EAP-TTLS: Access Reject comes randomly from AAA
Dear All, I am using EAP-TTLS authentication mechanism for between WiMAX client and AAA on Linux environment During EAP negotiation phase following steps are successfully completed. 1. Identity exchange 2. Server/Client EAP-TTLS start 3. Client Hello 4. Server Hello-Server Certificate-Server Key Exchange-Server Hello Done EAP_Failure is coming consistently during "Client Key Exchange phase". This issue is coming consistently for multiple clients during Network Entry. Following is the error from AAA. 2012/06/04 15:52:41:686525 : <FREERADIUS LOG> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca 2012/06/04 15:52:41:686541 : <FREERADIUS LOG> TLS Alert read:fatal:unknown CA 2012/06/04 15:52:41:686559 : <FREERADIUS LOG> TLS_accept:failed in SSLv3 read client certificate A 2012/06/04 15:52:41:686579 : <FREERADIUS LOG> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca 2012/06/04 15:52:41:686593 : <FREERADIUS LOG> rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. 2012/06/04 15:52:41:686605 : <FREERADIUS LOG> eaptls_process returned 13 2012/06/04 15:52:41:686618 : <FREERADIUS LOG> rlm_eap: Freeing handler 2012/06/04 15:52:41:686650 : <FREERADIUS LOG> ++[eap] returns reject 2012/06/04 15:52:41:686663 : <FREERADIUS LOG> auth: Failed to validate the user. 2012/06/04 15:52:41:686688 : [TX] Access-Reject To resolve this issue, your timely help will be appreciated. Thanks ! Rathod. Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
Rathod Subhashchandra wrote:
This issue is coming consistently for multiple clients during Network Entry.
So read the debug log. It isn't hard.
2012/06/04 15:52:41:686559 : <FREERADIUS LOG> TLS_accept:failed in SSLv3 read client certificate A 2012/06/04 15:52:41:686579 : <FREERADIUS LOG> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"Unknown CA". Perhaps that means something.
To resolve this issue, your timely help will be appreciated.
This is a free mailing list. Asking for "timely help" is not appropriate. Alan DeKok.
Hi... just check the mail with subject: *"generating ssl certs in debian squeeze"* , it may help Thank You On 20 October 2012 18:42, Alan DeKok <aland@deployingradius.com> wrote:
Rathod Subhashchandra wrote:
This issue is coming consistently for multiple clients during Network Entry.
So read the debug log. It isn't hard.
2012/06/04 15:52:41:686559 : <FREERADIUS LOG> TLS_accept:failed in SSLv3 read client certificate A 2012/06/04 15:52:41:686579 : <FREERADIUS LOG> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"Unknown CA". Perhaps that means something.
To resolve this issue, your timely help will be appreciated.
This is a free mailing list. Asking for "timely help" is not appropriate.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2012/06/04 15:52:41:686525 : <FREERADIUS LOG> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
This means WiMAX supplicant sends TLS Alert message. This is because supplicant do not trust CA that have issued AAA server certificate. CA certificate of the CA that have issued AAA server certificate should be installed on WiMAX supplicant into list of "trusted root CA certificates".
participants (4)
-
Alan DeKok -
Iliya Peregoudov -
Rathod Subhashchandra -
val john