I thought that was true. And I did that, with no change. So it must be something in Freeradius/Certs.
Hopefully I will discover the little discrepancy that is keeping this from working for me. Does it matter that it is Solaris 2.8? I am running Openssl 0.9.7e, and the latest Freeradius release. -atkinson > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of �ystein G�sdal > Sent: Monday, February 07, 2005 1:57 AM > To: '[email protected]' > Subject: RE: PEAP and "fatal unknown_ca" > > > The easiest way to find out if it's the server it is > something wrong with, just turn off validate server > certificate under the 802.1x settings in WindowsXP. If you > are running PEAP, you don't need certificates on the client, > just on the server. > > - �ystein > > > > -----Original Message----- > > From: Dudley Atkinson [mailto:[EMAIL PROTECTED] > > Sent: 7. februar 2005 06:44 > > To: [email protected] > > Subject: RE: PEAP and "fatal unknown_ca" > > > > Thank you for the ideas. > > > > I think that I have the right root.pem file in my config. I > > will double-check that things match, but I've checked it many > > times already. > > > > Is there any way to use openssl to inspect the root.pem? Or > > cacert.pem? > > What commands can I enter to check that is is a valid pem > > file containing the CA certificate? > > > > Also, when I made the certs with the CA.all script, I got > > both a demoCA/cacert.pem and a root.pem file as a result. > > I've tried using both for the root certificate in freeradius, > > and neither seems to work right. > > Which is THE right one to use? The examples and config > > templates made me think cacert.pem was right. > > > > And I did go and install the certificate in XP, with no > > change in behavior. > > The error looks like something on the Freeradius side? Or is > > this error reflecting a problem on the XP side? > > > > > > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal > > unknown_ca TLS > > > > Alert read:fatal:unknown CA > > > > TLS_accept:failed in SSLv3 read client certificate A > > > > 24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 > > > > I've followed the recipes and I'm still not savvy enough to > > know the way out.... > > > > -atkinson > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of > > > Artur Hecker > > > Sent: Sunday, February 06, 2005 6:12 PM > > > To: [email protected] > > > Subject: Re: PEAP and "fatal unknown_ca" > > > > > > > > > hi > > > > > > > > > Dudley Atkinson wrote: > > > > I have followed the instructions for creating self-signed server > > > > certificates, and I think I have the config files and certs > > > aligned. > > > > But I must have something wrong, because when my supplicant > > > (Aironet > > > > 1200) gets a request for PEAP from a Windows XP system, > > the radiusd > > > > debug shows "fatal unknown_ca" when in the last phase > of the PEAP > > > > authentication. > > > > > > hmmm, sorry to be a nitpicker - but the supplicant _is_ > > windows XP. i > > > suppose, the aironet 1200 is an access point, so it would be an > > > authenticator then. > > > > > > > > > > Is there some little gotcha I'm missing? > > > > > > > > Is the setup for PEAP different than EAP/TLS? > > > > > > > > Do I have to install something on the client (I thought > > > not, since it > > > > is PEAP). > > > > > > i personally think that the root.pem file which your > > radiusd is using > > > does not contain a correct certificate of the used CA. make sure: > > > - this file exists and is configured as such in the eap.conf / > > > radiusd.conf > > > - freeradius finds