I have done a lot of checking.  Could someone look over my shoulder and see
what might be wrong?

Here is some data.

-------- from eap.conf ----------
                tls {
                        private_key_password = naismc-pwd
                        private_key_file = ${raddbdir}/certs/cert-srv.pem
                        certificate_file = ${raddbdir}/certs/cert-srv.pem
                        #CA_path = ${raddbdir}/certs/demoCA
                        CA_file = ${raddbdir}/certs/root.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                #       fragment_size = 1024
                #       include_length = yes
                #       check_crl = yes
                #       check_cert_cn = %{User-Name}
                }

------- some openssl commands:

[EMAIL PROTECTED]:/etc/raddb/certs# openssl verify -CAfile /etc/raddb/certs/root.pem /etc/raddb/certs/root.pem
/etc/raddb/certs/root.pem: OK

[EMAIL PROTECTED]:/etc/raddb/certs# openssl verify -CAfile /etc/raddb/certs/root.pem /etc/raddb/certs/cert-srv.pem
/etc/raddb/certs/cert-srv.pem: /C=US/ST=mystate/L=mytown/O=company/OU=hostname/CN=Server Root Certificate/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

-----------------------------

I'm wondering if this "error 20 at 0 depth lookup" that occurs when I
attempt to verify my certificate is related to the problem of the
"unknown_ca" seen when I attempt PEAP from the aironet?

These certs were made with the certs.sh script shipped with Freeradius, and
the certs.sh ran with a minor modification.  Do I need to install the
root.pem in the openssl configuration somewhere so that it recognizes it or
finds it as a CA?

