On 21 Apr 2003, Sungwon Ha wrote:
> Hi!
> I have a question about an access denied message from RADIUS. I was using RADIUS for EAP-TLS authentication with Windows XP (service pack 2). But XP was denied because RADIUS produced an error as follows:
> <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
<snip>
> SSL alert number 49
I've just seen this as well. This is with XPsp1 doing EAP/TLS. It goes away if I ask XP to *not* validate the server certificate.
I also see the following in the XP RASTLS log:
AuthenticateServer
FGetEKUUsage
FCheckUsage
The server's cert does not have the 'Server Authentication' usage
MakeAlert(49,Schannel)
Not quite sure what this means; the root certificate on the XP machine certainly *does* claim to be good for server authentication so I suppose it's talking about the cert that freeradius is using.
What's odd is that this setup was working a while back. Xsupplicant(linux) seems quite happy about my server certificate.
Luke Diamand
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
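The RASTLS message in the reply above refers to the Extended Key Usage (EKU) extension of the certificate the RADIUS server presents. As an added example, not code from this thread, FreeRADIUS or Windows, the following standard-library Python walks a DER-encoded certificate and lists its EKU OIDs. The function names, the constructed sample fragment and the strict rule in `has_server_auth` (a certificate with no EKU extension also fails) are assumptions made for illustration.

```python
# Added example: list the Extended Key Usage OIDs in a DER certificate (stdlib only).
EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, "Server Authentication"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

def children(buf):                 # yields (tag, content) for each DER element in buf
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:          # long form: low 7 bits count the length bytes
            end = pos + (length & 0x7F)
            length, pos = int.from_bytes(buf[pos:end], "big"), end
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:              # base-128; a set high bit means more bytes follow
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)  # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der):                 # EKU OIDs as a list, or None when there is no EKU extension
    for tag, body in children(der):
        if tag & 0x20:             # constructed element: look inside it
            kids = list(children(body))
            if tag == 0x30 and kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == EKU_EXT:
                (_, usages), = children(kids[-1][1])   # extnValue OCTET STRING wraps a SEQUENCE
                return [decode_oid(raw) for _, raw in children(usages)]
            found = eku_oids(body)
            if found is not None:
                return found
    return None

def has_server_auth(der):          # assumed policy, modelled on the RASTLS message
    return SERVER_AUTH in (eku_oids(der) or [])

# Constructed sample input: a bare [3] Extensions fragment, not a real certificate.
def tlv(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)   # short-form lengths only
def oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return tlv(0x06, bytes([a[0] * 40 + a[1]] + a[2:]))           # every arc here is < 128
def sample_extensions(*usages):
    return tlv(0xA3, tlv(0x30, tlv(0x30, oid(EKU_EXT), tlv(0x04, tlv(0x30, *map(oid, usages))))))
```

To check a real PEM certificate, convert it to DER first with `ssl.PEM_cert_to_DER_cert` and pass the result to `eku_oids`.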
