On 01/29/2014 01:53 AM, Jeff Lee wrote:
> I'm having issues with authenticating PEAP requests, and I'm not sure
> what is the issue.
> Could someone shed some light… ?

Problem with verify_locations might be caused by a missing CA certificate.
Have you checked if EAPTLS_CAFile %D/certificates/AddTrustExternalCARoot.pem
really exists?

Also, is the error message below complete? When I try with a missing
certificate, there are additional lines like below:

Wed Jan 29 14:54:42 2014: ERR: TLS could not load_verify_locations ./certificates/demoCA/cacert.pem, :
4707: 1 - error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
4707: 2 - error:25070067:DSO support routines:DSO_load:could not load the shared library
4707: 3 - error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
4707: 4 - error:2606A074:engine routines:ENGINE_by_id:no such engine
4707: 5 - error:02001002:system library:fopen:No such file or directory
4707: 6 - error:2006D080:BIO routines:BIO_new_file:no such file
4707: 7 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Also note that the name of the missing file is shown after
load_verify_locations, but that might be caused by different OpenSSL and
Net-SSLeay versions.

I would first check if the CA cert exists and is readable.

Thanks,
Heikki

> Mon Jan 27 22:30:05 2014: ERR: TLS could not load_verify_locations , :
> 10884: 1 - error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
> 10884: 2 - error:25070067:DSO support routines:DSO_load:could not load the shared library
> 10884: 3 - error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
> 10884: 4 - error:2606A074:engine routines:ENGINE_by_id:no such engine
>
>
> * * * * * *
> below is the handler config, which I've placed to the last of the
> handler list, which means this is almost the last bit of the config
> file (radius.cfg).
>
>
> # ------------------------------------------------------------------------------------------
> # This is where the PEAP inner request appears
> # The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> # With the EAP_PEAP_MSCHAP_Convert flag set, the EAP-MSCHAPV2 request is converted
> # into conventional Radius-MSCHAPV2 and redespatched to the <Handler ConvertedFromEAPMSCHAPV2=1>
> # above.
> <Handler TunnelledByPEAP=1>
>     <AuthBy FILE>
>         # Don't really need this
>         # Filename %D/users
>
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
>
>         # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>         # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
>         # that matches ConvertedFromEAPMSCHAPV2=1 (see above)
>         EAP_PEAP_MSCHAP_Convert 1
>     </AuthBy>
> </Handler>
>
>
> # ------------------------------------------------------------------------------------------
> # Processes all 'outer' EAP requests - skips non-EAP requests leaving to next <Handler>
> <Handler EAP-Message=/.+/>
>     <AuthBy FILE>
>         Filename %D/users
>         EAPType TTLS
>         #EAPType TTLS, PEAP
>         EAPTLS_CAFile %D/certificates/AddTrustExternalCARoot.pem
>         EAPTLS_CertificateFile %D/certificates/my-cert.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/my-cert.key.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         EAPTLS_PEAPVersion 0
>     </AuthBy>
> </Handler>
>
>
> regards,
> Jeff
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
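Heikki's first suggestion, checking that the CA certificate exists and is readable, as a small script added here (it is not part of the thread and not Radiator's own code): it reads the EAPTLS_CAFile, EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile directives from a radius.cfg, expands %D to the DbDir given as the second argument, and reports files that are missing or unreadable, as well as a directive left with no filename (the quoted log shows an empty name after load_verify_locations). The config and certificate files in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Verify that the files named by the EAPTLS_* directives in a Radiator
# config exist and are readable. %D is expanded to the DbDir given as $2.
# Prints one line per directive; returns the number of problems found.
check_eaptls_files() {
    cfg=$1 dbdir=$2 problems=0
    for key in EAPTLS_CAFile EAPTLS_CertificateFile EAPTLS_PrivateKeyFile; do
        # Last matching directive wins; commented-out lines do not match.
        line=$(grep -E "^[[:space:]]*$key([[:space:]]|\$)" "$cfg" | tail -n 1)
        [ -n "$line" ] || continue                     # directive not used
        path=$(printf '%s\n' "$line" | awk '{print $2}')
        if [ -z "$path" ]; then
            # Matches the quoted log: "load_verify_locations , :" with no name
            printf 'EMPTY    %-24s no filename given\n' "$key"
            problems=$((problems + 1))
            continue
        fi
        file=$(printf '%s\n' "$path" | sed "s|%D|$dbdir|g")
        if [ -r "$file" ]; then
            printf 'OK       %-24s %s\n' "$key" "$file"
        else
            printf 'MISSING  %-24s %s (not found or not readable)\n' "$key" "$file"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
# Demo on a constructed config in a temp dir: only the CA file is present,
# the server certificate is missing and the key directive has no value.
demo() {
    tmp=$(mktemp -d) || return 99
    mkdir -p "$tmp/certificates"
    : > "$tmp/certificates/AddTrustExternalCARoot.pem"   # constructed stand-in
    cat > "$tmp/radius.cfg" <<'EOF'
<Handler EAP-Message=/.+/>
    <AuthBy FILE>
        EAPType TTLS
        EAPTLS_CAFile %D/certificates/AddTrustExternalCARoot.pem
        EAPTLS_CertificateFile %D/certificates/my-cert.pem
        EAPTLS_PrivateKeyFile
    </AuthBy>
</Handler>
EOF
    check_eaptls_files "$tmp/radius.cfg" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"    # 2 for this config
}
demo || echo "$? problem(s) found"
```

Run it as the user Radiator runs as (for example with sudo -u), since a file readable by root but not by that user produces the same load_verify_locations error.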