Thanks!
atkinson





> -----Original Message-----
> From: Dudley Atkinson [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 07, 2005 7:38 AM
> To: '[email protected]'
> Subject: RE: PEAP and "fatal unknown_ca"
> 
> 
> I thought that was true.  And I did that, with no change.  So
> it must be something in Freeradius/Certs.
> 
> Hopefully I will discover the little discrepancy that is
> keeping this from working for me.
> 
> Does it matter that it is Solaris 2.8?  I am running Openssl
> 0.9.7e, and the latest Freeradius release.
> 
> -atkinson
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of Øystein Gåsdal
> > Sent: Monday, February 07, 2005 1:57 AM
> > To: '[email protected]'
> > Subject: RE: PEAP and "fatal unknown_ca"
> > 
> > 
> > The easiest way to find out if it's the server that something is wrong
> > with is to just turn off "validate server certificate" under the 802.1x
> > settings in Windows XP. If you are running PEAP, you don't need
> > certificates on the client, just on the server.
> > 
> > - Øystein
> >   
> > 
> > > -----Original Message-----
> > > From: Dudley Atkinson [mailto:[EMAIL PROTECTED]
> > > Sent: 7. februar 2005 06:44
> > > To: [email protected]
> > > Subject: RE: PEAP and "fatal unknown_ca"
> > > 
> > > Thank you for the ideas.
> > > 
> > > I think that I have the right root.pem file in my config.  I will
> > > double-check that things match, but I've checked it many times 
> > > already.
> > > 
> > > Is there any way to use openssl to inspect the root.pem? Or
> > > cacert.pem? What commands can I enter to check that it is a valid 
> > > pem file containing the CA certificate?
> > > 
> > > Also, when I made the certs with the CA.all script, I got both a
> > > demoCA/cacert.pem and a root.pem file as a result.
> > > I've tried using both for the root certificate in freeradius, 
> > > and neither seems to work right.
> > > Which is THE right one to use?  The examples and config 
> > > templates made me think cacert.pem was right.
> > > 
> > > And I did go and install the certificate in XP, with no change in
> > > behavior. The error looks like something on the Freeradius side?  Or
> > > is this error reflecting a problem on the XP side?
> > > 
> > > > >   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> > > > > TLS Alert read:fatal:unknown CA
> > > > >     TLS_accept:failed in SSLv3 read client certificate A
> > > > > 24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> > > 
> > > I've followed the recipes and I'm still not savvy enough to know the
> > > way out....
> > > 
> > > -atkinson
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Artur Hecker
> > > > Sent: Sunday, February 06, 2005 6:12 PM
> > > > To: [email protected]
> > > > Subject: Re: PEAP and "fatal unknown_ca"
> > > > 
> > > > 
> > > > hi
> > > > 
> > > > 
> > > > Dudley Atkinson wrote:
> > > > > I have followed the instructions for creating self-signed server
> > > > > certificates, and I think I have the config files and certs aligned.
> > > > > But I must have something wrong, because when my supplicant (Aironet
> > > > > 1200) gets a request for PEAP from a Windows XP system, the radiusd
> > > > > debug shows "fatal unknown_ca" when in the last phase of the PEAP
> > > > > authentication.
> > > > 
> > > > hmmm, sorry to be a nitpicker - but the supplicant _is_ windows XP. i
> > > > suppose, the aironet 1200 is an access point, so it would be an
> > > > authenticator then.
> > > > 
> > > > 
> > > > > Is there some little gotcha I'm missing?
> > > > > 
> > > > > Is the setup for PEAP different than EAP/TLS?
> > > > > 
> > > > > Do I have to install something on the client (I thought not, since it
> > > > > is PEAP).
> > > > 
> > > > i personally think that the root.pem file which your radiusd is using
> > > > does not contain a correct certificate of the used CA. make sure:
> > > > - this file exists and is configured as such in the eap.conf /
> > > >   radiusd.conf
> > > > - freeradius finds and reads this file (file permissions, paths, etc.)
> > > > - this file and its content are valid (i.e. it's a valid pem file
> > > >   containing the CA certificate).
> > > > 
> > > > the used CA has to be known to the server at the moment when it starts
> > > > TLS communications.
> > > > 
> > > > btw it is the same for the supplicant (your Windows XP) - i would
> > > > suggest that you install the certificate. Windows used to kindly
> > > > propose the installation of a new (unknown) CA certificate but i'm not
> > > > quite sure it still works as expected and it definitely depends on a
> > > > lot of other parameters. so just preinstall it locally.
> > > > 
> > > > 
> > > > 
> > > > ciao
> > > > artur
> > > > 
> > > > 
> > > > > All help is appreciated; debug follows.
> > > > > 
> > > > > Thanks!
> > > > > Atkinson
> > > > > 
> > > > > rad_recv: Access-Request packet from host 10.0.1.3:21645, id=151, length=180
> > > > >         User-Name = "atkinsondu"
> > > > >         Framed-MTU = 1400
> > > > >         Called-Station-Id = "000f.9060.c140"
