882ab9e4dd6def073 EAP-Message = 0x6c0583158ab64a30e9a2de020c5e4f7a41b4c58149a9b110a6d3b521f30e96e82b2b43f2d0d1a699b6484f8c814f72d4fe8fc11d7943f2c6a300010200808d274ee97ca8a1539322ca1cc91663218998f3f246237c87d426f37ed5ca34e4219297a674b10bd0b2bad77050600c858d955abb3f5436b99f2182fb607330679a0fe893820631e51a809fe023f6e08c821c6eca3852849a5d73b5cf1dcd0b71ed6fbd57b0c492c83c313f2104812f2c5fa6ec3627ed7d2c87c0c8275fd2854f010007eb93c25d6e901a560299fc10a1b3ddb4f98c351a95f6442a02bb7ac314af82cc9d2e475c5e5fe0673fdddfe7962dca24183d4bc1e64738f0fb7ac4a5 EAP-Message = 0x1f2cf4ac73dfea488a0f4be5678893c1b0be7343f290ec5f5a9ccf4f93893aecb5ad34e5de809849e6d0e61a1ad2944c8d0905eafaf74c046f5e338ecd30b1f3bfd001dc8aff4772cb307e0d87f6a6753767c0d207525cba695cce41a7031596db606fe2c644a8607c31404d7e09336b02e640bc6fd3823871cc1294587936547522651f2d52fc1c4bbdbe5e637bda47b37ccd47e7c29f3f93533b3e7161343924ea63417efc93e16618ab84d87dc74a199dac734719e5db4faecf80ca10a56f0e581016030100a00d00009804030401020091008f30818c310b3009060355040613024152311530130603550408130c4275656e6f7320416972657331 EAP-Message = 0x1430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x828568e186836544ecbe1a83334ff52d Finished request 4. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=6, length=162 User-Name = "cert" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0x7cdb2e5ab2d1ba0debf2dbe363ba0b9e EAP-Message = 0x020600110d80000000071503010002022a NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x828568e186836544ecbe1a83334ff52d NAS-IP-Address = 10.0.31.40 NAS-Identifier = "ap" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "cert", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry cert at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS TLS Length 7 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. eaptls_process returned 13 rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> cert attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 6 to 10.0.31.40 port 1645 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 5.
Martin Silvero wrote:
Now my problem is that since the notebook I get an error: "Server mistaken identity - failed authentication" The truth is that I followed the steps recommended me to create the certificates, the amount to the notebooks, but the error continues.
Search the documentation for the OS on your laptop to find out what that error means.
that is, I know it is wrong license, but why?, what could be the problem?.
What license?
this is my log: ... rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate
Ok... the client doesn't like the server's certificate, and the server doesn't like the client's certificate. It looks like you didn't put the right certificates on the right machines. Alan DeKok.
participants (2)
-
Alan DeKok -
Martin Silvero