Hi, Noel
Or can this "access denied" come from the PKCS format? PKCS#7 is used in this case;
should PKCS#12 be used?
Regards,

    On Sunday, 28 February 2016, 15:20, yukou katori <[email protected]> 
wrote:
 

 Hi, Noel
Thanks. I compiled again to isolate this problem. The reason why no item about
certificates was shown by "ipsec listall" was that I had imported an incorrect
certificate from FreeRadius. Now I can get the item about the CA by "ipsec
install".
But I still get the same error.
What does "access denied" mean? This is for TLS 1.2, but it means:

   access_denied
      A valid certificate was received, but when access control was
      applied, the sender decided not to proceed with negotiation.  This
      message is always fatal.

from RFC 5246.
Access control?
I compiled like this:
./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --enable-eap-identity --enable-eap-tls --enable-eap-peap --enable-eap-ttls --enable-eap-mschapv2 --enable-eap-md5
Regards,

////// debug of StrongSwan ///
Sun Feb 28 10:28:54 2016 : Info: [ttls] <<< TLS 1.0 Alert [length 0002], fatal access_denied
Sun Feb 28 10:28:54 2016 : Error: TLS Alert read:fatal:access denied
Sun Feb 28 10:28:54 2016 : Error: TLS_accept: failed in SSLv3 read client certificate A
Sun Feb 28 10:28:54 2016 : Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Sun Feb 28 10:28:54 2016 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Sun Feb 28 10:28:54 2016 : Debug: TLS receive handshake failed during operation

////// config of ipsec.conf ///
root@eNB-3:/usr/local/etc# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="tls 4, ike 4, lib 4"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn eap-ttls-rad1
        left=192.168.31.10
        leftsourceip=%config
        leftid=test1@test
        leftauth=eap
        #leftauth2=md5
        right=192.168.120.254
        #rightcert=/usr/local/etc/ipsec.d/certs/Radius-1_Svr_cert
        rightid=Radius-1@test
        rightsubnet=2.0.0.1/32
        rightauth=pubkey
        #rightauth2=md5
        aaa_identity="C=JP, O=XXX, CN=Radius-1_svr@test"
        auto=add

////// output of "ipsec listall" ///
root@eNB-3:/usr/local/etc# ipsec listall
List of X.509 CA Certificates:

  subject:  "C=JP, ST=Some-State, O=XXX, OU=TSO, [email protected], [email protected]"
  issuer:   "C=JP, ST=Some-State, O=XXX, OU=TSO, [email protected], [email protected]"
  serial:    91:72:72:2d:af:3f:7c:73
  validity:  not before Feb 28 01:02:24 2016, ok
             not after  Feb 27 01:02:24 2017, ok
  pubkey:    RSA 2048 bits
  keyid:     e5:a7:66:c8:00:8f:8a:3a:72:7a:b3:af:ef:6c:e5:a4:3f:bb:51:16
  subjkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53
  authkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53

List of registered IKE algorithms:
(snip)

Just for info, the user configuration of FreeRadius is fine.

////// about the Server's certificate ///
CN=Radius-1_svr@test was issued by CN=Radius-1_CA
root@Radius-1:/usr/lib/ssl/misc# openssl x509 -text -noout -in Radius-1_Svr_cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@test/emailAddress=yukou.katori@test
        Validity
            Not Before: Feb 27 16:18:46 2016 GMT
            Not After : Feb 26 16:18:46 2017 GMT
        Subject: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_svr@test/emailAddress=yukou.katori@test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

////// users ///
user configuration seems fine...
test1@test Cleartext-Password := "test1@test"

/etc/freeradius/wpa_supplicant-2.5/wpa_supplicant# ./eapol_test -c eap-ttls.conf -s testing123 -a 127.0.0.1
Reading configuration file 'eap-ttls.conf'
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=15):
     74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d      test1@test
password - hexdump_ascii(len=15):
     74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d      test1@test
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 4d 44 35                           auth=MD5
Priority group 0
   id=0 ssid=''
(snip)
MPPE keys OK: 1  mismatch: 0
SUCCESS
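The check this thread keeps circling, written out as an added example (my code, not strongSwan's or FreeRADIUS's): charon compares the identity it expects for the AAA server (aaa_identity in ipsec.conf) against what the server's TLS certificate presents, logs "server certificate does not match to '...'" on a mismatch, and sends the fatal "access denied" alert that FreeRADIUS then reports as "TLS Alert read:fatal:access denied". The script below takes the two DN strings posted above (the aaa_identity and the Subject line from openssl x509 -text, copied into constructed constants), compares them RDN by RDN, and extracts the expected identity and the alert from constructed charon and rlm_eap log lines in the formats shown in the thread. Assumptions: the strict whole-DN comparison is an illustration of the check, not strongSwan's own matching code (as far as I know charon also accepts an identity carried in a subjectAltName, which this script does not look at), and the DN splitting is naive, breaking on values that contain ',' or '/'. Worth noting from the page's own data: the configured aaa_identity lacks the ST, OU and emailAddress RDNs that the posted certificate subject carries.

```python
"""Compare the aaa_identity a strongSwan EAP-TTLS client is configured with
against the subject DN of the RADIUS server's TLS certificate, and pull the
identity charon reports as expected out of its TLS debug log.

Illustrative check written for this thread; not strongSwan or FreeRADIUS code.
"""
import re

# Constructed from the thread: the aaa_identity line of ipsec.conf and the
# Subject line printed by `openssl x509 -text -noout -in Radius-1_Svr_cert`.
AAA_IDENTITY = "C=JP, O=XXX, CN=Radius-1_svr@test"
OPENSSL_SUBJECT = ("C=JP, ST=Some-State, O=XXX, OU=TSO, "
                   "CN=Radius-1_svr@test/emailAddress=yukou.katori@test")

# Constructed log lines in the formats shown in the thread (charon on the
# client side, rlm_eap on the FreeRADIUS side).
CHARON_LOG = """\
Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)
Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'
Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'
"""
RADIUS_LOG = """\
Sun Feb 28 10:28:54 2016 : Error: TLS Alert read:fatal:access denied
Sun Feb 28 10:28:54 2016 : Error: TLS_accept: failed in SSLv3 read client certificate A
"""


def parse_dn(text):
    """Split a DN string into an ordered list of (attribute, value) pairs.

    Handles the two spellings seen in the thread: strongSwan's
    'C=JP, O=XXX, CN=...' and openssl's -text form, which joins a trailing
    emailAddress with '/'. Assumption: no attribute value itself contains
    ',' or '/' (true for the DNs on this page; a real DN parser would need
    RFC 4514 escaping).
    """
    rdns = []
    for part in re.split(r",\s*|/", text.strip()):
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def compare_identity(configured, cert_subject):
    """Report how a configured identity differs from a certificate subject.

    'match' is True only when every RDN agrees, in the same order: the strict
    whole-DN comparison this example uses. 'missing' lists RDNs present in
    the certificate but absent from the configuration; 'extra' lists RDNs
    configured but not carried by the certificate.
    """
    want = parse_dn(configured)
    have = parse_dn(cert_subject)
    return {
        "match": want == have,
        "missing": [rdn for rdn in have if rdn not in want],
        "extra": [rdn for rdn in want if rdn not in have],
    }


MISMATCH_RE = re.compile(r"server certificate does not match to '([^']*)'")
CLIENT_ALERT_RE = re.compile(r"sending fatal TLS alert '([^']*)'")
SERVER_ALERT_RE = re.compile(r"TLS Alert read:fatal:(.+)$")


def scan_logs(charon_log, radius_log):
    """Extract the identity charon expected, the alert it sent and the alert
    FreeRADIUS read, so the operator can see that both sides report the same
    failure and which identity the client actually compared against."""
    result = {"expected_identity": None, "client_alert": None, "server_alert": None}
    for line in charon_log.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            result["expected_identity"] = m.group(1)
        m = CLIENT_ALERT_RE.search(line)
        if m:
            result["client_alert"] = m.group(1)
    for line in radius_log.splitlines():
        m = SERVER_ALERT_RE.search(line)
        if m:
            result["server_alert"] = m.group(1).strip()
    return result


if __name__ == "__main__":
    diff = compare_identity(AAA_IDENTITY, OPENSSL_SUBJECT)
    print("aaa_identity matches certificate subject:", diff["match"])
    for rdn in diff["missing"]:
        print("  in certificate but not in aaa_identity: %s=%s" % rdn)
    for rdn in diff["extra"]:
        print("  in aaa_identity but not in certificate: %s=%s" % rdn)
    print(scan_logs(CHARON_LOG, RADIUS_LOG))
```

Run against the strings from this thread the comparison reports no match and three RDNs present in the certificate but not in aaa_identity; the log scan shows that the identity charon compared against in the first post was a public root CA name, not the RADIUS server's DN, which is the thing to verify in ipsec.conf before looking at PKCS formats.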
 

    On Friday, 26 February 2016, 0:38, Noel Kuntze <[email protected]> 
wrote:
 

 Hello Yukou,

> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius 
> Server(Freeradius2.1.12)
>> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 
>> 'C=AAA, O=OOO, CN=TEST'
What does your config look like? Obviously, the RADIUS server only 
authenticates itself, not the authenticator.

>I installed the server's certificate in:
>ipsec.d/certs/
Where is that exactly? Are you aware that the location of ipsec.d changes
depending on the compile-time sysconfdir and prefix settings?

> When I checked with "ipsec listall", no "List of X.509 End Entity
> Certificates" item is listed.
Make sure you understand where charon thinks ipsec.d actually is.



On 25.02.2016 08:51, yukou katori wrote:
> Hi,
>
> I'm setting up an EAP-TTLS RADIUS client on StrongSwan5.3.5.
>
> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius
> Server(Freeradius2.1.12)
>
> I got the following error when the Client tries to connect.
> > Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to
> > 'C=AAA, O=OOO, CN=TEST'
>
> I installed the server's certificate in:
> ipsec.d/certs/
>
> /usr/local/etc/ipsec.d# ls certs/
> server.pem
>
> When I checked with "ipsec listall", no "List of X.509 End Entity
> Certificates" item is listed.
>
> Is the way I stored the certificate wrong?
> Or is there another reason? (e.g. not enough plugins)
>
> Regards,
>
> Log:
> Feb 25 14:41:13 tester charon: 05[TLS] negotiated TLS 1.0 using suite 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> Feb 25 14:41:13 tester charon: 05[TLS] processing TLS Handshake record (708 
> bytes)
> Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake 
> (704 bytes)
> Feb 25 14:41:13 tester charon: 05[LIB] signature verification:
> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 
> 'C=ES, O=ACCV, CN=ACCVRAIZ1'
> Feb 25 14:41:13 tester charon: 05[TLS] buffering 254 bytes, 254 bytes of 530 
> byte TLS record received
> Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658



   
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users