> > > > >         Calling-Station-Id = "0040.96a2.8ef1"
> > > > >         Cisco-AVPair = "ssid=eap-only"
> > > > >         Service-Type = Login-User
> > > > >         Message-Authenticator = 0xb7c8fd67a6fa635c21df964a0cbd2af5
> > > > >         EAP-Message = 0x020300061900
> > > > >         NAS-Port-Type = Wireless-802.11
> > > > >         Cisco-NAS-Port = "369"
> > > > >         NAS-Port = 369
> > > > >         State = 0x21f31e4903806b3d170350fcd4a4a82a
> > > > >         NAS-IP-Address = 10.0.1.3
> > > > >         NAS-Identifier = "wifi-ap1"
> > > > >   Processing the authorize section of radiusd.conf
> > > > > modcall: entering group authorize for request 2
> > > > >   modcall[authorize]: module "preprocess" returns ok for request 2
> > > > >     rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
> > > > >     rlm_realm: No such realm "NULL"
> > > > >   modcall[authorize]: module "ntdomain" returns noop for request 2
> > > > >     rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
> > > > >     rlm_realm: No such realm "NULL"
> > > > >   modcall[authorize]: module "suffix" returns noop for request 2
> > > > >   rlm_eap: EAP packet type response id 3 length 6
> > > > >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> > > > >   modcall[authorize]: module "eap" returns updated for request 2
> > > > > modcall: entering group group for request 2
> > > > > rlm_dbm: try open database file: /opt/local/etc/raddb/database/users
> > > > > rlm_dbm: Call parse_user:
> > > > > sm_parse_user.c: check for loops
> > > > > Add atkinsondu to user list
> > > > > rlm_dbm: User <atkinsondu> not foud in database
> > > > > Remove atkinsondu from user list
> > > > > sm_parse_user.c: check for loops
> > > > > Add DEFAULT to user list
> > > > > rlm_dbm: User <DEFAULT> not foud in database
> > > > > Remove DEFAULT from user list
> > > > >   modcall[authorize]: module "dbm" returns notfound for request 2
> > > > > modcall: group group returns notfound for request 2
> > > > > modcall: group authorize returns updated for request 2
> > > > >   rad_check_password:  Found Auth-Type EAP
> > > > > auth: type "EAP"
> > > > >   Processing the authenticate section of radiusd.conf
> > > > > modcall: entering group authenticate for request 2
> > > > >   rlm_eap: Request found, released from the list
> > > > >   rlm_eap: EAP/peap
> > > > >   rlm_eap: processing type peap
> > > > >   rlm_eap_peap: Authenticate
> > > > >   rlm_eap_tls: processing TLS
> > > > > rlm_eap_tls: Received EAP-TLS ACK message
> > > > >   rlm_eap_tls: ack handshake fragment handler
> > > > >   eaptls_verify returned 1
> > > > >   eaptls_process returned 13
> > > > >   rlm_eap_peap: EAPTLS_HANDLED
> > > > >   modcall[authenticate]: module "eap" returns handled for request 2
> > > > > modcall: group authenticate returns handled for request 2
> > > > > Sending Access-Challenge of id 151 to 10.0.1.3:21645
> > > > >         EAP-Message =
> > > > > 
> > > > 0x010403cc19005553311230100603550408130954656e6e65737365653112
> > > > 30100603550407
> > > > > 
> > > > 13094f616b205269646765310d300b060355040a130453414943310f300d06
> > > > 0355040b13064e
> > > > > 
> > > > 4149534d43311830160603550403130f4e41535652313820526f6f74204341
> > > > 311a301806092a
> > > > > 
> > > > 864886f70d010901160b746d68406e61737672313830819f300d06092a8648
> > > > 86f70d01010105
> > > > > 
> > > > 0003818d0030818902818100f53d6206d775bd27ecc7f41358590f88eba011
> > > > 4424ccfe8c75a1
> > > > > 
> > > > 735668a6506934cb4d1bae177cb9d130ce0b203d21ef9f5ff1eba850e6f1b8
> > > > 0fa9b5162975f0
> > > > > 0e4ac2fc4b0b0fe2ae8a6bef2a2651abc1ede8e72cad24e2210e
> > > > >         EAP-Message =
> > > > > 
> > > > 0xee6b46998af153a26274412e8e63816ecaa5bc997bf18ffaef66d42b98c0
> > > > deb6f4db1ba0b0
> > > > > 
> > > > 150203010001a381f33081f0301d0603551d0e04160414552260d6dd4cebad
> > > > e9a0adacf4733a
> > > > > 
> > > > bee5640ca33081c00603551d230481b83081b58014552260d6dd4cebade9a0
> > > > adacf4733abee5
> > > > > 
> > > > 640ca3a18191a4818e30818b310b3009060355040613025553311230100603
> > > > 55040813095465
> > > > > 
> > > > 6e6e657373656531123010060355040713094f616b205269646765310d300b
> > > > 060355040a1304
> > > > > 
> > > > 53414943310f300d060355040b13064e4149534d4331183016060355040313
> > > > 0f4e4153565231
> > > > > 3820526f6f74204341311a301806092a864886f70d010901160b
> > > > >         EAP-Message =
> > > > > 
> > > > 0x746d68406e617376723138820900aa339d443f523340300c0603551d1304
> > > > 0530030101ff30
> > > > > 
> > > > 0d06092a864886f70d010104050003818100bd318788d5775b1446536c2cab
> > > > e5031b72131346
> > > > > 
> > > > 177a421c930f4ffbf36ba1d516789335f29e984575ab736f350adecf1e437f
> > > > c5f2a4b3be0a03
> > > > > 
> > > > 6c90abc5ac4689237bafc1cf0130ede334bacec4689fbacd52cb8f7c6412ef
> > > > a28c96827164ce
> > > > > 
> > > > 8f6dcbb4d8d09c19e8fdc71cad56d2d665e02c6dfdaab49b83fdc2de3d6e47
> > > > 4c160301010d0c
> > > > > 
> > > > 0001090040d3706dbd315a1e6c6d31d7360a14069120fd6cd0de306332ac00
> > > > d88280dbd81175
> > > > > f1462cee6e4c0e58aa60e0190906edbf214e2bb7024043da0b66
