www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices

Radius certificate login problem


Joined: 11 Apr 2009
Posts: 1

Posted: Sat Apr 11, 2009 4:03 pm    Post subject: Radius certificate login problem

I have Zeroshell running in a VM and I have it configured as a Radius server to authenticate my WiFi network. I am using EAP-TLS with certificates for the authentication and up till today it was working fine. I can authenticate with PEAP with no problem but when I try authenticating with the certificate I get this error:

23:12:56 --> verify error:num=12:CRL has expired
23:12:56 TLS Alert write:fatal:certificate expired
23:12:56 TLS_accept:error in SSLv3 read client certificate B
23:12:56 rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
23:12:56 rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
23:12:56 Login incorrect: [marilee] (from client DD-WRT port 61 cli 001a73dd9777)

I have renewed the client certificate and reimported it to the laptop but that had no effect. I don't think the server certificate is broken because PEAP works fine. I don't see anywhere to renew the CRL, other than to revoke and renew the CA certificate. Any help would be appreciated.

One final thing: I did see another post about problems with clock synchronization. So I checked the system clock and the Zeroshell VM clock and compared with the laptop, and it's all within a couple of seconds. So I don't think there is a time problem.

Joined: 30 Aug 2008
Posts: 80

Posted: Thu May 07, 2009 2:38 am    Post subject: EAP-TLS

I'll never understand why anyone would use this encryption who doesn't work for the government or an armed forces group.

Certificate based authentication can get really tricky.
First check your CRL in zeroshell.
Check your host certificates' valid NOT BEFORE:NOT AFTER dates
Check your dates and times on your test machines PC/Server
Check your certificate stores to verify the certificates are installed in the right places
Check for duplicate certificates with similar names that may cause conflicts
Recreate your VPN connectoid with a different name
Try unchecking simple certificate selection and specify your own during connection start
Try unchecking Validate server certificate to identify if it's a certificate challenge error

EAP-MD5, LEAP, EAP-TLS, EAP-TTLS, PEAP are only fun to have when they're working right.

More information is needed to concentrate troubleshooting.

Joined: 27 Jan 2012
Posts: 23

Posted: Sat Jan 12, 2013 2:02 am

I know this is an old thread, but I recently experienced the same problem. I'm running 2.0.RC1.

Examining the CRL showed that it had recently been renewed around the time that it started to be reported as expired. Somehow the renewal of the CRL did not get communicated to the running instance of the RADIUS server.

I found the simplest workaround is to disable and then enable the RADIUS service, which I guess caused the renewed CRL to be read.
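The check below is an added example, not part of the original thread: it classifies the situation from the last post (CRL renewed on disk while the running RADIUS server still reports "CRL has expired") by comparing the CRL's dates with the daemon's start time. It assumes the daemon reads the CRL only at startup, as the poster guessed; the function names, status strings and sample dates are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of: openssl crl -in <crl.pem> -noout -lastupdate -nextupdate
SAMPLE_CRL_DATES = """\
lastUpdate=Jan 10 00:00:00 2013 GMT
nextUpdate=Feb  9 00:00:00 2013 GMT
"""


def parse_crl_dates(openssl_text):
    """Return (lastUpdate, nextUpdate) as UTC datetimes from openssl's text output."""
    dates = {}
    for line in openssl_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            # OpenSSL pads single-digit days ("Feb  9"); collapse the whitespace first.
            parsed = datetime.strptime(" ".join(value.split()),
                                       "%b %d %H:%M:%S %Y GMT")
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if set(dates) != {"lastUpdate", "nextUpdate"}:
        raise ValueError("expected both lastUpdate and nextUpdate lines")
    return dates["lastUpdate"], dates["nextUpdate"]


def crl_status(openssl_text, daemon_started, now):
    """Classify why certificate logins may fail with 'CRL has expired'.

    daemon_started: when the RADIUS process was launched (assumption: taken
    from the process table by the caller). All datetimes must be UTC-aware.
    """
    last_update, next_update = parse_crl_dates(openssl_text)
    if now < last_update:
        return "not-yet-valid"    # local clock is behind the CA's clock
    if now >= next_update:
        return "expired-on-disk"  # the CA has to issue a fresh CRL
    if daemon_started < last_update:
        return "stale-in-daemon"  # file is fine, the process loaded an older CRL
    return "ok"


if __name__ == "__main__":
    started = datetime(2012, 12, 20, tzinfo=timezone.utc)  # constructed value
    now = datetime(2013, 1, 12, 2, 0, tzinfo=timezone.utc)
    print(crl_status(SAMPLE_CRL_DATES, started, now))
```

A "stale-in-daemon" result corresponds to the workaround in the last post: restarting the RADIUS service so the renewed CRL is read.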
All times are GMT