and reads this file (file permissions, > > paths, etc.) > > > - this file and its content are valid (i.e. it's a valid pem file > > > containing the CA certificate). > > > > > > the used CA has to be known to the server at the moment > > when it starts > > > TLS communications. > > > > > > btw it is the same for the supplicant (your Windows XP) - i would > > > suggest that you install the certificate. Windows used to kindly > > > propose the installation of a new (unknown) CA certificate > > but i'm not > > > quite sure it still works as expected and it definitly > depends on a > > > lot of other parameters. so just preinstall it locally. > > > > > > > > > > > > ciao > > > artur > > > > > > > > > > All help is appreciated; debug follows. > > > > > > > > Thanks! > > > > Atkinson > > > > > > > > ad_recv: Access-Request packet from host 10.0.1.3:21645, > > > id=151, length=180 > > > > User-Name = "atkinsondu" > > > > Framed-MTU = 1400 > > > > Called-Station-Id = "000f.9060.c140" > > > > Calling-Station-Id = "0040.96a2.8ef1" > > > > Cisco-AVPair = "ssid=eap-only" > > > > Service-Type = Login-User > > > > Message-Authenticator = > 0xb7c8fd67a6fa635c21df964a0cbd2af5 > > > > EAP-Message = 0x020300061900 > > > > NAS-Port-Type = Wireless-802.11 > > > > Cisco-NAS-Port = "369" > > > > NAS-Port = 369 > > > > State = 0x21f31e4903806b3d170350fcd4a4a82a > > > > NAS-IP-Address = 10.0.1.3 > > > > NAS-Identifier = "wifi-ap1" > > > > Processing the authorize section of radiusd.conf > > > > modcall: entering group authorize for request 2 > > > > modcall[authorize]: module "preprocess" returns ok > for request 2 > > > > rlm_realm: No '\' in User-Name = "atkinsondu", looking > > > up realm NULL > > > > rlm_realm: No such realm "NULL" > > > > modcall[authorize]: module "ntdomain" returns noop > for request 2 > > > > rlm_realm: No '@' in User-Name = "atkinsondu", looking > > > up realm NULL > > > > rlm_realm: No such realm "NULL" > > > > modcall[authorize]: module "suffix" returns noop for request 2 > > > > rlm_eap: EAP packet type response id 3 length 6 > > > > rlm_eap: No EAP Start, assuming it's an on-going EAP > > conversation > > > > modcall[authorize]: module "eap" returns updated for request 2 > > > > modcall: entering group group for request 2 > > > > rlm_dbm: try open database file: > > /opt/local/etc/raddb/database/users > > > > rlm_dbm: Call parse_user: > > > > sm_parse_user.c: check for loops > > > > Add atkinsondu to user list > > > > rlm_dbm: User <atkinsondu> not foud in database > > > > Remove atkinsondu from user list > > > > sm_parse_user.c: check for loops > > > > Add DEFAULT to user list > > > > rlm_dbm: User <DEFAULT> not foud in database > > > > Remove DEFAULT from user list > > > > modcall[authorize]: module "dbm" returns notfound for > request 2 > > > > modcall: group group returns notfound for request 2 > > > > modcall: group authorize returns updated for request 2 > > > > rad_check_password: Found Auth-Type EAP > > > > auth: type "EAP" > > > > Processing the authenticate section of radiusd.conf > > > > modcall: entering group authenticate for request 2 > > > > rlm_eap: Request found, released from the list > > > > rlm_eap: EAP/peap > > > > rlm_eap: processing type peap > > > > rlm_eap_peap: Authenticate > > > > rlm_eap_tls: processing TLS > > > > rlm_eap_tls: Received EAP-TLS ACK message > > > > rlm_eap_tls: ack handshake fragment handler > > > > eaptls_verify returned 1 > > > > eaptls_process returned 13 > > > > rlm_eap_peap: EAPTLS_HANDLED > > > > modcall[authenticate]: module "eap" returns handled for > > request 2 > > > > modcall: group authenticate returns handled for request > 2 Sending > > > > Access-Challenge of id 151 to 10.0.1.3:21645 > > > > EAP-Message = > > > > > > > 0x010403cc19005553311230100603550408130954656e6e65737365653112 > > > 30100603550407 > > > > > > > 13094f616b205269646765310d300b060355040a130453414943310f300d06 > > > 0355040b13064e > > > > > > > 4149534d43311830160603550403130f4e41535652313820526f6f74204341 > > > 311a301806092a > > > > > > > 864886f70d010901160b746d68406e61737672313830819f300d06092a8648 > > > 86f70d01010105 > > > > > > > 0003818d0030818902818100f53d6206d775bd27ecc7f41358590f88eba011 > > > 4424ccfe8c75a1 > > > > > > > 735668a6506934cb4d1bae177cb9d130ce0b203d21ef9f5ff1eba850e6f1b8 > > > 0fa9b5162975f0 > > > > 0e4ac2fc4b0b0fe2ae8a6bef2a2651abc1ede8e72cad24e2210e > > > > EAP-Message = > > > > > > > 0xee6b46998af153a26274412e8e63816ecaa5bc997bf18ffaef66d42b98c0 > > > deb6f4db1ba0b0 > > > > > > > 150203010001a381f33081f0301d0603551d0e04160414552260d6dd4cebad > > > e9a0adacf4733a > > > > > > > bee5640ca33081c00603551d230481b83081b58014552260d6dd4cebade9a0 > > > adacf4733abee5 > > > > > > > 640ca3a18191a4818e30818b310b3009060355040613025553311230100603 > > > 55040813095465 > > > > > > > 6e6e657373656531123010060355040713094f616b205269646765310d300b > > > 060355040a1304 > > > > > > > 53414943310f300d060355040b13064e4149534d4331183016060355040313 > > > 0f4e4153565231 > > > > 3820526f6f74204341311a301806092a864886f70d010901160b > > > > EAP-Message = > > > > > > > 0x746d68406e617376723138820900aa339d443f523340300c0603551d1304 > > > 0530030101ff30 > > > > > > > 0d06092a864886f70d010104050003818100bd318788d5775b1446536c2cab > > > e5031b72131346 > > > > > > > 177a421c930f4ffbf36ba1d516789335f29e984575ab736f350adecf1e437f > > > c5f2a4b3be0a03 > > > > > > > 6c90abc5ac4689237bafc1cf0130ede334bacec4689fbacd52cb8f7c6412ef > > > a28c96827164ce > > > > > > > 8f6dcbb4d8d09c19e8fdc71cad56d2d665e02c6dfdaab49b83fdc2de3d6e47 > > > 4c160301010d0c > > > > > > > 0001090040d3706dbd315a1e6c6d31d7360a14069120fd6cd0de306332ac00 > > > d88280dbd81175 > > > > f1462cee6e4c0e58aa60e0190906edbf214e2bb7024043da0b66 > > > > EAP-Message = > > > > > > > 0xba7b8c5dc300010500404e9adcd06469e95f46852f53d7befb50802a7164 > > > 4dd633a501f6b4 > > > > > > > 82f01857af8a6de4056b27b1a9cbc8c9fc42a67354f698201690fd1d8bb8b5 > > > 8d415690d0c700 > > > > > > > 80d7c0706283d95cd56c5448bc3450fc6cbc7b63366fee4fbe37b5346453c4 > > > 2c2aa3eb857afe > > > > > > > a3ba215cecfaa471487fe7363549984a4b850b7e80601daa5c23e1baaaf727 > > > 964cca749eb0c1 > > > > > > > 40d7e0967915c072c264ed51930825ab6020d45562b1c2e947933ef885759c > > > 0ac83611621d6c > > > > 0b31c0f9cc885fb587317227c972eb16030100040e000000 > > > > Message-Authenticator = > 0x00000000000000000000000000000000 > > > > State = 0x36cdeb1e4af1060e78512ffdc9c31264 > > > > Finished request 2 > > > > Going to the next request > > > > Waking up in 6 seconds... > > > > rad_recv: Access-Request packet from host 10.0.1.3:21645, > > > id=152, length=191 > > > > User-Name = "atkinsondu" > > > > Framed-MTU = 1400 > > > > Called-Station-Id = "000f.9060.c140" > > > > Calling-Station-Id = "0040.96a2.8ef1" > > > > Cisco-AVPair = "ssid=eap-only" > > > > Service-Type = Login-User > > > > Message-Authenticator = > 0xfeb6cd762306cd1a886420d036082cc8 > > > > EAP-Message = 0x0204001119800000000715030100020230 > > > > NAS-Port-Type = Wireless-802.11 > > > > Cisco-NAS-Port = "369" > > > > NAS-Port = 369 > > > > State = 0x36cdeb1e4af1060e78512ffdc9c31264 > > > > NAS-IP-Address = 10.0.1.3 > > > > NAS-Identifier = "wifi-ap1" > > > > Processing