On 12/01/2011 10:23 PM, Markus Moeller wrote:

Hello Markus,

>   I have a setup using EAP TLS with CRL check and I get sometimes
> correctly an expired certificate presented.  But why does Radiator
> continue with an Access Challenge instead of a Reject?

There's this comment in EAP-TLS code:

  # Certificate verification failed, keep going
  # so we tell the client what the problem was

and then it logs "EAP TLS certificate verification failed: ..." message.

Does it still let you authenticate? I did not quite understand if you
were wondering why it challenges or if it also let you authenticate
successfully.

Thanks!
Heikki


> Wed Nov 30 18:20:11 2011: DEBUG: Handling request with Handler
> AuthType="radius"'
> Wed Nov 30 18:20:11 2011: DEBUG:  Deleting session for xxx, 10.10.10.10, 13
> Wed Nov 30 18:20:11 2011: DEBUG: Handling with Radius::AuthFILE: EapTLS
> Wed Nov 30 18:20:11 2011: DEBUG: Handling with EAP: code 2, 8, 689, 13
> Wed Nov 30 18:20:11 2011: DEBUG: Response type 13
> Wed Nov 30 18:20:11 2011: INFO: EAP TLS certificate verification failed:
> certificate has expired,  23809: 1 - error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>  
> Wed Nov 30 18:20:11 2011: DEBUG: EAP result: 3, EAP TLS Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS
> Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: Access challenged for xxx: EAP TLS
> Challenge
> Wed Nov 30 18:20:11 2011: DEBUG: Packet dump:
> *** Sending to 10.1.1.1 port 32769 ....
> Code:       Access-Challenge
> Identifier: 56
> Authentic:  (<183><181><167><240><188>2<186><243>d<247>d<248><12><151>+
> Attributes:
>         EAP-Message = <1><9><0><17><13><128><0><0><0><7><21><3><1><0><2><2>-
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  
>  
> Thank you
> markus
> 
> 
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.