Hello Francisco,

On Sat, 28 Jun 2003 01:55 am, Francisco Contreiras wrote:
> I generated the certificates with mkcertificates.sh and everything went OK.
> But now when I make a PEAP request I get this error: TLS could not
> use_PrivateKey_file.
>
> Another question is: should the challenge password that is asked for by
> MKCERTIFICATE be the same as the one configured in eap_peap.cfg as
> EAPTLS_PrivateKeyPassword?
Yes.

Cheers.

> ############ Log File ##################################
> [EMAIL PROTECTED] Radiator-Demo-3.6]# perl radiusd -foreground -log_stdout -trace 4 -config_file /etc/radius/radius.cfg
> Fri Jun 27 17:30:08 2003: DEBUG: Reading users file /etc/radius/users
> Fri Jun 27 17:30:08 2003: DEBUG: Reading users file /etc/radius/users
> Fri Jun 27 17:30:08 2003: DEBUG: Reading users file /etc/radius/users
> Fri Jun 27 17:30:08 2003: DEBUG: Finished reading configuration file '/etc/radius/radius.cfg'
> This Radiator license will expire on 2003-10-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see http://www.open.com.au/ordering.html
> To extend your evaluation period, contact [EMAIL PROTECTED]
> Fri Jun 27 17:30:08 2003: DEBUG: Reading dictionary file '/etc/radius/dictionary'
> Fri Jun 27 17:30:09 2003: DEBUG: Reading dictionary file '/etc/radius/dictionary.ascend'
> Fri Jun 27 17:30:10 2003: DEBUG: Creating authentication port 0.0.0.0:1812
> Fri Jun 27 17:30:10 2003: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Jun 27 17:30:10 2003: NOTICE: Server started: Radiator 3.6 on cuco.lx.it.pt (EVALUATION)
> Fri Jun 27 17:31:29 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.253 port 1645 ....
> Code: Access-Request
> Identifier: 56
> Authentic: k<154><6>xR"<254><216><224><255>t'<198><210>QN
> Attributes:
>     User-Name = "[EMAIL PROTECTED]"
>     Framed-MTU = 1400
>     Called-Station-Id = "0002.8a21.9173"
>     Calling-Station-Id = "000b.fd60.56c9"
>     Message-Authenticator = <200><162>S<29><151><<210><237><194><181><29>,<161>?<231>#
>     EAP-Message = <2><2><0><13><1>[EMAIL PROTECTED]
>     NAS-Port-Type = Virtual
>     NAS-Port = 448
>     NAS-IP-Address = 192.168.0.253
>     NAS-Identifier = "ap"
> Fri Jun 27 17:31:29 2003: DEBUG: Handling request with Handler 'Realm = pt'
> Fri Jun 27 17:31:29 2003: DEBUG: Deleting session for [EMAIL PROTECTED], 192.168.0.253, 448
> Fri Jun 27 17:31:29 2003: DEBUG: Handling with Radius::AuthFILE:
> Fri Jun 27 17:31:29 2003: DEBUG: Handling with EAP: code 2, 2, 13
> Fri Jun 27 17:31:29 2003: DEBUG: Response type 1
> Fri Jun 27 17:31:30 2003: ERR: TLS could not use_PrivateKey_file /etc/radius/demoCA/cert-srv.pem, 1:
> 840: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line
> 840: 2 - error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt
> 840: 3 - error:0906A065:PEM routines:PEM_do_header:bad decrypt
> 840: 4 - error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> Fri Jun 27 17:31:30 2003: INFO: Access rejected for [EMAIL PROTECTED]: EAP TLS Could not initialise context
> Fri Jun 27 17:31:30 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.253 port 1645 ....
> Code: Access-Reject
> Identifier: 56
> Authentic: k<154><6>xR"<254><216><224><255>t'<198><210>QN
> Attributes:
>     Reply-Message = "Request Denied"
> Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.253 port 1645 ....
> Code: Access-Request
> Identifier: 57
> Authentic: <179><168><222><253><247><232><217><252><171><177><184><202><29>(<217><12>
> Attributes:
>     User-Name = "[EMAIL PROTECTED]"
>     Framed-MTU = 1400
>     Called-Station-Id = "0002.8a21.9173"
>     Calling-Station-Id = "000b.fd60.56c9"
>     Message-Authenticator = <172><242>@<213><18><149><135><237><174><172><213>4<206><145><234><171>
>     EAP-Message = <2><1><0><13><1>[EMAIL PROTECTED]
>     NAS-Port-Type = Virtual
>     NAS-Port = 449
>     NAS-IP-Address = 192.168.0.253
>     NAS-Identifier = "ap"
> Fri Jun 27 17:31:36 2003: DEBUG: Handling request with Handler 'Realm = pt'
> Fri Jun 27 17:31:36 2003: DEBUG: Deleting session for [EMAIL PROTECTED], 192.168.0.253, 449
> Fri Jun 27 17:31:36 2003: DEBUG: Handling with Radius::AuthFILE:
> Fri Jun 27 17:31:36 2003: DEBUG: Handling with EAP: code 2, 1, 13
> Fri Jun 27 17:31:36 2003: DEBUG: Response type 1
> Fri Jun 27 17:31:36 2003: DEBUG: Access challenged for [EMAIL PROTECTED]: EAP PEAP Challenge
> Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.253 port 1645 ....
> Code: Access-Challenge
> Identifier: 57
> Authentic: <179><168><222><253><247><232><217><252><171><177><184><202><29>(<217><12>
> Attributes:
>     EAP-Message = <1><2><0><6><25>!
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.253 port 1645 ....
> Code: Access-Request
> Identifier: 58
> Authentic: FH<241> <223>Q<185><197><5><29><232><206><226>I$<150>
> Attributes:
>     User-Name = "[EMAIL PROTECTED]"
>     Framed-MTU = 1400
>     Called-Station-Id = "0002.8a21.9173"
>     Calling-Station-Id = "000b.fd60.56c9"
>     Message-Authenticator = N^<239><17>m<6>u<243><29>><188><154>S<163>P<148>
>     EAP-Message = <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>><252>cg<166><11><201><241><198>gv["<155><136>|<248><155><7><185><27><211>dr<206>@s<225>\(<224>Q<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
>     NAS-Port-Type = Virtual
>     NAS-Port = 449
>     NAS-IP-Address = 192.168.0.253
>     NAS-Identifier = "ap"
> Fri Jun 27 17:31:36 2003: DEBUG: Handling request with Handler 'Realm = pt'
> Fri Jun 27 17:31:36 2003: DEBUG: Deleting session for [EMAIL PROTECTED], 192.168.0.253, 449
> Fri Jun 27 17:31:36 2003: DEBUG: Handling with Radius::AuthFILE:
> Fri Jun 27 17:31:36 2003: DEBUG: Handling with EAP: code 2, 2, 80
> Fri Jun 27 17:31:36 2003: DEBUG: Response type 25
> Fri Jun 27 17:31:36 2003: DEBUG: EAP TLS SSL_accept result: -1, 1, 8466
> Fri Jun 27 17:31:36 2003: ERR: EAP TLS error: -1, 1, 8466, 840: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> Fri Jun 27 17:31:36 2003: INFO: Access rejected for [EMAIL PROTECTED]: EAP PEAP TLS error
> Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.253 port 1645 ....
> Code: Access-Reject
> Identifier: 58
> Authentic: FH<241> <223>Q<185><197><5><29><232><206><226>I$<150>
> Attributes:
>     EAP-Message = <4><2><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
> ##########################
>
> ########### CFG FILE ########################
> AuthPort 1812
> AcctPort 1813
> LogDir /var/log/radius
> DbDir /etc/radius
> DictionaryFile %D/dictionary,%D/dictionary.ascend
> PidFile /var/run/radiusd.pid
> Trace 4
>
> <Client 192.168.254>
>     Secret xpto
> </Client>
> # "Internal" requests, arriving from a PEAP tunnel
> <Handler TunnelledByPEAP=1>
>     <AuthBy FILE>
>         Filename /etc/radius/users
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
> # Internal requests sent through a TTLS tunnel
> <Handler TunnelledByTTLS=1>
>     <AuthBy FILE>
>         Filename /etc/radius/users
>         EAPType PAP
>         # TLS requires the configuration below
>         EAPTLS_CAFile /etc/radius/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radius/demoCA/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radius/demoCA/cert-srv.pem
>         EAPTLS_PrivateKeyPassword xpto
>     </AuthBy>
> </Handler>
> <Handler Realm = pt>
>     <AuthBy FILE>
>         Filename /etc/radius/users
>         # For now, allow PEAP and TTLS
>         # add other EAP variants here
>         EAPType PEAP, TTLS
>         # If TLS is used:
>         # certificates are generated with the radiator script
>         # mkcertificate.sh, in goodies/
>         EAPTLS_CAFile /etc/radius/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radius/demoCA/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radius/demoCA/cert-srv.pem
>         EAPTLS_PrivateKeyPassword xpto
>         EAPTLS_MaxFragmentSize 1024
>         AutoMPPEKeys
>         SSLeayTrace 4
>     </AuthBy>
> </Handler>
> ######################
>
> Please help,
>
> Thank you in advance.
>
> Francisco Contreiras
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
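The first failure in the quoted log is PEM "bad decrypt" while loading /etc/radius/demoCA/cert-srv.pem, i.e. the configured EAPTLS_PrivateKeyPassword did not unlock the private key, so the TLS context was never built. The pre-flight check below is an added example, not Radiator code and not from either poster: it verifies with the openssl CLI (assumed to be installed) that the password decrypts the key and that the key belongs to the certificate, against a throwaway certificate/key pair it generates itself.

```shell
#!/bin/sh
# Pre-flight check for the EAPTLS_* settings of an <AuthBy FILE> clause:
# does EAPTLS_PrivateKeyPassword decrypt the key in EAPTLS_PrivateKeyFile,
# and does that key belong to EAPTLS_CertificateFile?  Added example, not
# Radiator code.  Assumes the openssl CLI is on the PATH.

# Returns 0 when password $2 decrypts the first private key block in $1.
# A failure here is what the log reports as "PEM_do_header:bad decrypt".
check_key_password() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Returns 0 when the key in $1 (unlocked with $2) matches the public key
# of the certificate in $3, i.e. key and certificate were not mixed up.
check_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed demo data: certificate and encrypted key kept in one file,
# the cert-srv.pem layout the quoted config relies on, built in a temporary
# directory so the checks run offline.  Password matches the config: xpto.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=demo-radius' \
    -passout pass:xpto -keyout "$DEMO_DIR/key.pem" \
    -out "$DEMO_DIR/crt.pem" 2>/dev/null
cat "$DEMO_DIR/crt.pem" "$DEMO_DIR/key.pem" > "$DEMO_DIR/cert-srv.pem"

# What a pre-start check prints for a right and a wrong password.
for pw in xpto wrong-password; do
    if check_key_password "$DEMO_DIR/cert-srv.pem" "$pw"; then
        echo "EAPTLS_PrivateKeyPassword '$pw': key decrypts"
    else
        echo "EAPTLS_PrivateKeyPassword '$pw': bad decrypt, radiusd would fail"
    fi
done
if check_key_matches_cert "$DEMO_DIR/cert-srv.pem" xpto "$DEMO_DIR/cert-srv.pem"; then
    echo "private key matches certificate in cert-srv.pem"
fi
```

Point the two functions at the real EAPTLS_PrivateKeyFile, EAPTLS_PrivateKeyPassword and EAPTLS_CertificateFile values from radius.cfg to run the same check against a production configuration.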