> > > > >         EAP-Message =
> > > > > 
> > > > 0xba7b8c5dc300010500404e9adcd06469e95f46852f53d7befb50802a7164
> > > > 4dd633a501f6b4
> > > > > 
> > > > 82f01857af8a6de4056b27b1a9cbc8c9fc42a67354f698201690fd1d8bb8b5
> > > > 8d415690d0c700
> > > > > 
> > > > 80d7c0706283d95cd56c5448bc3450fc6cbc7b63366fee4fbe37b5346453c4
> > > > 2c2aa3eb857afe
> > > > > 
> > > > a3ba215cecfaa471487fe7363549984a4b850b7e80601daa5c23e1baaaf727
> > > > 964cca749eb0c1
> > > > > 
> > > > 40d7e0967915c072c264ed51930825ab6020d45562b1c2e947933ef885759c
> > > > 0ac83611621d6c
> > > > > 0b31c0f9cc885fb587317227c972eb16030100040e000000
> > > > >         Message-Authenticator = 0x00000000000000000000000000000000
> > > > >         State = 0x36cdeb1e4af1060e78512ffdc9c31264
> > > > > Finished request 2
> > > > > Going to the next request
> > > > > Waking up in 6 seconds...
> > > > > rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
> > > > >         User-Name = "atkinsondu"
> > > > >         Framed-MTU = 1400
> > > > >         Called-Station-Id = "000f.9060.c140"
> > > > >         Calling-Station-Id = "0040.96a2.8ef1"
> > > > >         Cisco-AVPair = "ssid=eap-only"
> > > > >         Service-Type = Login-User
> > > > >         Message-Authenticator = 0xfeb6cd762306cd1a886420d036082cc8
> > > > >         EAP-Message = 0x0204001119800000000715030100020230
> > > > >         NAS-Port-Type = Wireless-802.11
> > > > >         Cisco-NAS-Port = "369"
> > > > >         NAS-Port = 369
> > > > >         State = 0x36cdeb1e4af1060e78512ffdc9c31264
> > > > >         NAS-IP-Address = 10.0.1.3
> > > > >         NAS-Identifier = "wifi-ap1"
> > > > >   Processing the authorize section of radiusd.conf
> > > > > modcall: entering group authorize for request 3
> > > > >   modcall[authorize]: module "preprocess" returns ok for request 3
> > > > >     rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
> > > > >     rlm_realm: No such realm "NULL"
> > > > >   modcall[authorize]: module "ntdomain" returns noop for request 3
> > > > >     rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
> > > > >     rlm_realm: No such realm "NULL"
> > > > >   modcall[authorize]: module "suffix" returns noop for request 3
> > > > >   rlm_eap: EAP packet type response id 4 length 17
> > > > >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> > > > >   modcall[authorize]: module "eap" returns updated for request 3
> > > > > modcall: entering group group for request 3
> > > > > rlm_dbm: try open database file: /opt/local/etc/raddb/database/users
> > > > > rlm_dbm: Call parse_user:
> > > > > sm_parse_user.c: check for loops
> > > > > Add atkinsondu to user list
> > > > > rlm_dbm: User <atkinsondu> not foud in database
> > > > > Remove atkinsondu from user list
> > > > > sm_parse_user.c: check for loops
> > > > > Add DEFAULT to user list
> > > > > rlm_dbm: User <DEFAULT> not foud in database
> > > > > Remove DEFAULT from user list
> > > > >   modcall[authorize]: module "dbm" returns notfound for request 3
> > > > > modcall: group group returns notfound for request 3
> > > > > modcall: group authorize returns updated for request 3
> > > > >   rad_check_password:  Found Auth-Type EAP
> > > > > auth: type "EAP"
> > > > >   Processing the authenticate section of radiusd.conf
> > > > > modcall: entering group authenticate for request 3
> > > > >   rlm_eap: Request found, released from the list
> > > > >   rlm_eap: EAP/peap
> > > > >   rlm_eap: processing type peap
> > > > >   rlm_eap_peap: Authenticate
> > > > >   rlm_eap_tls: processing TLS
> > > > > rlm_eap_tls:  Length Included
> > > > >   eaptls_verify returned 11
> > > > >   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> > > > > TLS Alert read:fatal:unknown CA
> > > > >     TLS_accept:failed in SSLv3 read client certificate A
> > > > > 24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
> > > > > 24317:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
> > > > > rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> > > > > In SSL Handshake Phase
> > > > > In SSL Accept mode
> > > > > rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
> > > > >   eaptls_process returned 13
> > > > >   rlm_eap_peap: EAPTLS_HANDLED
> > > > >   rlm_eap: Freeing handler
> > > > >   modcall[authenticate]: module "eap" returns reject for request 3
> > > > > modcall: group authenticate returns reject for request 3
> > > > > auth: Failed to validate the user.
> > > > > Delaying request 3 for 1 seconds
> > > > > Finished request 3
> > > > > Going to the next request
> > > > > Waking up in 6 seconds...
> > > > > rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
> > > > > Sending Access-Reject of id 152 to 10.0.1.3:21645
> > > > > 
> > > > > 
> > > > > -
> > > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > > 
> > > > -- ___________________________________________________________
> > > > Artur Hecker
> > > > http://www.enst.fr/~hecker
> > > > ENST Paris ________________________________________________
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > 
> 


