Error in the negotiations certificates

Martin Silvero silvero.martin at gmail.com
Tue Oct 21 16:08:27 CEST 2008


Well! It worked!

Now my problem is that from the notebook I get an error: "Server mistaken
identity - failed authentication".
The truth is that I followed the steps recommended to me to create the
certificates, the amount to the notebooks, but the error continues.

That is, I know it is a wrong license, but why? What could be the problem?

This is the HOWTO that I follow.

Thank you very much for your time, people, really.


This is my log:




rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=1,
length=136
        User-Name = "cert"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0xa1d37d14d3ca314db3216fe7ad3213e9
        EAP-Message = 0x020100090163657274
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 257
        NAS-IP-Address = 10.0.31.40
        NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.0.31.40 port 1645
        EAP-Message = 0x010200160410c2f88223fdf1eaa4f3067c04238d3721
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x828568e182876c44ecbe1a83334ff52d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=2,
length=151
        User-Name = "cert"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0xc2fb1c2d823ddbcd52324d74a0b5fed2
        EAP-Message = 0x02020006030d
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 257
        State = 0x828568e182876c44ecbe1a83334ff52d
        NAS-IP-Address = 10.0.31.40
        NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.0.31.40 port 1645
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x828568e183866544ecbe1a83334ff52d
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=3,
length=255
        User-Name = "cert"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0x739c2fb445978b8fe22541c3b32fe49f
        EAP-Message =
0x0203006e0d8000000064160301005f0100005b030148fddd7b02ee2de9cfa41a003ff5314b24e0eda43acd15432391683003cfd6e500003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 257
        State = 0x828568e183866544ecbe1a83334ff52d
        NAS-IP-Address = 10.0.31.40
        NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 110
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 100
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 005f], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0839], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a0], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.0.31.40 port 1645
        EAP-Message =
        EAP-Message =
        EAP-Message =
0x742a02898ebd5795851b82f8488ea091ea5066dc89e6af059571af16716d3fb1a6e272e7f651b4b594d5bbc2a8d245790865da844926416a6356691dac17f9cca14b98c59fb70a690d85527b855796def90e81472a8eac1d25f59bb7daa3911f36aa8b98a8c33eadce40371ecae6f94bde99b0116973fe2376511d7e1377bfde2ba0056ee0824130884744e341851d8c10a2ed37ad726554c87b3bb138b6f77e0d7abe640d513bc062deb0c8a2e72c60afe7e2f00a0601b201f3b36c89c5eefb9d7fdd00a43109b8a3efd02a0c4b45f7d4b10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104
        EAP-Message =
        EAP-Message = 0xaf5d9a281ecc5339e0450004
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x828568e180816544ecbe1a83334ff52d
Finished request 2.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=4,
length=151
        User-Name = "cert"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0x252416bab9b6b1d85b8af4b674df9148
        EAP-Message = 0x020400060d00
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 257
        State = 0x828568e180816544ecbe1a83334ff52d
        NAS-IP-Address = 10.0.31.40
        NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 10.0.31.40 port 1645
        EAP-Message =
        EAP-Message =
0x75656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100af6a3a37df450bb00c1f30ecc060fc530881b40643e224fd853eb5e338789cb912bcecb071826a7ec4394c9c139948305fee4b3d0ac995414df5dcbda4d508af7305a7648462a0e9a11d2bdd9edb1ff348e9816035b6456edb77fa1eb0d32a778da12d839052a5fb18
        EAP-Message =
        EAP-Message =
0x30130603550408130c4275656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f72697479820900aa09a4eb699e73a6300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010007dac509033ec6d101253a619dd68b1e9007f99b1516e4c743e7f144bc21d4231d1086f082432bec4309cded4a8190e99a6cb2ee55b2d83f1b3ef4dbf1ceb4cd1703825dc6fa7a6b3924b443911a9c5b7a035e
        EAP-Message = 0x7c10ed5223d868feea672798
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x828568e181806544ecbe1a83334ff52d
Finished request 3.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=5,
length=151
        User-Name = "cert"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0xff9eb6ba3fc361ee417c8d591840b2ad
        EAP-Message = 0x020500060d00
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 257
        State = 0x828568e181806544ecbe1a83334ff52d
        NAS-IP-Address = 10.0.31.40
        NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 5 to 10.0.31.40 port 1645
        EAP-Message =
        EAP-Message =
        EAP-Message =
0x1f2cf4ac73dfea488a0f4be5678893c1b0be7343f290ec5f5a9ccf4f93893aecb5ad34e5de809849e6d0e61a1ad2944c8d0905eafaf74c046f5e338ecd30b1f3bfd001dc8aff4772cb307e0d87f6a6753767c0d207525cba695cce41a7031596db606fe2c644a8607c31404d7e09336b02e640bc6fd3823871cc1294587936547522651f2d52fc1c4bbdbe5e637bda47b37ccd47e7c29f3f93533b3e7161343924ea63417efc93e16618ab84d87dc74a199dac734719e5db4faecf80ca10a56f0e581016030100a00d00009804030401020091008f30818c310b3009060355040613024152311530130603550408130c4275656e6f7320416972657331
        EAP-Message =
0x1430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f726974790e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x828568e186836544ecbe1a83334ff52d
Finished request 4.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=6,
length=162
        User-Name = "cert"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0x7cdb2e5ab2d1ba0debf2dbe363ba0b9e
        EAP-Message = 0x020600110d80000000071503010002022a
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 257
        State = 0x828568e186836544ecbe1a83334ff52d
        NAS-IP-Address = 10.0.31.40
        NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 6 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 7
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
bad certificate
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> cert
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 6 to 10.0.31.40 port 1645
        EAP-Message = 0x04060004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5.
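
Added example, not part of the original post and not FreeRADIUS code: a small decoder for the short EAP-Message values in the log above. It shows that the fatal bad_certificate alert arrives inside an EAP Response, so it is sent by the supplicant side of the exchange. The function and table names are illustrative, and the alert table is a subset.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}  # subset only

# EAP-Message values copied from the log above, in order of appearance.
LOG_MESSAGES = ["0x020100090163657274", "0x02020006030d", "0x010300060d20",
                "0x020400060d00", "0x020600110d80000000071503010002022a",
                "0x04060004"]

def decode_eap(hex_value):
    """Decode one EAP-Message attribute value into a dict of its fields."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match the data")
    out = {"code": EAP_CODES.get(code, code), "id": ident}
    if length == 4:                      # Success/Failure carry no type field
        return out
    etype, body = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif etype == 3:                     # Nak lists the methods the peer accepts
        out["wants"] = [EAP_TYPES.get(t, t) for t in body]
    elif etype == 13 and body:
        flags, tls = body[0], body[1:]
        out["start"] = bool(flags & 0x20)            # S bit
        out["more_fragments"] = bool(flags & 0x40)   # M bit
        if flags & 0x80:                             # L bit: 4-byte TLS length
            if len(tls) < 4:
                raise ValueError("L flag set but length field missing")
            out["tls_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        out["ack"] = not tls and not out["start"]    # empty body = fragment ACK
        # Cleartext alert record: type 0x15, version, length 2, level, description
        if len(tls) == 7 and tls[0] == 0x15 and tls[3:5] == b"\x00\x02":
            out["alert"] = (ALERT_LEVELS.get(tls[5], tls[5]),
                            ALERT_DESCS.get(tls[6], tls[6]))
    return out

if __name__ == "__main__":
    for value in LOG_MESSAGES:
        print(value, "->", decode_eap(value))
```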