Are you using Windows?
This is a common problem with Windows: basically the client supplicant is set
to validate the cert from the RADIUS server; however, it does not contain the
root cert that it needs to verify it, which breaks the process.
Either disable certificate validation under the connection properties (not as
secure, but pretty much what everyone does) or install the cert the
supplicant needs (secure, but a pain to manage manually).
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
From: Morris, Andi [mailto:[email protected]]
Sent: Monday, June 25, 2012 7:36 AM
To: [email protected]
Subject: [PacketFence-users] freeradius TLS
Hi all,
I'm running into an issue where certain supplicants are failing RADIUS and
others are not. I can't explain it, but when I configure the supplicant on my
laptop using XpressConnect the device is set up correctly, auto-registers and I
get transferred from the captive portal onto the live network. However, using
different supplicants set up using the same method, I see the following in the
RADIUS logs.
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:unknown CA): [cc0017] (from client 10.1.1.13 port 13 cli 00-1c-bf-22-ae-65)
} # server packetfence
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
Now I guess this is relating to the certificates I have told freeradius to use,
which I can see being called when the server starts, as below:
Module: Instantiating eap-tls
  tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "/usr/local/pf/conf/ssl/hallsradius.key"
    certificate_file = "/usr/local/pf/conf/ssl/hallsradius.crt"
    dh_file = "/etc/raddb/certs/dh"
    random_file = "/dev/urandom"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
      enable = no
      lifetime = 24
      max_entries = 255
    }
    verify {
    }
    ocsp {
      enable = no
      override_cert_url = yes
      url = "http://127.0.0.1/ocsp/"
    }
  }
However, I'm unsure why this isn't working correctly. I presume that somehow my
laptop has accepted the certificates previously and is now allowing them, but
other new connections do not have this.
Can anyone please shed some light?
Cheers,
Andi
---------------------------------------------------------------
Andi Morris
Technical Security Analyst
Systems and Communications Services
Information Services Division
Cardiff Metropolitan University
Cardiff
Wales
CF5 2YB
02920 205720
--------------------------------------------------------------
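The "unknown CA" alert above is sent by the supplicant, so the RADIUS log identifies which devices lack the issuing CA rather than which accounts are wrong. As an added example (editor's code, not from the thread or PacketFence), this script groups the "Login incorrect (TLS Alert read:fatal:unknown CA)" lines of FreeRADIUS 2.x output by client MAC so the affected supplicants can be found and fixed; the sample log is constructed and the MACs, NAS address and usernames in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample of FreeRADIUS debug output, modelled on the lines quoted
# in the thread above; the MACs, NAS address and usernames are made up.
SAMPLE_LOG = """\
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
Login incorrect (TLS Alert read:fatal:unknown CA): [cc0017] (from client 10.1.1.13 port 13 cli 00-1c-bf-22-ae-65)
Login OK: [cc0017] (from client 10.1.1.13 port 14 cli 00-1c-bf-22-ae-66)
Login incorrect (TLS Alert read:fatal:unknown CA): [cc0042] (from client 10.1.1.13 port 13 cli 00-1c-bf-22-ae-65)
Login incorrect (mschap: MS-CHAP2-Response is incorrect): [cc0099] (from client 10.1.1.14 port 2 cli 00-1c-bf-22-ae-70)
"""

# One "Login OK" / "Login incorrect" summary line per authentication attempt.
LOGIN_RE = re.compile(
    r"^Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]+)\] \(from client (?P<nas>\S+) port (?P<port>\d+) "
    r"cli (?P<mac>[0-9A-Fa-f:-]+)\)$"
)


def parse_login_events(text):
    """Return one dict per Login summary line; other debug lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unknown_ca_clients(events):
    """Group 'unknown CA' rejects by client MAC.

    A MAC that keeps failing this way is a supplicant that does not trust the
    CA which issued the RADIUS server certificate; the device needs the CA
    installed (or validation relaxed), not a password reset.
    """
    report = defaultdict(lambda: {"count": 0, "users": set(), "nas": set()})
    for ev in events:
        if ev["result"] == "incorrect" and "unknown CA" in (ev["reason"] or ""):
            entry = report[ev["mac"]]
            entry["count"] += 1
            entry["users"].add(ev["user"])
            entry["nas"].add(ev["nas"])
    return dict(report)


if __name__ == "__main__":
    for mac, info in unknown_ca_clients(parse_login_events(SAMPLE_LOG)).items():
        print(f"{mac}: {info['count']} unknown-CA rejects, users "
              f"{sorted(info['users'])}, NAS {sorted(info['nas'])}")
```

Run it against `radiusd -X` output to get the list of MACs to look up in PacketFence; a MAC that also produces "Login OK" lines has already been fixed.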
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users