Freeradius2 and OSX clients no TLS

Luke Hammond luke at dezignbrasil.com
Sat Mar 5 19:27:14 CET 2011


Cool, well if you need that part, I have CoovaChilli running quite 
nicely. I thought that Freeradius had its own captive portal, but 
couldn't see any way to get it working.

On 5/03/2011 3:08 PM, Guy wrote:
> That comes later! :)
>
> --Guy
>
> On 5 Mar 2011, at 17:56, Luke Hammond wrote:
>
>> Ahh ok. Thanks. Thought you were talking about a captive portal.
>>
>> On 5/03/2011 2:39 PM, Guy wrote:
>>> It wasn't Freeradius providing the login window, it was OSX... trying to log on to the WiFi network
>>>
>>> --Guy
>>>
>>> On 5 Mar 2011, at 17:26, Luke Hammond wrote:
>>>
>>>> Just a side question, how did you get Freeradius to give you a login window? I tried this and couldn't see how to get it to work, so had to use another portal for this.
>>>>
>>>>
>>>> On 5/03/2011 2:10 PM, Gary Gatten wrote:
>>>>> FR just does what it's told. I think the settings need to be changed on your wireless gear.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: Guy [mailto:guy at britewhite.net]
>>>>> Sent: Saturday, March 05, 2011 10:46 AM
>>>>> To: freeradius-users at lists.freeradius.org<freeradius-users at lists.freeradius.org>
>>>>> Subject: Freeradius2 and OSX clients no TLS
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and I have it basically working.  My iPhone/iPad are able to authenticate and connect via the base station.  However, my Mac (OSX 10.6 Snow Leopard) laptops are having issues.
>>>>>
>>>>> I do not want to push out Client certificates to the laptops. I also do not want people to have to perform any customisations on the clients.
>>>>>
>>>>> When the laptop attempts to join the network I get a nice login window, with username/password. This is fine.  However, without playing with the network settings (802.1x settings), I'm not able to join the network because I do not have a client cert:
>>>>>
>>>>> Sat Mar  5 16:21:28 2011 : Error: -->    verify error:num=19:self signed certificate in certificate chain
>>>>> Sat Mar  5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA
>>>>> Sat Mar  5 16:21:28 2011 : Error:     TLS_accept:error in SSLv3 read client certificate B
>>>>> Sat Mar  5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>>>> Sat Mar  5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>>>>> Sat Mar  5 16:21:28 2011 : Auth: Login incorrect: [guy/<via Auth-Type = EAP>] (from client extreme port 0 cli 00-19-E3-E1-BA-C5)
>>>>>
>>>>>
>>>>> However, if I do change the 802.1x settings on the Mac to not try and do TLS, then I'm able to connect just fine, either by PEAP or TTLS.
>>>>>
>>>>> So finally my question... How can I reconfigure Radius to not try and offer TLS or if it does offer TLS to not die if a cert is not presented??
>>>>>
>>>>> I have tried some suggestions such as commenting out the CA in the eap.conf file, but still I fail to pass the TLS.
>>>>>
>>>>> Thanks
>>>>>
>>>>> ---Guy
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

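Added example, not part of the original thread and not FreeRADIUS code: a small Python triage script that pairs the TLS error lines quoted in the post with the rejected login that follows them, so a handshake that failed at the client-certificate stage can be told apart from a plain bad password. The function name `triage`, the adjacency heuristic and the final `Login OK` sample line are assumptions made for the illustration.

```python
import re

# The six log lines quoted in the post, followed by one constructed
# "Login OK" line (not from the post) for contrast.
SAMPLE_LOG = """\
Sat Mar  5 16:21:28 2011 : Error: -->    verify error:num=19:self signed certificate in certificate chain
Sat Mar  5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA
Sat Mar  5 16:21:28 2011 : Error:     TLS_accept:error in SSLv3 read client certificate B
Sat Mar  5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Mar  5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sat Mar  5 16:21:28 2011 : Auth: Login incorrect: [guy/<via Auth-Type = EAP>] (from client extreme port 0 cli 00-19-E3-E1-BA-C5)
Sat Mar  5 16:25:02 2011 : Auth: Login OK: [guy/<via Auth-Type = EAP>] (from client extreme port 0 cli 00-19-E3-E1-BA-C5)
"""

LINE = re.compile(r"^\w{3} \w{3} [ \d]\d [\d:]{8} \d{4} : (\w+): (.*)$")
AUTH = re.compile(r"Login (incorrect|OK): \[([^/\]]+)[^\]]*\] "
                  r"\(from client (\S+) port \d+(?: cli ([0-9A-Fa-f-]+))?\)")
SIGNALS = {
    "verify_error": re.compile(r"verify error:num=(\d+):(.*)"),
    "tls_alert": re.compile(r"TLS Alert (?:write|read):(\w+):(.*)"),
    "ssl_error": re.compile(r"SSL error error:[0-9A-F]+:[^:]*:([^:]+):(.*)"),
}

def triage(log_text):
    """Return one record per rejected login, with the TLS errors logged before it.

    Assumption: Error lines carry no session id, so they are attributed to the
    next Auth line; on a busy server interleaved sessions can be mis-attributed.
    """
    rejected, pending = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a radius.log line in the format shown in the post
        level, msg = m.groups()
        if level == "Error":
            for name, rx in SIGNALS.items():
                hit = rx.search(msg)
                if hit:
                    pending[name] = hit.groups()
            if "read client certificate" in msg:
                pending["client_cert_stage"] = True  # server was waiting for a client cert
        elif level == "Auth":
            a = AUTH.search(msg)
            if a and a.group(1) == "incorrect":
                rejected.append({"user": a.group(2), "nas": a.group(3),
                                 "mac": a.group(4), **pending})
            pending = {}  # errors belong to at most one login attempt
    return rejected
```

A record with `client_cert_stage` set and no password-related error points at the EAP method negotiated rather than at the user's credentials.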

