eap_peap: fatal access_denied error

mustafa mujahid mustafa.mujahid at outlook.com
Thu Mar 9 09:53:27 CET 2017

Hi ,  So I re-created the certificates in the certs directory. I'm no longer getting the 'fatal access denied' error. but this time I got this after a along 11 page debug ouput:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state ...... did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I researched the link provided and seems that the client certificate requires the OID mentioned in xpextension file to be present in it. But what I don't understand is how can I incorporate this OID into the certificate. I created the certificates using the 'bootstrap' script in the certs directory

Should I manually run the commands present in the README file or should the make command automatically generate the certs and include the OID or would I have to do it.

   Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:

Right the above is a part of the client.crt file . Please guide me in this regard and excuse any lapse in understanding that I may have. By the way I attached a screen shot of the prompt I received on client machine when first authenticated.


From: Freeradius-Users <freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, March 8, 2017 10:05 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error

On Mar 8, 2017, at 12:53 PM, mustafa mujahid <mustafa.mujahid at outlook.com> wrote:
> Hello all, I've been trying to authentication LAN on Cisco 2960 Switch. I've done configurations with PAP but this is the first time working with EAP. I have run into a bit of an issue. I receive a 'fatal :access denied error' in the debug log while testing with a single client.  Radius version is 3.0.12

  Using google, the first link is:

GTACKnowledge - Clients cannot authenticate to NAC because ...<https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Certificate-problems>
Clients cannot authenticate to NAC because of TLS Alert Read: fatal access denied errors or missing FQDN name in certificate

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRADIUS -- users' list info<http://www.freeradius.org/list/users.html>
Users' List Information. The freeradius-users mailing list is for users of the FreeRADIUS server not Cistron's server! There are a few house-rules to which we'd like ...

More information about the Freeradius-Users mailing list