Radius certificate login problem


This topic contains 1 reply, has 0 voices, and was last updated by  dread_ire 6 years, 3 months ago.

  • #41627

    dread_ire
    Member

    I have Zeroshell running in a VM and I have it configured as a Radius server to authenticate my WiFi network. I am using EAP-TLS with certificates for the authentication and up till today it was working fine. I can authenticate with PEAP with no problem but when I try authenticating with the certificate I get this error:

    23:12:56 –> verify error:num=12:CRL has expired
    23:12:56 TLS Alert write:fatal:certificate expired
    23:12:56 TLS_accept:error in SSLv3 read client certificate B
    23:12:56 rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    23:12:56 rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
    23:12:56 Login incorrect: [marilee] (from client DD-WRT port 61 cli 001a73dd9777)

    I have renewed the client certificate and reimported it to the laptop but that had no effect. I don’t think the server certificate is broken because PEAP works fine. I don’t see anywhere to renew the CRL, other than to revoke and renew the CA certificate. Any help would be appreciated.

    One final thing: I did see in another post about problems with clock synchronization. So I checked the system clock and the Zeroshell VM clock and compared with the laptop and it's all within a couple of seconds. So I don’t think there is a time problem.

    #48006

    I’ll never understand why anyone would use this encryption who doesn’t work for the government or an armed forces group.

    Certificate based authentication can get really tricky.
    First check your CRL in zeroshell.
    Check your host certificates valid NOT BEFORE:NOT AFTER DATES
    Check your dates and times on your test machines PC/Server
    Check your certificate stores to verify the certificates are installed in the right places
    Check for duplicate certificates with similar names that may cause conflicts
    Recreate your vpn connectoid with a different name
    Try unchecking simple certificate selection and specify your own during connection start
    Try unchecking Validate server certificate to identify if it’s a certificate challenge error

    EAP-MD5, LEAP, EAP-TLS, EAP-TTLS, PEAP are only fun to have when they’re working right.

    More information is needed to concentrate troubleshooting.

    #48007

    cdpearce
    Participant

    I know this is an old thread, but I recently experienced the same problem. I’m running 2.0.RC1.

    Examining the CRL showed that it had recently been renewed around the time that it started to be reported as expired. Somehow the renewal of the CRL did not get communicated to the running instance of the RADIUS server.

    I found the simplest workaround is to disable and then enable the RADIUS service, which I guess caused the renewed CRL to be read.
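
In the log from the first post, OpenSSL reports verify error 12 (CRL has expired), but the TLS alert that follows reads "certificate expired", which points at the client certificate instead of the CRL. The Python below is an added example, not part of the thread or of ZeroShell: it attributes each failed login to the verify error number logged just before it. The log lines after the first six, the usernames alice and bob, and the suggested-action wording are constructed for illustration.

```python
import re

# OpenSSL X.509 verify error numbers -> (cause, suggested action).
# The actions are this example's wording, not ZeroShell or FreeRADIUS output.
VERIFY_ERRORS = {
    9: ("client certificate not yet valid", "check clocks and notBefore"),
    10: ("client certificate expired", "renew the client certificate"),
    11: ("CRL not yet valid", "check the RADIUS server clock"),
    12: ("CRL expired", "renew the CRL, then restart RADIUS to re-read it"),
    23: ("client certificate revoked", "issue a new client certificate"),
}
VERIFY_RE = re.compile(r"verify error:num=(\d+):(.*)$")
LOGIN_RE = re.compile(r"Login incorrect: \[([^\]]*)\]")

# First six lines are from the first post; the remaining four are constructed.
SAMPLE_LOG = """\
23:12:56 –> verify error:num=12:CRL has expired
23:12:56 TLS Alert write:fatal:certificate expired
23:12:56 TLS_accept:error in SSLv3 read client certificate B
23:12:56 rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
23:12:56 rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
23:12:56 Login incorrect: [marilee] (from client DD-WRT port 61 cli 001a73dd9777)
23:40:02 --> verify error:num=10:certificate has expired
23:40:02 TLS Alert write:fatal:certificate expired
23:40:02 Login incorrect: [alice] (from client DD-WRT port 62 cli 000000000001)
23:41:10 Login incorrect: [bob] (from client DD-WRT port 63 cli 000000000002)
"""

def triage(lines):
    """Attribute each failed login to the verify error logged just before it."""
    findings, pending = [], None
    for line in lines:
        m = VERIFY_RE.search(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
        elif (m := LOGIN_RE.search(line)):
            num, text = pending or (None, "no verify error logged")
            cause, action = VERIFY_ERRORS.get(num, (text, "inspect the debug log"))
            findings.append({"user": m.group(1), "num": num,
                             "cause": cause, "action": action})
            pending = None  # a verify error belongs to one login attempt only
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['user']}: {f['cause']} -> {f['action']}")
```
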
