[help] Mikrotik WDS + WPA2-EAP TLS + FreeRadius = failure

Alan DeKok aland at deployingradius.com
Fri Sep 17 15:19:31 CEST 2010


Denis Iskandarov wrote:
> I really appreciate your help but I can't understand some things.
> Okay, let me ask some questions based on your very first answer.
> So the supplicant is sending some wrong packet, or is something wrong with its certificate?

  Possibly.

> AP configured to use EAP-TLS and "passthrough" all eap requests to my
> freeradius.
> Client has its client certificate.

  You've said that a lot.  There's no need to repeat it.

> I've generated 3 certificates with OpenSSL: cacert.pem,
> server-keycert.pem and client-keycert.pem (with xpextensions, but this
> is optional for XP clients).
> The CA and server certs seem to be working because TTLS is working fine.

  Did you use the scripts in raddb/certs to create the certificates?  If
no, why not?  Those scripts work, and create certificates that work.

>> The supplicant is broken.  It's sending an EAP-Identity field with no
>> data:
> 
> Where is the "EAP-Identity field" generated? What do I have to check?

  It's generated by the supplicant.  I said this already.

> Other question, should these lines be uncommented:
>  check_cert_issuer = "/C=ZZ/ST=Yyyyy/L=yyyyy/O=Xxx"
>  or
>  check_cert_cn = %{User-Name}
> 
> or those are optional and by default some other fields are used for
> authentication?

  This is all documented in the comments in eap.conf, and the various
EAP-TLS "howtos".

> Also, what should I insert in user.conf (in daloRADIUS db in my
> case)... which user or password should be used? Or is TLS not used
> with a database, and I can't track WiFi link users with EAP-TLS through
> db and daloRADIUS?

  TLS doesn't use passwords.  This is how TLS works, and is documented
in many places.

  i.e. FreeRADIUS includes documentation on RADIUS.  It doesn't describe
how EAP-TLS works, or how certificates are created.  That is *other*
software, written by *other* people.

  Alan DeKok.
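
The empty EAP-Identity diagnosis quoted above can be checked directly on the bytes of an EAP-Message attribute. The following is an added example, not part of the original post or of FreeRADIUS: the function names and the two sample packets are constructed for illustration, and it assumes the attribute value is available as 0x-prefixed hex.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1  # RFC 3748, section 5.1


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet (RFC 3748 section 4) and validate its length."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes; packet is truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(f"EAP length {length} does not fit {len(packet)} bytes")
    result = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
              "type": None, "data": b""}
    # Success/Failure carry no Type field; Request/Response must have one.
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        result["type"] = packet[4]
        result["data"] = packet[5:length]  # bytes past Length are padding
    return result


def empty_identity(packet: bytes) -> bool:
    """True when the packet is an EAP-Response/Identity with zero-length data."""
    p = parse_eap(packet)
    return (p["code"] == "Response"
            and p["type"] == EAP_TYPE_IDENTITY
            and not p["data"])


def from_debug_hex(text: str) -> bytes:
    """Convert a 0x-prefixed (or bare) hex string to bytes (assumed input form)."""
    text = text.strip()
    return bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)


# Constructed samples, not taken from the thread.
GOOD = from_debug_hex("0x0201000a01616c696365")  # Response/Identity "alice"
BAD = from_debug_hex("0x0201000501")             # Response/Identity, no data

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        print(name, parse_eap(pkt), "empty identity:", empty_identity(pkt))
```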


