eap_peap: fatal access_denied error
mustafa mujahid
mustafa.mujahid at outlook.com
Thu Mar 9 10:53:00 CET 2017
PFA.
________________________________
From: Freeradius-Users <freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on behalf of mustafa mujahid <mustafa.mujahid at outlook.com>
Sent: Thursday, March 9, 2017 12:53 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error
Hi , So I re-created the certificates in the certs directory. I'm no longer getting the 'fatal access denied' error. but this time I got this after a along 11 page debug ouput:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state ...... did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
Certificate Compatibility - FreeRADIUS<http://wiki.freeradius.org/guide/Certificate_Compatibility>
wiki.freeradius.org
The certificates created using the scripts in the raddb/certs directory (https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/raddb/certs) are known to be ...
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I researched the link provided and seems that the client certificate requires the OID mentioned in xpextension file to be present in it. But what I don't understand is how can I incorporate this OID into the certificate. I created the certificates using the 'bootstrap' script in the certs directory
Should I manually run the commands present in the README file or should the make command automatically generate the certs and include the OID or would I have to do it.
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 CRL Distribution Points:
Right the above is a part of the client.crt file . Please guide me in this regard and excuse any lapse in understanding that I may have. By the way I attached a screen shot of the prompt I received on client machine when first authenticated.
BR/Mustafa
________________________________
From: Freeradius-Users <freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, March 8, 2017 10:05 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error
On Mar 8, 2017, at 12:53 PM, mustafa mujahid <mustafa.mujahid at outlook.com> wrote:
>
> Hello all, I've been trying to authentication LAN on Cisco 2960 Switch. I've done configurations with PAP but this is the first time working with EAP. I have run into a bit of an issue. I receive a 'fatal :access denied error' in the debug log while testing with a single client. Radius version is 3.0.12
Using google, the first link is:
https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Certificate-problems
GTACKnowledge - Clients cannot authenticate to NAC because ...<https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Certificate-problems>
gtacknowledge.extremenetworks.com
Clients cannot authenticate to NAC because of TLS Alert Read: fatal access denied errors or missing FQDN name in certificate
GTACKnowledge - Clients cannot authenticate to NAC because ...<https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Certificate-problems>
gtacknowledge.extremenetworks.com
Clients cannot authenticate to NAC because of TLS Alert Read: fatal access denied errors or missing FQDN name in certificate
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRADIUS -- users' list info<http://www.freeradius.org/list/users.html>
www.freeradius.org<http://www.freeradius.org>
Users' List Information. The freeradius-users mailing list is for users of the FreeRADIUS server not Cistron's server! There are a few house-rules to which we'd like ...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list