ppp and eap-tls

Frank frank at debian-nas.org
Wed Dec 28 15:47:51 CET 2011


Hi,

> -----Original Message-----
> From: Alan DeKok [mailto:aland at deployingradius.com]
> Sent: Wednesday, December 28, 2011 15:40
> To: FreeRadius users mailing list [mailto:freeradius-users at lists.freeradius.org]
> Subject: Re: ppp and eap-tls
> 
> Alan wrote:
> > I now get the following error in my radius log on an auth attempt:
> >
> > Error: TLS Alert write:fatal:decrypt error
> > Error:     TLS_accept: failed in SSLv3 read certificate verify B
> > Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> > Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> 
>   The client is broken.

Ok. The client is the built-in L2TP/IPSEC VPN client in MS Windows Vista.

> 
> > Now there's several issues:
> > - I don't know what I changed which caused this behaviour (maybe an
> > openssl update in Squeeze? Something changes in Windows Vista?)
> 
>   No.

It used to work fine with this client (MS Windows Vista L2TP/IPsec client).

> 
> > - the client certificates are valid (tested with openssl cli), and
> > work fine when using for WPA auth
> > - I don't really know what this error means
> > - I can't find a solution for it. I've tried: 2048 bit (vs. 4096 bit)
> > RSA certs and the extensions for XP for both the server and client
> > certs
> >
> > Again, the same certificates work fine for WPA auth
> 
>   Which doesn't use certificates.

This statement is confusing! I'm using freeradius for EAP-TLS auth and set up the client for WPA2 enterprise with EAP-TLS. If this is not using certificates for authentication, then what is it using?

> 
> > I hope someone can shed some light onto this issue, or how to pin
> > down the exact cause of the 'rsa
> > routines:RSA_padding_check_PKCS1_type_1:block type is not 01' error.
> 
>   Find out which client it is.  Mac?  Windows?

MS Windows Vista, built-in L2TP/IPSEC client, ppp authentication set to EAP-TLS.
> 
>   Alan DeKok.

Regards,
Frank




