Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-23 Thread Imanol Fuidio
Hi Heikki,

The same problems with the certificates :(

Thanks for this suggestion,

Imanol


On Thu, Jun 19, 2014 at 9:17 PM, Heikki Vatiainen h...@open.com.au wrote:

> On 06/19/2014 12:46 AM, Imanol Fuidio wrote:
>
>> I have repeated the test on an iPhone with iOS 7 configuring a TLS
>> profile with the CA in DER format. The same problem.
>> The log is also in https://gist.github.com/ifdm001/57c03984282f33406aec
>
> Maybe you could try with the certificates that come with Radiator? See
> the certificates/ directory in the distribution. Those certificates have
> been used with EAP-TLS, so they could help building an initial working
> configuration before switching to different certificates.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.




-- 

Imanol Fuidio Díaz-Maroto

Fon Labs
RD engineer imanol.fui...@fon.com
skype: imanol.fon
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-19 Thread Heikki Vatiainen
On 06/19/2014 12:46 AM, Imanol Fuidio wrote:

> I have repeated the test on an iPhone with iOS 7 configuring a TLS
> profile with the CA in DER format. The same problem.
> The log is also in https://gist.github.com/ifdm001/57c03984282f33406aec

Maybe you could try with the certificates that come with Radiator? See
the certificates/ directory in the distribution. Those certificates have
been used with EAP-TLS, so they could help building an initial working
configuration before switching to different certificates.

Thanks,
Heikki

-- 
Heikki Vatiainen h...@open.com.au



[RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-18 Thread Imanol Fuidio
Hi everyone,

In the company we have performed some tests on EAP TLS.
We are using Radiator-4.13 with the goodie eap_tls.cfg.

We have created self-signed certificates through the script: script.sh
(You can find the script, as well as the certificates in
https://gist.github.com/ifdm001/57c03984282f33406aec )

During the tests, we have installed the cert-clt.p12 cert file on a Galaxy
S3 with Android 4.1.2.
We have also installed the CA file cacert.pem.

The WiFi configuration is: EAP method TLS, Phase 2 PAP, User certificate,
Identity user

We also have added the identity user to the file database.

When we have not configured the CA file in the WiFi configuration profile,
everything works. It is strange that there is no message from Android saying
that the server certificate will not be verified; also, there is no
checklist option to validate this (as there is in Microsoft, see
https://support.microsoft.com/kb/814394).

When we configure the CA file in the WiFi configuration profile on the
Android phone, we found the following error in Radiator:

Wed Jun 18 11:49:35 2014: DEBUG: Handling request with Handler
'Realm=DEFAULT', Identifier ''
Wed Jun 18 11:49:35 2014: DEBUG:  Deleting session for user, 10.1.0.9,
Wed Jun 18 11:49:35 2014: DEBUG: Handling with Radius::AuthFILE:
Wed Jun 18 11:49:35 2014: DEBUG: Handling with EAP: code 2, 255, 200, 13
Wed Jun 18 11:49:35 2014: DEBUG: Response type 13
Wed Jun 18 11:49:35 2014: DEBUG: Certificate Subject Name is
/C=ES/ST=Biscay/L=Getxo/O=Fon/OU=Fon Labs/CN=user
Wed Jun 18 11:49:35 2014: DEBUG: Matched certificate CN user with User-Name
user or identity user
Wed Jun 18 11:49:35 2014: DEBUG: Reading users file ./users
Wed Jun 18 11:49:35 2014: DEBUG: Radius::AuthFILE looks for match with user
[user]
Wed Jun 18 11:49:35 2014: DEBUG: Radius::AuthFILE ACCEPT: : user [user]
Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1, 1, 8592, 0,  22411: 1 -
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Wed Jun 18 11:49:35 2014: DEBUG: EAP Failure, elapsed time 0.179251
Wed Jun 18 11:49:35 2014: DEBUG: EAP result: 1, EAP TLS error
Wed Jun 18 11:49:35 2014: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
Wed Jun 18 11:49:35 2014: INFO: Access rejected for user: EAP TLS error
Wed Jun 18 11:49:35 2014: DEBUG: Packet dump:
*** Sending to 10.1.0.9 port 54719 
Code:   Access-Reject
Identifier: 189
Authentic:
 194153-2042001218917616819624180148210i
Attributes:
EAP-Message = 425504
Message-Authenticator = 
Reply-Message = Request Denied

The full log is in the eap_tls.log file, also in
https://gist.github.com/ifdm001/57c03984282f33406aec

We will be grateful for any help with this problem.

Thanks,

Imanol

-- 

Imanol Fuidio Díaz-Maroto

Fon Labs
RD engineer imanol.fui...@fon.com
skype: imanol.fon
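
An added example, not part of the original post and not Radiator code: a short Python triage script that rejoins Radiator log records wrapped in transit and unpacks the OpenSSL error code carried in an `EAP TLS error` record. It assumes the OpenSSL 1.0.x error-code bit layout; the function names and the small reason table are chosen for this illustration, and the sample lines are constructed in the shape of the log above.

```python
import re

TS = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): ")
TLS_ERR = re.compile(r"ERR: EAP TLS error: .*?error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
SUBJECT = re.compile(r"DEBUG: Certificate Subject Name is (.+)$")

# Reason numbers from OpenSSL 1.0.x ssl.h (small subset, for illustration).
SSL_REASONS = {0x086: "certificate verify failed",
               0x10B: "wrong version number",
               0x418: "tlsv1 alert unknown ca"}

def unwrap(raw):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in raw.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def unpack(code):
    """OpenSSL 1.0.x ERR_PACK layout: 8-bit library, 12-bit function, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(raw):
    """Return one finding per EAP TLS error, with the last certificate subject seen."""
    findings, subject = [], None
    for rec in unwrap(raw):
        ts = TS.match(rec)
        if (m := SUBJECT.search(rec)):
            subject = m.group(1)
        elif (m := TLS_ERR.search(rec)):
            lib, func, reason = unpack(int(m.group(1), 16))
            findings.append({"when": ts.group(1) if ts else None, "subject": subject,
                             "lib": lib, "func": func, "reason": reason,
                             "text": m.group(4).strip(),
                             "known": SSL_REASONS.get(reason)})
    return findings

# Constructed sample in the wrapped form a mail client produces.
SAMPLE = """\
Wed Jun 18 11:49:35 2014: DEBUG: Certificate Subject Name is
/C=ES/ST=Biscay/L=Getxo/O=Fon/OU=Fon Labs/CN=user
Wed Jun 18 11:49:35 2014: DEBUG: Radius::AuthFILE ACCEPT: : user [user]
Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1, 1, 8592, 0,  22411: 1 -
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""
```

Calling `triage(SAMPLE)` yields library 20 (SSL), function 143 and reason 267 for code 1408F10B; a `known` value that differs from `text` would mean the numeric code and the logged message disagree.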

Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-18 Thread Heikki Vatiainen
On 06/18/2014 02:04 PM, Imanol Fuidio wrote:

> The WiFi configuration is: EAP method TLS, Phase 2 PAP, User
> certificate, Identity user

Phase 2 PAP looks odd. This would make sense with EAP-TTLS, but I am not
sure what it could mean with EAP-TLS.

> Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1, 1, 8592, 0,  22411: 1
> - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Can you try with other settings for Phase 2, such as none, off or
something else to turn off any Phase 2 authentication? I'd say the
above message might come from something that the client adds and appears
as a bad TLS record to the server.

Thanks,
Heikki

-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-18 Thread Imanol Fuidio
Hi Heikki,

The same test repeated with Second Phase as none and the same problem.
As you have said, this should have nothing to do with EAP TLS.

I have repeated the test on an iPhone with iOS 7 configuring a TLS profile
with the CA in DER format. The same problem.
The log is also in https://gist.github.com/ifdm001/57c03984282f33406aec

Thanks for the contribution,

Imanol


On Wed, Jun 18, 2014 at 10:05 PM, Heikki Vatiainen h...@open.com.au wrote:

> On 06/18/2014 02:04 PM, Imanol Fuidio wrote:
>
>> The WiFi configuration is: EAP method TLS, Phase 2 PAP, User
>> certificate, Identity user
>
> Phase 2 PAP looks odd. This would make sense with EAP-TTLS, but I am not
> sure what it could mean with EAP-TLS.
>
>> Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1, 1, 8592, 0,  22411: 1
>> - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> Can you try with other settings for Phase 2, such as none, off or
> something else to turn off any Phase 2 authentication? I'd say the
> above message might come from something that the client adds and appears
> as a bad TLS record to the server.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen h...@open.com.au





-- 

Imanol Fuidio Díaz-Maroto

Fon Labs
RD engineer imanol.fui...@fon.com
skype: imanol.fon