The easiest way to find out whether it's the server that something is wrong with is to just turn off "validate server certificate" under the 802.1x settings in Windows XP. If you are running PEAP, you don't need certificates on the client, just on the server.
- Øystein

> -----Original Message-----
> From: Dudley Atkinson [mailto:[EMAIL PROTECTED]
> Sent: 7 February 2005 06:44
> To: [email protected]
> Subject: RE: PEAP and "fatal unknown_ca"
>
> Thank you for the ideas.
>
> I think that I have the right root.pem file in my config. I will
> double-check that things match, but I've checked it many times already.
>
> Is there any way to use openssl to inspect the root.pem? Or cacert.pem?
> What commands can I enter to check that it is a valid pem file
> containing the CA certificate?
>
> Also, when I made the certs with the CA.all script, I got both a
> demoCA/cacert.pem and a root.pem file as a result. I've tried using
> both for the root certificate in freeradius, and neither seems to work
> right. Which is THE right one to use? The examples and config templates
> made me think cacert.pem was right.
>
> And I did go and install the certificate in XP, with no change in
> behavior. The error looks like something on the Freeradius side? Or is
> this error reflecting a problem on the XP side?
>
> > > > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> > > > TLS Alert read:fatal:unknown CA
> > > > TLS_accept:failed in SSLv3 read client certificate A
> > > > 24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>
> I've followed the recipes and I'm still not savvy enough to know the
> way out....
>
> -atkinson
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Artur Hecker
> > Sent: Sunday, February 06, 2005 6:12 PM
> > To: [email protected]
> > Subject: Re: PEAP and "fatal unknown_ca"
> >
> > hi
> >
> > Dudley Atkinson wrote:
> > > I have followed the instructions for creating self-signed server
> > > certificates, and I think I have the config files and certs aligned.
> > > But I must have something wrong, because when my supplicant (Aironet
> > > 1200) gets a request for PEAP from a Windows XP system, the radiusd
> > > debug shows "fatal unknown_ca" when in the last phase of the PEAP
> > > authentication.
> >
> > hmmm, sorry to be a nitpicker - but the supplicant _is_ windows XP. i
> > suppose, the aironet 1200 is an access point, so it would be an
> > authenticator then.
> >
> > > Is there some little gotcha I'm missing?
> > >
> > > Is the setup for PEAP different than EAP/TLS?
> > >
> > > Do I have to install something on the client (I thought not, since it
> > > is PEAP).
> >
> > i personally think that the root.pem file which your radiusd is using
> > does not contain a correct certificate of the used CA. make sure:
> > - this file exists and is configured as such in the eap.conf /
> >   radiusd.conf
> > - freeradius finds and reads this file (file permissions, paths, etc.)
> > - this file and its content are valid (i.e. it's a valid pem file
> >   containing the CA certificate).
> >
> > the used CA has to be known to the server at the moment when it starts
> > TLS communications.
> >
> > btw it is the same for the supplicant (your Windows XP) - i would
> > suggest that you install the certificate. Windows used to kindly
> > propose the installation of a new (unknown) CA certificate but i'm not
> > quite sure it still works as expected and it definitely depends on a
> > lot of other parameters. so just preinstall it locally.
> >
> > ciao
> > artur
> >
> > > All help is appreciated; debug follows.
> > >
> > > Thanks!
> > > Atkinson
> > >
> > > rad_recv: Access-Request packet from host 10.0.1.3:21645, id=151, length=180
> > > 	User-Name = "atkinsondu"
> > > 	Framed-MTU = 1400
> > > 	Called-Station-Id = "000f.9060.c140"
> > > 	Calling-Station-Id = "0040.96a2.8ef1"
> > > 	Cisco-AVPair = "ssid=eap-only"
> > > 	Service-Type = Login-User
> > > 	Message-Authenticator = 0xb7c8fd67a6fa635c21df964a0cbd2af5
> > > 	EAP-Message = 0x020300061900
> > > 	NAS-Port-Type = Wireless-802.11
> > > 	Cisco-NAS-Port = "369"
> > > 	NAS-Port = 369
> > > 	State = 0x21f31e4903806b3d170350fcd4a4a82a
> > > 	NAS-IP-Address = 10.0.1.3
> > > 	NAS-Identifier = "wifi-ap1"
> > > Processing the authorize section of radiusd.conf
> > > modcall: entering group authorize for request 2
> > > modcall[authorize]: module "preprocess" returns ok for request 2
> > > rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
> > > rlm_realm: No such realm "NULL"
> > > modcall[authorize]: module "ntdomain" returns noop for request 2
> > > rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
> > > rlm_realm: No such realm "NULL"
> > > modcall[authorize]: module "suffix" returns noop for request 2
> > > rlm_eap: EAP packet type response id 3 length 6
> > > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> > > modcall[authorize]: module "eap" returns updated for request 2
> > > modcall: entering group group for request 2
> > > rlm_dbm: try open database file: /opt/local/etc/raddb/database/users
> > > rlm_dbm: Call parse_user:
> > > sm_parse_user.c: check for loops
> > > Add atkinsondu to user list
> > > rlm_dbm: User <atkinsondu> not foud in database
> > > Remove atkinsondu from user list
> > > sm_parse_user.c: check for loops
> > > Add DEFAULT to user list
> > > rlm_dbm: User <DEFAULT> not foud in database
> > > Remove DEFAULT from user list
> > > modcall[authorize]: module "dbm" returns notfound for request 2
> > > modcall: group group returns notfound for request 2
> > > modcall: group authorize returns updated for request 2
> > > rad_check_password: Found Auth-Type EAP
> > > auth: type "EAP"
> > > Processing the authenticate section of radiusd.conf
> > > modcall: entering group authenticate for request 2
> > > rlm_eap: Request found, released from the list
> > > rlm_eap: EAP/peap
> > > rlm_eap: processing type peap
> > > rlm_eap_peap: Authenticate
> > > rlm_eap_tls: processing TLS
> > > rlm_eap_tls: Received EAP-TLS ACK message
> > > rlm_eap_tls: ack handshake fragment handler
> > > eaptls_verify returned 1
> > > eaptls_process returned 13
> > > rlm_eap_peap: EAPTLS_HANDLED
> > > modcall[authenticate]: module "eap" returns handled for request 2
> > > modcall: group authenticate returns handled for request 2
> > > Sending Access-Challenge of id 151 to 10.0.1.3:21645
> > > 	[four EAP-Message hex fragments omitted]
> > > 	Message-Authenticator = 0x00000000000000000000000000000000
> > > 	State = 0x36cdeb1e4af1060e78512ffdc9c31264
> > > Finished request 2
> > > Going to the next request
> > > Waking up in 6 seconds...
> > > rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
> > > 	User-Name = "atkinsondu"
> > > 	Framed-MTU = 1400
> > > 	Called-Station-Id = "000f.9060.c140"
> > > 	Calling-Station-Id = "0040.96a2.8ef1"
> > > 	Cisco-AVPair = "ssid=eap-only"
> > > 	Service-Type = Login-User
> > > 	Message-Authenticator = 0xfeb6cd762306cd1a886420d036082cc8
> > > 	EAP-Message = 0x0204001119800000000715030100020230
> > > 	NAS-Port-Type = Wireless-802.11
> > > 	Cisco-NAS-Port = "369"
> > > 	NAS-Port = 369
> > > 	State = 0x36cdeb1e4af1060e78512ffdc9c31264
> > > 	NAS-IP-Address = 10.0.1.3
> > > 	NAS-Identifier = "wifi-ap1"
> > > Processing the authorize section of radiusd.conf
> > > modcall: entering group authorize for request 3
> > > modcall[authorize]: module "preprocess" returns ok for request 3
> > > rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
> > > rlm_realm: No such realm "NULL"
> > > modcall[authorize]: module "ntdomain" returns noop for request 3
> > > rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
> > > rlm_realm: No such realm "NULL"
> > > modcall[authorize]: module "suffix" returns noop for request 3
> > > rlm_eap: EAP packet type response id 4 length 17
> > > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> > > modcall[authorize]: module "eap" returns updated for request 3
> > > modcall: entering group group for request 3
> > > rlm_dbm: try open database file: /opt/local/etc/raddb/database/users
> > > rlm_dbm: Call parse_user:
> > > sm_parse_user.c: check for loops
> > > Add atkinsondu to user list
> > > rlm_dbm: User <atkinsondu> not foud in database
> > > Remove atkinsondu from user list
> > > sm_parse_user.c: check for loops
> > > Add DEFAULT to user list
> > > rlm_dbm: User <DEFAULT> not foud in database
> > > Remove DEFAULT from user list
> > > modcall[authorize]: module "dbm" returns notfound for request 3
> > > modcall: group group returns notfound for request 3
> > > modcall: group authorize returns updated for request 3
> > > rad_check_password: Found Auth-Type EAP
> > > auth: type "EAP"
> > > Processing the authenticate section of radiusd.conf
> > > modcall: entering group authenticate for request 3
> > > rlm_eap: Request found, released from the list
> > > rlm_eap: EAP/peap
> > > rlm_eap: processing type peap
> > > rlm_eap_peap: Authenticate
> > > rlm_eap_tls: processing TLS
> > > rlm_eap_tls: Length Included
> > > eaptls_verify returned 11
> > > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> > > TLS Alert read:fatal:unknown CA
> > > TLS_accept:failed in SSLv3 read client certificate A
> > > 24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
> > > 24317:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
> > > rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> > > In SSL Handshake Phase
> > > In SSL Accept mode
> > > rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
> > > eaptls_process returned 13
> > > rlm_eap_peap: EAPTLS_HANDLED
> > > rlm_eap: Freeing handler
> > > modcall[authenticate]: module "eap" returns reject for request 3
> > > modcall: group authenticate returns reject for request 3
> > > auth: Failed to validate the user.
> > > Delaying request 3 for 1 seconds
> > > Finished request 3
> > > Going to the next request
> > > Waking up in 6 seconds...
> > > rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
> > > Sending Access-Reject of id 152 to 10.0.1.3:21645
> >
> > --
> > ___________________________________________________________
> > Artur Hecker
> > http://www.enst.fr/~hecker
> > ENST Paris ________________________________________________

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
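Dudley asks how to inspect root.pem with openssl and which of root.pem and demoCA/cacert.pem is the right CA file, and Artur's checklist ends with "this file and its content are valid". The shell functions below are an added example, not code from the thread or from FreeRADIUS: they run those checks with openssl, and make_demo_pki builds a throwaway CA, an unrelated CA and a server certificate locally so the checks can be exercised offline (all file names are placeholders).

```shell
#!/bin/sh
# Added example, not from the thread: openssl checks for the CA file that a
# FreeRADIUS server and its supplicants must agree on. All paths are
# placeholders; make_demo_pki builds a throwaway PKI to run the checks on.

# Is the file a PEM certificate openssl can parse at all?
pem_is_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates >/dev/null 2>&1
}

# Is it a root CA, i.e. self-signed (subject equals issuer)? The two
# outputs differ only in the "subject="/"issuer=" prefix, so strip those.
pem_is_root_ca() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Do two files hold the same certificate? Settles root.pem vs cacert.pem:
# if both contain the same CA certificate, the fingerprints match.
pem_same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Does the server certificate verify against this CA file? A supplicant that
# trusts only $1 performs the same check; failing it is what unknown_ca means.
server_cert_chains_to() {   # $1 = CA file, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Throwaway PKI in directory $1 (constructed test data): ca.pem signs
# server.pem, other-ca.pem does not, and root.pem is a copy of ca.pem.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/server.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.pem" 2>/dev/null
    cp "$d/ca.pem" "$d/root.pem"
}
```

Point the same four functions at the real CA_file from eap.conf and the server certificate it serves; a CA file that passes pem_is_cert but fails server_cert_chains_to against the server certificate is exactly the mismatch Artur describes.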

