eap_peap: fatal access_denied error

mustafa mujahid mustafa.mujahid at outlook.com
Thu Mar 9 10:53:00 CET 2017


PFA.

________________________________
From: Freeradius-Users <freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on behalf of mustafa mujahid <mustafa.mujahid at outlook.com>
Sent: Thursday, March 9, 2017 12:53 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error

Hi, so I re-created the certificates in the certs directory. I'm no longer getting the 'fatal access denied' error, but this time I got this after a long 11-page debug output:


WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state ...... did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



I researched the link provided and it seems that the client certificate requires the OID mentioned in the xpextensions file to be present in it. But what I don't understand is how I can incorporate this OID into the certificate. I created the certificates using the 'bootstrap' script in the certs directory.


Should I manually run the commands present in the README file, or should the make command automatically generate the certs and include the OID, or would I have to do it?

   Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:

Right, the above is a part of the client.crt file. Please guide me in this regard and excuse any lapse in understanding that I may have. By the way, I attached a screenshot of the prompt I received on the client machine when first authenticated.


BR/Mustafa
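
The message above asks how an Extended Key Usage OID ends up in a certificate. As an added example (not part of this thread and not the FreeRADIUS scripts), the following shows the generic OpenSSL mechanism: the OID is listed in an extensions file and applied when the CA signs the request. The throwaway CA, the file names and the `demo_*_ext` section names are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA signs two requests, taking the
# Extended Key Usage (EKU) OID for each from an extensions file.
set -eu

# Print the EKU line of a PEM certificate (prints nothing if it has none).
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Create ca.pem, server.crt and client.crt in directory $1.
make_demo_certs() {
    dir=$1
    # Hypothetical extensions file; section names are made up for this demo.
    cat > "$dir/demo_ext.cnf" <<'EOF'
[ demo_server_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ demo_client_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$role" \
            -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
        # -extfile/-extensions select which section is copied into the cert.
        openssl x509 -req -in "$dir/$role.csr" -days 1 \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/demo_ext.cnf" -extensions "demo_${role}_ext" \
            -out "$dir/$role.crt" 2>/dev/null
    done
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for role in server client; do
    printf '%s.crt EKU: %s\n' "$role" "$(cert_eku "$demo_dir/$role.crt")"
done
rm -rf "$demo_dir"
```

OpenSSL prints OID 1.3.6.1.5.5.7.3.1 as "TLS Web Server Authentication" and 1.3.6.1.5.5.7.3.2 as "TLS Web Client Authentication", the same text that appears in the client.crt excerpt above.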


________________________________
From: Freeradius-Users <freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, March 8, 2017 10:05 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error

On Mar 8, 2017, at 12:53 PM, mustafa mujahid <mustafa.mujahid at outlook.com> wrote:
>
> Hello all, I've been trying to authenticate LAN on a Cisco 2960 switch. I've done configurations with PAP, but this is the first time working with EAP. I have run into a bit of an issue. I receive a 'fatal: access denied error' in the debug log while testing with a single client. Radius version is 3.0.12

  Using google, the first link is:

https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Certificate-problems

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html