Re: HELP!!! Error: rlm_eap: SSL error
You can create a new RADIUS cert whenever you want. Just ensure it's signed by the same CA and has the same details, such as CN. If you want to change CA then client config changes will be needed (likewise for CN changes) ...that assumes the clients were configured properly/securely.

If it's just a client cert (EAP-TLS) then just give the client a new one.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HELP!!! Error: rlm_eap: SSL error
29.11.2011 19:54, freeradius-users-requ...@lists.freeradius.org wrote:
> options:
>
> client has wrong certificate
> client has wrong date/time set on it
> certificate has expired
>
> alan

The time is set correctly. Certificate has expired. Can I renew it without breaking? Or create a new one?
Re: HELP!!! Error: rlm_eap: SSL error
Hi,

> what's wrong? Help!
>
> Tue Nov 29 17:14:00 2011 : Auth: Login incorrect: [host/dbu14/ Auth-Type = EAP>] (from client private-network port 123 cli 00-0E-A6-B4-43-99)
> Tue Nov 29 17:16:02 2011 : Error: --> verify error:num=10:certificate has expired
> Tue Nov 29 17:16:02 2011 : Error: TLS Alert write:fatal:certificate expired
> Tue Nov 29 17:16:02 2011 : Error: TLS_accept:error in SSLv3 read client certificate B
> Tue Nov 29 17:16:02 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

options:

client has wrong certificate
client has wrong date/time set on it
certificate has expired

alan
Re: HELP!!! Error: rlm_eap: SSL error
Victor Guk wrote:
> what's wrong? Help!
> ...
> Tue Nov 29 17:16:02 2011 : Error: TLS Alert write:fatal:certificate expired

What does that line say?

Alan DeKok.
HELP!!! Error: rlm_eap: SSL error
what's wrong? Help!

Tue Nov 29 17:14:00 2011 : Auth: Login incorrect: [host/dbu14/Auth-Type = EAP>] (from client private-network port 123 cli 00-0E-A6-B4-43-99)
Tue Nov 29 17:16:02 2011 : Error: --> verify error:num=10:certificate has expired
Tue Nov 29 17:16:02 2011 : Error: TLS Alert write:fatal:certificate expired
Tue Nov 29 17:16:02 2011 : Error: TLS_accept:error in SSLv3 read client certificate B
Tue Nov 29 17:16:02 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Re: rlm_eap: SSL error
Thanks, I ended up deleting all the recently created files in /etc/raddb/certs and issuing the bootstrap command. I did have to mkdir /var/run/radiusd after I saw an error about a file radiusd was looking for there, but it works fine afterwards.

On Thu, Sep 1, 2011 at 11:53 PM, Alan DeKok wrote:
> Chad Rebuck wrote:
>> Can someone point me in the right direction on figuring this out? I'm
>> running Arch linux and I installed via "pacman -S freeradius". I
>> didn't edit any config files yet.
>
> It's supposed to build the various cert files the first time it's
> booted. If that isn't happening properly, go to raddb/certs and poke
> around there.
>
> Alan DeKok.
Re: rlm_eap: SSL error
Chad Rebuck wrote:
> Can someone point me in the right direction on figuring this out? I'm
> running Arch linux and I installed via "pacman -S freeradius". I
> didn't edit any config files yet.

It's supposed to build the various cert files the first time it's booted. If that isn't happening properly, go to raddb/certs and poke around there.

Alan DeKok.
rlm_eap: SSL error
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
radiusd: Loading Realms and Home Servers
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
  coa {
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
  }
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: Loading Clients
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
 }
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
  expiration {
    reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server { # from file /etc/raddb/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix
  unix {
    radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
    default_eap_type = "md5"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/etc/raddb/certs"
    pem_file_type = yes
    private_key_file = "/etc/raddb/certs/server.pem"
    certificate_file = "/etc/raddb/certs/server.pem"
    CA_file = "/etc/raddb/certs/ca.pem"
    private_key_password = "whatever"
    dh_file = "/etc/raddb/certs/dh"
    random_file = "/etc/raddb/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
      enable = no
      lifetime = 24
      max_entries = 255
    }
    verify {
    }
    ocsp {
      enable = no
      override_cert_url = yes
      url = "http://127.0.0.1/ocsp/";
    }
   }
rlm_eap: SSL error error::lib(0):func(0):reason(0)
rlm_eap_tls: Error loading randomness
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/default[299]: Failed to load module "eap".
/etc/raddb/sites-enabled/default[241]: Errors parsing authenticate section.
Re: rlm_eap: SSL error error on Start Up, Compile question
Jeff Stout wrote:
> I modified the /usr/local/freeradius/debian/rules and removed the
> dh_lintian reference
> under the tree “Binary Common” IS dh_lintian REQUIRED for freeradius to
> compile and
> operate correctly

Apparently not.

> under my “certs” directory I do not have a server.pem certificate (how
> do I generate it? )

raddb/certs/README

This is documented.

Alan DeKok.
rlm_eap: SSL error error on Start Up, Compile question
I am trying to install FreeRadius 2.1.8, on my initial package build I ran into issues with lintian

Running Ubuntu with 2.6.24-27-server kernel

dpkg-buildpackage -d -b -uc   (I had to use the -d option as I received dependency errors)
...
dh_installman
dh_lintian
/bin/bash: dh_lintian: command not found
make[1]: *** [binary-common] Error 127
make[1]: Leaving directory `/usr/local/freeradius'
make: *** [binary-arch] Error 2
dpkg-buildpackage: failure: debian/rules binary gave error exit status 2

I modified the /usr/local/freeradius/debian/rules and removed the dh_lintian reference under the tree "Binary Common"

IS dh_lintian REQUIRED for freeradius to compile and operate correctly

I recompiled my debian package with no errors then installed freeradius

I need to use radius with my backend LDAP Database, we are configuring 802.1X for all of our LAN switches.

dpkg -i freeradius-common_2.1.8+git_all.deb
dpkg -i libfreeradius2_2.1.8+git_i386.deb
dpkg -i freeradius_2.1.8+git_i386.deb
dpkg -i freeradius-ldap_2.1.8+git_i386.deb
dpkg -i freeradius-dialupadmin_2.1.8+git_all.deb

then when I start freeradius I get an error for rlm_eap and SSL this is when it is Instantiating the eap-tls Module.

rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
rlm_eap_tls: Error reading certificate file /etc/freeradius/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/freeradius/eap.conf[17]: Instantiation failed for module "eap"
/etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.

under my "certs" directory I do not have a server.pem certificate (how do I generate it? )

ls /etc/freeradius/certs/demoCA/index.txt.dpkg-bak serial.dpkg-bak

Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "/etc/freeradius/certs/server.pem"
    certificate_file = "/etc/freeradius/certs/server.pem"
    CA_file = "/etc/freeradius/certs/ca.pem"
    private_key_password = "whatever"
    dh_file = "/etc/freeradius/certs/dh"
    random_file = "/etc/freeradius/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/etc/freeradius/certs/bootstrap"
    cache {
      enable = no
      lifetime = 24
      max_entries = 255

any assistance with this is greatly appreciated.

Thank You
Jeff Stout
Re: Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Heivilin, Jim wrote:
> I'm seeing lots of
>
> Wed Aug 5 10:40:28 2009 : Error: TLS_accept:error in SSLv3 read client certificate A
> Wed Aug 5 10:40:28 2009 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)

That was fixed some time *way* back in the 1.1 versions.

> In my radius logs.
>
> I'm fairly certain I've done this research before but I don't have any
> notes to show management. I suspect the answer was that this is an
> openssl error and it doesn't stop radius from accepting authentications.
> However could someone point me to some details of the problem?

OpenSSL returns "error!". Then when you ask it what the error was, it says "no error!"

We fixed our code to not complain when OpenSSL returns "error, but really no error".

> We're running freeradius v1.1.4 on RHEL4.

Upgrade to 1.1.7.

Alan DeKok.
Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
I'm seeing lots of

Wed Aug 5 10:40:28 2009 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Aug 5 10:40:28 2009 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)

In my radius logs.

I'm fairly certain I've done this research before but I don't have any notes to show management. I suspect the answer was that this is an openssl error and it doesn't stop radius from accepting authentications. However could someone point me to some details of the problem?

We're running freeradius v1.1.4 on RHEL4.

Thanks,
Jim

Jim Heivilin, System Administrator, Combined Server Group, Division of IT (formerly IAT Services), University of Missouri at Columbia
mailto:ban...@missouri.edu, (573) 884-3898
Re: rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
Venkat,

Sorry for the response lag; I just noticed your post when searching for the same issue before realizing the problem.

Was your server.key really created with the password "whatever"? (Check your .../raddb/certs/server.cnf file for the "input_password" and "output_password" settings.) The "private_key_password" setting in your eap.conf file needs to match the password on the server.key (and, therefore, the "PRIVATE KEY" portion of server.pem). Otherwise, radiusd can't decrypt the key it needs to build TLS transactions.

Cheers,

-sth

sam hooker|http://www.noiseplant.com|i am between the internet
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
I.pem"
Thu Jul 17 18:04:42 2008 : Debug: CA_file = "/usr/local/etc/raddb/certs/cacert.pem"
Thu Jul 17 18:04:42 2008 : Debug: private_key_password = "whatever"
Thu Jul 17 18:04:42 2008 : Debug: dh_file = "/usr/local/etc/raddb/certs/dh"
Thu Jul 17 18:04:42 2008 : Debug: random_file = "/dev/urandom"
Thu Jul 17 18:04:42 2008 : Debug: fragment_size = 1024
Thu Jul 17 18:04:42 2008 : Debug: include_length = yes
Thu Jul 17 18:04:42 2008 : Debug: check_crl = no
Thu Jul 17 18:04:42 2008 : Debug: cipher_list = "DEFAULT"
Thu Jul 17 18:04:42 2008 : Debug: make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
Thu Jul 17 18:04:42 2008 : Debug:}
Thu Jul 17 18:04:42 2008 : Error: rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
Thu Jul 17 18:04:42 2008 : Error: rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/test_SAI.pem
Thu Jul 17 18:04:42 2008 : Error: rlm_eap: Failed to initialize type tls
Thu Jul 17 18:04:42 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
Thu Jul 17 18:04:42 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
Thu Jul 17 18:04:42 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
Thu Jul 17 18:04:42 2008 : Debug: }
Thu Jul 17 18:04:42 2008 : Debug: }
Thu Jul 17 18:04:42 2008 : Error: Errors initializing modules

--
regards,
Venkat
9885480745
'take the things and as and when the way they come ...'
Re: rlm_eap: SSL error
Hi,

please mark the difference between those two "errors":

>> Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A

(other): SSL negotiation finished successfully
rlm_eap: SSL error error::lib(0):func(0):reason(0)

The first one, which looks a bit scarier, has already been explained. The second one happens later in time with respect to the ongoing conversation between freeradius and your supplicant, when freeradius has eventually received your client certificate. So you just get to see the "error" message meaning that no error occurred.

hth
K. Hoercher
Re: rlm_eap: SSL error
On 17/01/2007, at 4:47 PM, Alan DeKok wrote:
> James Lever wrote:
>> Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
>
> That just means there's no client certificate.

Interesting given I'm only allowing EAP-TLS access to my wireless LAN (or attempting to)

Below is the log output when run in full debugging (excerpt)

--
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0be8], Certificate
chain-depth=1, error=0
--> User-Name = clientCN
--> BUF-Name = :30 2007 : Info: Ready to process requests.
--> subject = /C=AU/issuerDN
--> issuer = /C=AU/issuerDN
--> verify return:1
radius_xlat: 'clientCN'
rlm_eap_tls: checking certificate CN (clientCN) with xlat'ed value (clientCN)
chain-depth=0, error=0
--> User-Name = clientCN
--> BUF-Name = clientCN
--> subject = /C=AU/clientDN
--> issuer = /C=AU/issuerDN
--> verify return:1
TLS_accept: SSLv3 read client certificate A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
rlm_eap: SSL error error::lib(0):func(0):reason(0)
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
--

When I try to do the same with a Certificate from another CA it fails as expected.

So why does the EAP-TLS login work even though it complains that no certificate was received? Is the certificate actually validated and hence there really was no error, or is FreeRADIUS or OpenSSL authorising where it should not?

cheers,
James
Re: rlm_eap: SSL error
James Lever wrote:
...
> I'm having the much mentioned but very hard to get real information
> about error below:
>
> Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A

That just means there's no client certificate.

> Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)

OpenSSL puts a lot of effort into telling the application that there was an error, and then saying "nope, no error" when asked for more details.

> Now, the best explanation I can find on list is that it's safe to ignore
> the 3 lines of errors, which, although appears to be very accurate in
> that they have no effect on the running service, should not be there if
> they are really not errors.
>
> Can anybody explain what is actually causing these errors (and why) and
> what would be required to silence them?

Fix OpenSSL.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
rlm_eap: SSL error
Hi List,

FreeRADIUS 1.1.4 on FreeBSD (5-STABLE), Apple Airport Extreme NAS, MacBook Pro client, WPA2 Enterprise with 2k keys.

I'm having the much mentioned but very hard to get real information about error below:

Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error: :lib(0):func(0):reason(0)
Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error: :lib(0):func(0):reason(0)
Wed Jan 17 08:00:11 2007 : Auth: Login OK: [wireless-client.jamver.id.au] (from client apple-basestation port 255 cli xx-xx-xx-xx-xx-xx)

Now, the best explanation I can find on list is that it's safe to ignore the 3 lines of errors, which, although appears to be very accurate in that they have no effect on the running service, should not be there if they are really not errors.

Can anybody explain what is actually causing these errors (and why) and what would be required to silence them?

cheers,
James
rlm_eap: SSL error
Hello,

I receive the following errors :

Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
..
Error: Trying to look up name of unknown client 127.0.0.1.
..
(please see hereafter more complete log)

I'm confused by the fact that this config was working fine few days. Apparently only an upgrade of linux distribution (Fedora 5-->6) was made since last successful login.

Thanks for any clue / idea.

Cheers,
Bruno

...
Info: rlm_eap_tls: Loading the certificate file as a chain
Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Info: Ready to process requests.
Error: TLS_accept:error in SSLv3 read client certificate A
Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Info: rlm_eap_md5: Issuing Challenge
Error: Trying to look up name of unknown client 127.0.0.1.
Auth: Login OK: [acer9100/] (from client UNKNOWN-CLIENT port 0)
Auth: Login OK: [acer9100/] (from client Olitec402SG port 1 cli 00-12-F0-21-1A-B6)
...

--
Register Linux User 353844 http://counter.li.org/
--
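
A triage pass over the kinds of log lines quoted in these threads, as an added example (not code from FreeRADIUS or from any poster): it separates the lines the replies describe as harmless from the ones that stop EAP-TLS, and flags SSL errors no rule explains. The rule table, the function names and the sample lines are assumptions assembled from the messages above.

```python
import re

# radius.log prefix, e.g. "Tue Nov 29 17:16:02 2011 : Error: <message>".
PREFIX = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : \w+: (?P<msg>.*)$")

# Assumed rule table: patterns are messages quoted in the threads, causes
# paraphrase the replies given there. First match wins.
RULES = [
    (re.compile(r"certificate has expired|fatal:certificate expired"), "blocking",
     "certificate expired, or wrong date/time on the client"),
    (re.compile(r"PEM_read_bio:no start line"), "blocking",
     "private key not read; check private_key_password matches server.key"),
    (re.compile(r"fopen:No such file or directory"), "blocking",
     "certificate file missing; see raddb/certs/README"),
    (re.compile(r"Error loading randomness"), "blocking",
     "cert files not built on first start; check raddb/certs"),
    # OpenSSL reported an error but its error queue was empty. Archives strip
    # the zero code, so accept "error:00000000:", "error::" and "error: :".
    (re.compile(r"SSL error\s+error:\s*(?:0{8})?\s*:lib\(0\):func\(0\):reason\(0\)"),
     "noise", "empty OpenSSL error queue"),
    (re.compile(r"error in SSLv3 read client certificate A"), "noise",
     "no client certificate at that point"),
]


def classify(line):
    """Return (timestamp or None, verdict or None, cause or None) for one line."""
    m = PREFIX.match(line.strip())
    ts, msg = (m["ts"], m["msg"]) if m else (None, line.strip())
    for pattern, verdict, cause in RULES:
        if pattern.search(msg):
            return ts, verdict, cause
    return ts, None, None


def triage(lines):
    """Distinct blocking causes (first-seen order, with first timestamp), the
    count of noise lines, and SSL/TLS error lines that no rule explains."""
    blocking, noise, unexplained = {}, 0, []
    for line in lines:
        ts, verdict, cause = classify(line)
        if verdict == "blocking":
            blocking.setdefault(cause, ts)
        elif verdict == "noise":
            noise += 1
        elif "SSL error" in line or "TLS Alert" in line:
            # A real OpenSSL error code is never downgraded to noise.
            unexplained.append(line.strip())
    return {"blocking": list(blocking.items()), "noise": noise,
            "unexplained": unexplained}


# Constructed sample, modelled on the excerpts posted in the threads.
SAMPLE = """\
Tue Nov 29 17:16:02 2011 : Error: --> verify error:num=10:certificate has expired
Tue Nov 29 17:16:02 2011 : Error: TLS Alert write:fatal:certificate expired
Tue Nov 29 17:16:02 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE)
    for cause, ts in report["blocking"]:
        print("BLOCKING", ts or "(no timestamp)", cause)
    print("noise lines:", report["noise"])
    for line in report["unexplained"]:
        print("REVIEW", line)
```

A noise verdict only says the line carries no OpenSSL error code; whether the session was accepted still has to be read from the Auth: line that follows it.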