Hi,
-----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: Wednesday, December 28, 2011 15:40 To: FreeRadius users mailing list [mailto:freeradius-users@lists.freeradius.org] Subject: Re: ppp and eap-tls
Alan wrote:
I now get the following error in my radius log on an auth attempt:
Error: TLS Alert write:fatal:decrypt error Error: TLS_accept: failed in SSLv3 read certificate verify B Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
The client is broken.
Ok. The client is the build-in L2TP/IPSEC VPN client in MS Windows Vista
Now there's several issues: - I don't know what I changed which caused this behaviour (maybe an openssl update in Squeeze? Something changes in Windows Vista?)
No.
It used to work fine with this client (MS Windows Vista L2TP/IPsec client)
- the client certificates are valid (tested with openssl cli), and work fine when using for WPA auth - I don't really know what this error means - I can't find a solution for it. I've tried: 2048 bit (vs. 4096 bit) RSA certs and the extensions for XP for both the server and client certs
Again, the same certificates work fine for WPA auth
Which doesn't use certificates.
This statement is confusing! I'm using freeradius for EAP-TLS auth and set up the client for WPA2 enterprise with EAP-TLS. If this is not using certificates for authentication, then what is it using?
I hope someone can shed some light onto this issue, or how to pin down the exact cause of the 'rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01' error.
Find out which client it is. Mac? Windows?
MS Windows Vista, build-in L2TP/IPSEC client, ppp authentication set to EAP-TLS.
Alan DeKok.
Regards, Frank
Frank wrote:
This statement is confusing! I'm using freeradius for EAP-TLS auth and set up the client for WPA2 enterprise with EAP-TLS. If this is not using certificates for authentication, then what is it using?
<sigh> WPA != "WPA2 enterprise" You're confused because you're confusing two different things.
MS Windows Vista, build-in L2TP/IPSEC client, ppp authentication set to EAP-TLS.
Alan DeKok.
Well, that should work. And no, it's not a FreeRADIUS issue. Alan DeKok.
Hi,
-----Original Message----- From: freeradius-users-bounces+frank=debian- nas.org@lists.freeradius.org [mailto:freeradius-users- bounces+frank=debian-nas.org@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, December 28, 2011 16:58 To: FreeRadius users mailing list Subject: Re: ppp and eap-tls
Frank wrote:
This statement is confusing! I'm using freeradius for EAP-TLS auth and set up the client for WPA2 enterprise with EAP-TLS. If this is not using certificates for authentication, then what is it using?
<sigh> WPA != "WPA2 enterprise"
You're confused because you're confusing two different things.
Ah, I'm awfully sorry for not correctly using the relevant terminology. I suppose most people could guess I was talking about WPA2 enterprise when I mentioned EAP-TLS for wireless authentication.
MS Windows Vista, build-in L2TP/IPSEC client, ppp authentication set to EAP-TLS.
Alan DeKok.
Well, that should work.
And no, it's not a FreeRADIUS issue.
Ok the problem here is that it is not working (hence my post to this mailing-list). For it not being a Freeradius issue: I didn't expect it to be. In fact, my suspicion was openssl or the connecting Windows Vista client. I'm posting to this list because I hope that other users of FreeRADIUS have experienced the same issue and might know of a way to solve it. Maybe there's others who use FreeRADIUS in the same scenario (EAP-TLS auth for ppp in a L2TP/IPSEC VPN). Regards, Frank
Frank wrote:
Ah, I'm awfully sorry for not correctly using the relevant terminology. I suppose most people could guess I was talking about WPA2 enterprise when I mentioned EAP-TLS for wireless authentication.
No. WPA has a defined meaning, independent of WPA2. It's like telling a mechanic your car won't go because it has a flat tire. Then when he looks as sees 4 working tires, going "well, it's out of gas, but you know what I mean".
Ok the problem here is that it is not working (hence my post to this mailing-list). For it not being a Freeradius issue: I didn't expect it to be. In fact, my suspicion was openssl or the connecting Windows Vista client.
I'm posting to this list because I hope that other users of FreeRADIUS have experienced the same issue and might know of a way to solve it. Maybe there's others who use FreeRADIUS in the same scenario (EAP-TLS auth for ppp in a L2TP/IPSEC VPN).
Search the list archives. That error has never been seen before. Alan DeKok.
Alan DeKok wrote:
Frank wrote:
Ah, I'm awfully sorry for not correctly using the relevant terminology. I suppose most people could guess I was talking about WPA2 enterprise when I mentioned EAP-TLS for wireless authentication.
No. WPA has a defined meaning, independent of WPA2.
FWIW, he's emailed me off-list calling me pedantic / grammar nazi / mentally ill for correcting his terminology, and asking him to use the correct terminology. <shrug> I'll take pedantic, as correct terminology *does* matter. In any case, he no longer will be confronted with people who ask him to clarify his position. He's been unsubscribed. Alan DeKok.
participants (2)
-
Alan DeKok -
Frank