Problem with handshake
Mario Guerri Maglia
mario.guerri at seciu.edu.uy
Tue Dec 22 16:41:55 CET 2015
Hi,
sadly the hints you gave me didn't work.
First of all I must say I'm a new user of FreeRADIUS, so I'll try to
give a detailed explanation of my problem.
In the beginning the radius was functioning ok, the authentication was
ok, it consulted the LDAP and if the user was right, the user could
connect to the Wi-Fi. We had few defined users and for many weeks nobody
connected to it.
After that we tried to connect again and this error message appeared:
Tue Nov 17 11:26:04 2015 : Error: TLS Alert read:fatal:handshake failure
Tue Nov 17 11:26:04 2015 : Error: TLS_accept: failed in SSLv3 read client certificate A
Tue Nov 17 11:26:04 2015 : Error: rlm_eap: SSL error error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Tue Nov 17 11:26:04 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Tue Nov 17 11:26:04 2015 : Auth: Login incorrect (TLS Alert read:fatal:handshake failure): [mguerri] (from client AP_RAU_red_2 port 8 cli CC-AF-78-2B-9F-65) Usuario Rechazado
So now the users can't connect, more precisely some devices can't
connect. For example some notebooks with Ubuntu 14.04 and newer mobile
phones with Android. But on the other hand some older mobile phones with
Android can connect to the Wi-Fi, the user is validated.
Before writing to the list I found on the Internet that the problem was
related to the size of the certificate and that the solution was to
generate certificates of size 2048, because ours were 1024. I changed
the size to 2048 and after that I did these:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
openssl req -new -keyout radius.key -out radius.seciu.edu.uy.csr -days 3650
openssl ca -policy policy_anything -out radius.seciu.edu.uy.crt -extensions xpserver_ext -extfile xpextensions -infiles radius.seciu.edu.uy.csr
openssl x509 -inform PEM -outform DER -in cacert.pem -out ca.der
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
But it didn't function, the message is the same.
I did what you told me to do, I passed cacert.pem, radius.key and
radius.seciu.edu.uy.crt to the client. But I got the same error message.
I don't realize what I am doing wrong...
Hope you can help me, thanks in advance
Mario
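
Added example, not part of the original message: a small Python triage of radius.log Auth lines in the format quoted above, grouping TLS handshake failures by client MAC (the cli field) to list the devices that never authenticate. The sample log lines, user names, AP names and MAC addresses are constructed, and the "Login OK" line format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the message.
# Users, AP names, MACs and the "Login OK" lines are made up for illustration.
# Real log lines must be unwrapped (one event per line) before parsing.
SAMPLE_LOG = """\
Tue Nov 17 11:26:04 2015 : Error: TLS Alert read:fatal:handshake failure
Tue Nov 17 11:26:04 2015 : Auth: Login incorrect (TLS Alert read:fatal:handshake failure): [user1] (from client AP_example_1 port 8 cli 02-00-00-00-00-01) Usuario Rechazado
Tue Nov 17 11:27:10 2015 : Auth: Login OK: [user2] (from client AP_example_1 port 3 cli 02-00-00-00-00-02)
Tue Nov 17 11:29:41 2015 : Auth: Login incorrect (TLS Alert read:fatal:handshake failure): [user1] (from client AP_example_2 port 1 cli 02-00-00-00-00-01) Usuario Rechazado
Tue Nov 17 11:31:02 2015 : Auth: Login incorrect (TLS Alert read:fatal:handshake failure): [user3] (from client AP_example_2 port 5 cli 02-00-00-00-00-03) Usuario Rechazado
Tue Nov 17 11:33:15 2015 : Auth: Login OK: [user3] (from client AP_example_2 port 6 cli 02-00-00-00-00-04)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<mac>[0-9A-Fa-f:-]+))?\)"
)

def parse_auth(log_text):
    """Yield one dict per Auth line; other lines (Error:, Info:) are skipped."""
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.groupdict()

def handshake_report(log_text):
    """Per client MAC: count TLS handshake failures and successful logins."""
    stats = defaultdict(lambda: {"tls_fail": 0, "ok": 0, "users": set()})
    for ev in parse_auth(log_text):
        entry = stats[(ev["mac"] or "unknown").upper()]
        entry["users"].add(ev["user"])
        if ev["result"] == "OK":
            entry["ok"] += 1
        elif "handshake failure" in (ev["reason"] or ""):
            entry["tls_fail"] += 1
    return dict(stats)

def always_failing(report):
    """MACs with handshake failures and no successful login at all."""
    return sorted(m for m, s in report.items() if s["tls_fail"] and not s["ok"])

if __name__ == "__main__":
    rep = handshake_report(SAMPLE_LOG)
    for mac in always_failing(rep):
        print(mac, rep[mac]["tls_fail"], sorted(rep[mac]["users"]))
```

The MACs it lists are the devices whose TLS client configuration and supported parameters are worth comparing against the ones that log in.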