No luck connecting from a ZyXEL NWA3160-N AP
Erich Titl
erich.titl at think.ch
Fri Nov 2 16:36:12 CET 2012
Hi Phil
on 02.11.2012 16:10, Phil Mayers wrote:
> On 02/11/12 14:56, Erich Titl wrote:
>
>> authenticating against a MySQL database appears to work fine using
>> radtest
>
> This is not really a good test. radtest is sending "pap".
>
> Download the "wpa_supplicant" sources and compile "eapol_test".
>
>> I connected a ZyXEL NWA 3160-N (latest Firmware), generated a
>> certificate request, signed it using XCA and reimported it on the AP.
>
> Why does the AP need a cert?
IMHO it does not, but it has one
>
>> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert read:fatal:unknown CA
>> TLS_accept: failed in SSLv3 read client certificate A
>> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca
>> .....
>>
>> There appears to be something wrong with the client certificate passed
>> by the AP in the eap conversation. I double-checked the certificates and
>> googled my fingers raw on this.
>
> No. This is a message *from* the client saying it doesn't trust the
> *radius server* certificate.
Ahhhh... very interesting, so the client rejects the certificate
>
> You haven't imported your CA on the client properly.
>
Mhhhh.... sounds reasonable, just that the AP does not appear to want to
import the CA cert, because it wants a corresponding cert request.
Thanks a lot, this appears to be just the push that I needed.
Erich
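
Added example, not part of the original message or of FreeRADIUS: a small Python triage helper that reads debug lines like the ones quoted above and reports which side raised a TLS alert. It assumes that "<<<" and "read" mark an alert received from the peer, as in the quoted log, and that ">>>" and "write" mark an alert sent by the server; the function names and the third sample line are made up for illustration.

```python
import re

# "<<<" and "read" mark an alert received from the peer, as in the log quoted
# in the thread; ">>>" and "write" are assumed to mark alerts the server sent.
MSG_RE = re.compile(r"(<<<|>>>) TLS \S+ Alert \[length \w+\], (fatal|warning) (\w+)")
INFO_RE = re.compile(r"TLS Alert (read|write):(fatal|warning):(.+)")

def triage(lines):
    """Return one finding per alert line: who raised it, level, alert name."""
    findings = []
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            raised_by = "peer" if m.group(1) == "<<<" else "server"
        else:
            m = INFO_RE.search(line)
            if not m:
                continue  # not an alert line
            raised_by = "peer" if m.group(1) == "read" else "server"
        # Normalise "unknown CA" and "unknown_ca" to one spelling.
        name = m.group(3).strip().lower().replace(" ", "_")
        findings.append({"raised_by": raised_by, "level": m.group(2), "alert": name})
    return findings

def explain(finding):
    """Map a finding to the reading given in the thread."""
    if finding["alert"] == "unknown_ca" and finding["raised_by"] == "peer":
        return "client does not trust the RADIUS server certificate: import the CA on the client"
    if finding["alert"] == "unknown_ca":
        return "server does not trust the certificate presented by the client"
    return "alert %s raised by %s" % (finding["alert"], finding["raised_by"])

# Constructed sample: the first two lines are taken from the quoted log,
# the third is made up to show the opposite direction.
SAMPLE = [
    ">> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca",
    ">> TLS Alert read:fatal:unknown CA",
    "[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["raised_by"], f["level"], f["alert"], "->", explain(f))
```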