I'm not well oriented in the whole FreeRADIUS configuration and authorization, but it looks like your client is not accepting untrusted/unknown certificates that cannot be verified. This is sometimes forced on certain supplicants to disallow connecting to untrusted networks.
See options in the supplicant about trusting unknown CA, so that you can loosen up security.

On Mon, Jun 25, 2012 at 2:35 PM, Morris, Andi <[email protected]> wrote:
> Hi all,
>
> I'm running into an issue where certain supplicants are failing radius and
> others not. I can't explain it, but when I configure the supplicant on my
> laptop using XpressConnect the device is set up correctly, auto-registers
> and I get transferred from the captive portal onto the live network.
> However, using different supplicants set up using the same method I see the
> following in the radius logs.
>
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
> [peap] eaptls_process returned 4
> [peap] EAPTLS_OTHERS
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect (TLS Alert read:fatal:unknown CA): [cc0017] (from client 10.1.1.13 port 13 cli 00-1c-bf-22-ae-65)
> } # server packetfence
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/packetfence
> +- entering group REJECT {...}
>
> Now I guess this is relating to the certificates I have told freeradius to
> use, which I can see being called when the server starts, as below:
>
> Module: Instantiating eap-tls
>  tls {
>         rsa_key_exchange = no
>         dh_key_exchange = yes
>         rsa_key_length = 512
>         dh_key_length = 512
>         verify_depth = 0
>         pem_file_type = yes
>         private_key_file = "/usr/local/pf/conf/ssl/hallsradius.key"
>         certificate_file = "/usr/local/pf/conf/ssl/hallsradius.crt"
>         dh_file = "/etc/raddb/certs/dh"
>         random_file = "/dev/urandom"
>         fragment_size = 1024
>         include_length = yes
>         check_crl = no
>         cipher_list = "DEFAULT"
>         make_cert_command = "/etc/raddb/certs/bootstrap"
>         cache {
>                 enable = no
>                 lifetime = 24
>                 max_entries = 255
>         }
>         verify {
>         }
>         ocsp {
>                 enable = no
>                 override_cert_url = yes
>                 url = "http://127.0.0.1/ocsp/"
>         }
>  }
>
> However, I'm unsure why this isn't working correctly. I presume that somehow
> my laptop has accepted the certificates previously and is now allowing them,
> but other new connections do not have this.
>
> Can anyone please shed some light?
>
> Cheers,
> Andi
>
> ---------------------------------------------------------------
> Andi Morris
> Technical Security Analyst
>
> Systems and Communications Services
> Information Services Division
> Cardiff Metropolitan University
> Cardiff
> Wales
> CF5 2YB
>
> 02920 205720
> --------------------------------------------------------------
>
> ________________________________
>
> From 1st November 2011 UWIC changed its title to Cardiff Metropolitan
> University. From the 6th December 2011, as part of this change, all email
> addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All
> emails sent from Cardiff Metropolitan University will now be sent from the
> new @cardiffmet.ac.uk address. Please could you ensure that all of your
> contact records and databases are updated to reflect this change. Further
> information can be found on the website here.
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Michal Sochoń alias _KaszpiR_
[email protected]
IRC: #hlds.pl @ irc.quakenet.org
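The failure in the thread is decided on the supplicant side: the `unknown_ca` alert means the client refused the RADIUS server's certificate because it does not trust the issuing CA, so nothing in the server's `tls {}` block (key length, DH parameters, cipher_list) can change the outcome. The script below is an added example, not code from the thread or from FreeRADIUS/PacketFence. It triages `Login incorrect` lines from FreeRADIUS 2.x debug output, separates failures where the supplicant rejected the server certificate from ordinary inner-authentication failures, and pulls out the username, NAS client IP, port and calling-station MAC so the affected devices can be listed. The sample log is copied from the post; the second `Login incorrect` line (user `bob`) and the mschap reason text are constructed to show the other branch, and the regular expressions assume the 2.x log format shown in the post.

```python
"""Triage FreeRADIUS EAP-PEAP failures: was it the supplicant rejecting
the server certificate, or a normal credential failure?

Added example, not part of the mailing-list thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input. The first eleven lines are taken from the log excerpt in the
# post; the last line (user "bob", mschap reason) is constructed to show a
# failure that has nothing to do with certificate trust.
SAMPLE_LOG = """\
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[eap] Handler failed in EAP/peap
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:unknown CA): [cc0017] (from client 10.1.1.13 port 13 cli 00-1c-bf-22-ae-65)
Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client 10.1.1.13 port 13 cli 00-11-22-33-44-55)
"""

# TLS alert descriptions (RFC 5246 section 7.2.2) that a client sends when it
# refuses the server's certificate. The decision is made on the supplicant,
# so the server-side key, DH parameters or cipher_list cannot fix them.
SERVER_CERT_REJECTED = {
    "unknown ca": "supplicant does not trust the CA that issued the RADIUS server certificate",
    "bad certificate": "supplicant's certificate checks failed (signature, name or usage)",
    "certificate expired": "server certificate validity period has passed",
    "certificate unknown": "supplicant rejected the certificate for an unspecified reason",
}

# Format of the 2.x "Login incorrect" line as it appears in the post.
LOGIN_RE = re.compile(
    r"Login incorrect \((?P<reason>[^)]*)\): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<ip>\S+) port (?P<port>\d+) cli (?P<mac>\S+)\)"
)
ALERT_RE = re.compile(r"TLS Alert read:fatal:(?P<alert>.+)")


@dataclass
class Failure:
    user: str
    client_ip: str
    port: int
    mac: str
    reason: str
    tls_alert: Optional[str]      # alert description, or None if not a TLS alert
    server_cert_rejected: bool    # True when the client refused our certificate
    advice: str


def classify(reason: str) -> Tuple[Optional[str], bool, str]:
    """Map the parenthesised reason to (alert, rejected-by-client?, advice)."""
    m = ALERT_RE.search(reason)
    if not m:
        return None, False, "not a TLS alert; look at the inner method (credentials, MS-CHAPv2, backend)"
    alert = m.group("alert").strip()
    key = alert.lower().replace("_", " ")   # "unknown CA" and "unknown_ca" both match
    if key in SERVER_CERT_REJECTED:
        advice = (SERVER_CERT_REJECTED[key]
                  + "; distribute the issuing CA (and intermediates) to the supplicant "
                  + "instead of turning off server certificate validation")
        return alert, True, advice
    return alert, False, "TLS alert unrelated to server certificate trust; re-run radiusd -X and read the handshake"


def triage(log_text: str) -> List[Failure]:
    """Parse every 'Login incorrect' line in the debug output."""
    failures: List[Failure] = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        alert, rejected, advice = classify(m.group("reason"))
        failures.append(Failure(
            user=m.group("user"), client_ip=m.group("ip"), port=int(m.group("port")),
            mac=m.group("mac"), reason=m.group("reason"),
            tls_alert=alert, server_cert_rejected=rejected, advice=advice,
        ))
    return failures


def summarize(failures: List[Failure]) -> Dict[str, int]:
    """Count failures per TLS alert description (None -> 'no-tls-alert')."""
    counts: Dict[str, int] = {}
    for f in failures:
        key = f.tls_alert or "no-tls-alert"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "CLIENT REJECTED SERVER CERT" if f.server_cert_rejected else "other"
        print(f"{f.user:8} {f.mac} via {f.client_ip}:{f.port} [{flag}] {f.advice}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run over a full `radiusd -X` capture, the MAC list for the `unknown CA` bucket is exactly the set of supplicants that still need the CA installed; the devices that work (like the XpressConnect-provisioned laptop in the post) never produce that alert because the provisioning step put the CA in their trust store.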