the authorize section of radiusd.conf > > > > modcall: entering group authorize for request 3 > > > > modcall[authorize]: module "preprocess" returns ok > for request 3 > > > > rlm_realm: No '\' in User-Name = "atkinsondu", looking > > > up realm NULL > > > > rlm_realm: No such realm "NULL" > > > > modcall[authorize]: module "ntdomain" returns noop > for request 3 > > > > rlm_realm: No '@' in User-Name = "atkinsondu", looking > > > up realm NULL > > > > rlm_realm: No such realm "NULL" > > > > modcall[authorize]: module "suffix" returns noop for request 3 > > > > rlm_eap: EAP packet type response id 4 length 17 > > > > rlm_eap: No EAP Start, assuming it's an on-going EAP > > conversation > > > > modcall[authorize]: module "eap" returns updated for request 3 > > > > modcall: entering group group for request 3 > > > > rlm_dbm: try open database file: > > > /opt/local/etc/raddb/database/users > > > > rlm_dbm: Call parse_user: > > > > sm_parse_user.c: check for loops > > > > Add atkinsondu to user list > > > > rlm_dbm: User <atkinsondu> not foud in database > > > > Remove atkinsondu from user list > > > > sm_parse_user.c: check for loops > > > > Add DEFAULT to user list > > > > rlm_dbm: User <DEFAULT> not foud in database > > > > Remove DEFAULT from user list > > > > modcall[authorize]: module "dbm" returns notfound for > request 3 > > > > modcall: group group returns notfound for request 3 > > > > modcall: group authorize returns updated for request 3 > > > > rad_check_password: Found Auth-Type EAP > > > > auth: type "EAP" > > > > Processing the authenticate section of radiusd.conf > > > > modcall: entering group authenticate for request 3 > > > > rlm_eap: Request found, released from the list > > > > rlm_eap: EAP/peap > > > > rlm_eap: processing type peap > > > > rlm_eap_peap: Authenticate > > > > rlm_eap_tls: processing TLS > > > > rlm_eap_tls: Length Included > > > > eaptls_verify returned 11 > > > > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal > unknown_ca > > > > TLS Alert read:fatal:unknown CA > > > > TLS_accept:failed in SSLv3 read client certificate A > > > > 24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 > > > alert unknown > > > > ca:s3_pkt.c:1052:SSL alert number 48 24317:error:140940E5:SSL > > > > routines:SSL3_READ_BYTES:ssl handshake > > > > failure:s3_pkt.c:837: > > > > rlm_eap_tls: SSL_read failed in a system call (-1), TLS > > > session fails. > > > > In SSL Handshake Phase > > > > In SSL Accept mode > > > > rlm_eap_tls: BIO_read failed in a system call (-1), TLS > > > session fails. > > > > eaptls_process returned 13 > > > > rlm_eap_peap: EAPTLS_HANDLED > > > > rlm_eap: Freeing handler > > > > modcall[authenticate]: module "eap" returns reject > for request 3 > > > > modcall: group authenticate returns reject for request 3 > > > > auth: Failed to validate the user. > > > > Delaying request 3 for 1 seconds > > > > Finished request 3 > > > > Going to the next request > > > > Waking up in 6 seconds... > > > > rad_recv: Access-Request packet from host 10.0.1.3:21645, > > > id=152, length=191 > > > > Sending Access-Reject of id 152 to 10.0.1.3:21645 > > > > > > > > > > > > - > > > > List info/subscribe/unsubscribe? See > > > http://www.freeradius.org/list/users.html > > > > > > -- > > > ___________________________________________________________ > > > Artur Hecker > > > http://www.enst.fr/~hecker > > > ENST Paris ________________________________________________ > > > > > > > > > > > > > > > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > > > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
