On 04/18/2011 11:46 PM, Johnson, Neil M wrote:
> What does this error message mean?

The client is rejecting Radiator's certificate. If you search the mailing lists, there are a couple of suggestions why this happens.

If this is a Windows client, see this for a likely reason:
http://technet.microsoft.com/en-us/library/cc731363.aspx

When certs are created with OpenSSL, the extension mentioned above is specified like this:

    extendedKeyUsage = serverAuth

When printing the cert as text with OpenSSL, the extension looks like this:

    X509v3 extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication

> Mon Apr 18 11:49:20 2011: DEBUG: Packet dump:
> *** Received from 160.36.188.8 port 60075 ....
> Code: Access-Request
> Identifier: 8
> Authentic: <223><19>2<243>Dw<11>D<23><167><17><194><170>}%<242>
> Attributes:
>     User-Name = "troes...@uiowa.edu"
>     Calling-Station-Id = "00-13-e8-83-83-61"
>     Called-Station-Id = "00-24-97-f2-a7-70:eduroam"
>     NAS-Port = 1
>     NAS-IP-Address = 206.196.182.10
>     NAS-Identifier = "wlan0-smm"
>     Airespace-WLAN-Id = 2
>     Service-Type = Framed-User
>     Framed-MTU = 1300
>     NAS-Port-Type = Wireless-IEEE-802-11
>     EAP-Message = <2><9><0>/<25><128><0><0><0>%<21><3><1><0>
> <30><175>N<205><10><166><154>Z<252><26><208><15>E7<177><145><241><176><141><172><8>
> <174>n<22><20><11>`\Q5<14>
>     Message-Authenticator =
> X<201><233><3><209>M<237><208>I<248><213><14>Cv<198><182>
>
> Mon Apr 18 11:49:20 2011: DEBUG: Handling request with Handler
> 'Client-Identifier=eduroam, Realm=/uiowa\.edu$/i ', Identifier ''
> Mon Apr 18 11:49:20 2011: DEBUG: PreProcessing Hook: called.
> Mon Apr 18 11:49:20 2011: DEBUG: Deleting session for troes...@uiowa.edu,
> 206.196.182.10, 1
> Mon Apr 18 11:49:20 2011: DEBUG: Handling with Radius::AuthFILE:
> Mon Apr 18 11:49:20 2011: DEBUG: Handling with EAP: code 2, 9, 47, 25
> Mon Apr 18 11:49:20 2011: DEBUG: Response type 25
> Mon Apr 18 11:49:20 2011: ERR: EAP PEAP TLS read failed: 2244: 1 -
> error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
>
> Mon Apr 18 11:49:20 2011: DEBUG: EAP result: 1, EAP PEAP TLS read failed
> Mon Apr 18 11:49:20 2011: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS
> read failed
> Mon Apr 18 11:49:20 2011: INFO: Access rejected for troes...@uiowa.edu: EAP
> PEAP TLS read failed
> Mon Apr 18 11:49:20 2011: DEBUG: Packet dump:
> *** Sending to 160.36.188.8 port 60075 ....
> Code: Access-Reject
> Identifier: 8
> Authentic: <182><255><27>k<254><14><206>A^ca<244>=<5><131>r
> Attributes:
>     Reply-Message = "Request Denied"
>

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
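
Added example, not part of the original message or of Radiator: a shell check that a server certificate carries the serverAuth Extended Key Usage described in the reply above, run against two self-signed test certificates generated on the spot. The host name radius.example.org, the file names and the function names are constructed for the demo, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: check a RADIUS server certificate for the serverAuth EKU.
# Host name, file names and function names are constructed for this demo.

# make_cert <dir> <name> <eku-line>: write a self-signed test certificate to
# <dir>/<name>.pem. <eku-line> is put in the extension section; may be empty.
make_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = radius.example.org
[ext]
basicConstraints = CA:FALSE
$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# has_server_auth <cert.pem>: succeed only if the text dump has an
# "X509v3 Extended Key Usage" line followed by a purpose line that lists
# "TLS Web Server Authentication".
has_server_auth() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 Extended Key Usage/ {
            getline
            if (/TLS Web Server Authentication/) found = 1
        }
        END { exit !found }'
}

# report <cert.pem>: print a one-line verdict for the certificate.
report() {
    if has_server_auth "$1"; then
        echo "$1: serverAuth present"
    else
        echo "$1: serverAuth missing, a likely reason for the client to reject it"
    fi
}

demo_dir=$(mktemp -d)
make_cert "$demo_dir" good 'extendedKeyUsage = serverAuth'
make_cert "$demo_dir" bad ''
report "$demo_dir/good.pem"
report "$demo_dir/bad.pem"
```

To check a real deployment, call report on the PEM file that the RADIUS server presents to clients.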