Hi all,
I'm running into an issue where certain supplicants are failing radius and
others not. I can't explain it, but when I configure the supplicant on my
laptop using xpress Connect the device is setup correctly, auto-registers and I
get transferred from the captive portal onto the live network. However using
different supplicants setup using the same method I see the following in the
radius logs.
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:unknown CA): [cc0017] (from client
10.1.1.13 port 13 cli 00-1c-bf-22-ae-65)
} # server packetfence
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
Now I guess this is relating to the certificates I have told freeradius to use,
which I can see being called when the server starts, as below:
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/pf/conf/ssl/hallsradius.key"
certificate_file = "/usr/local/pf/conf/ssl/hallsradius.crt"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/";
}
}
However I'm unsure why this isn't working correctly. I presume that somehow my
laptop has accepted the certificates previously and is now allowing them, but
other new connections do not have this.
Can anyone please shed some light?
Cheers,
Andi
---------------------------------------------------------------
Andi Morris
Technical Security Analyst
Systems and Communications Services
Information Services Division
Cardiff Metropolitan University
Cardiff
Wales
CF5 2YB
02920 205720
--------------------------------------------------------------
________________________________
>From 1st November 2011 UWIC changed its title to Cardiff Metropolitan
>University. From the 6th December 2011, as part of this change, all email
>addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All
>emails sent from Cardiff Metropolitan University will now be sent from the new
>@cardiffmet.ac.uk address. Please could you ensure that all of your contact
>records and databases are updated to reflect this change. Further information
>can be found on the website
>here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan
Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n
cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a
ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o'r cyfeiriad
@cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion
cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar
y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
