On 12/01/2011 10:23 PM, Markus Moeller wrote:

Hello Markus,

> I have a setup using EAP TLS with CRL check and I get sometimes
> correctly an expired certificate presented. But why does Radiator
> continue with an Access Challenge instead of a Reject ?

There's this comment in EAP-TLS code:

# Certificate verification failed, keep going
# so we tell the client what the problem was

and then it logs "EAP TLS certificate verification failed: ..." message.

Does it still let you authenticate? I did not quite understand if you
were wondering why it challenges or if it also let you authenticate
successfully.

Thanks!
Heikki

> Wed Nov 30 18:20:11 2011: DEBUG: Handling request with Handler
> AuthType="radius"'
> Wed Nov 30 18:20:11 2011: DEBUG: Deleting session for xxx, 10.10.10.10, 13
> Wed Nov 30 18:20:11 2011: DEBUG: Handling with Radius::AuthFILE: EapTLS
> Wed Nov 30 18:20:11 2011: DEBUG: Handling with EAP: code 2, 8, 689, 13
> Wed Nov 30 18:20:11 2011: DEBUG: Response type 13
> Wed Nov 30 18:20:11 2011: INFO: EAP TLS certificate verification failed:
> certificate has expired, 23809: 1 - error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
> Wed Nov 30 18:20:11 2011: DEBUG: EAP result: 3, EAP TLS Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS
> Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: Access challenged for xxx: EAP TLS
> Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: Packet dump:
> *** Sending to 10.1.1.1 port 32769 ....
> Code: Access-Challenge
> Identifier: 56
> Authentic: (<183><181><167><240><188>2<186><243>d<247>d<248><12><151>+
> Attributes:
> EAP-Message = <1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
> Thank you
> markus
>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
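
Added example, not part of the original thread and not Radiator code: a decoder for the EAP-Message attribute in the Access-Challenge quoted above, showing what the challenge actually carries to the client. It assumes the dump notation writes each non-printable byte as <n> in decimal and printable bytes as literal characters; the function and variable names are illustrative.

```python
import re
import struct

# EAP-Message value copied from the Access-Challenge in the packet dump above.
EAP_MESSAGE_DUMP = "<1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}


def dump_to_bytes(text):
    """Assumed notation: <n> is one byte in decimal, any other character is literal."""
    pairs = re.findall(r"<(\d{1,3})>|(.)", text, re.S)
    return bytes(int(num) if num else ord(ch) for num, ch in pairs)


def parse_eap_tls(packet):
    """Decode an EAP-TLS packet (RFC 5216) and a TLS alert record it carries."""
    if len(packet) < 6:
        raise ValueError("too short for an EAP-TLS packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or eap_type != 13:
        raise ValueError("truncated packet or not EAP type 13 (EAP-TLS)")
    flags, body = packet[5], packet[6:]
    if flags & 0x80:  # L bit: a four-octet TLS message length comes first
        body = body[4:]
    info = {"eap_code": EAP_CODES.get(code, code), "identifier": ident,
            "more_fragments": bool(flags & 0x40), "tls_content_type": None}
    if len(body) >= 5:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", body[:5])
        info.update(tls_content_type=ctype, tls_version=(major, minor))
        if ctype == 21 and rec_len == 2 and len(body) >= 7:  # unencrypted alert
            level, desc = body[5], body[6]
            info["alert_level"] = ALERT_LEVELS.get(level, level)
            info["alert"] = TLS_ALERTS.get(desc, desc)
    return info


if __name__ == "__main__":
    print(parse_eap_tls(dump_to_bytes(EAP_MESSAGE_DUMP)))
```

For the dump above this yields an EAP Request carrying a single TLS 1.0 alert record, level fatal, description certificate_expired, which matches the "certificate has expired" INFO line in the log.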
