Failure with "TLS authentication" and "Freeradius on Fedora-17"

John Dennis jdennis at redhat.com
Wed Jan 9 03:59:13 CET 2013


On 01/08/2013 03:53 PM, Ajay Garg wrote:
>
>
> On Tue, Jan 8, 2013 at 6:45 PM, John Dennis <jdennis at redhat.com
> <mailto:jdennis at redhat.com>> wrote:
>
>     On 01/08/2013 05:10 AM, Ajay Garg wrote:
>
>         Could you please specify the order of scripts to be run, so that
>         proper certificates may be generated - both for the server, and
>         the client? :P
>
>
>     You were given the answer. It's not just a matter of running the
>     scripts it also requires knowing what the scripts output and how to
>     configure *both* the client and the server with the script output.
>
>     You've never explained what you're doing in any detail, especially
>     with regard to where you're generating the client cert. In a
>     previous email I explained what the server needs and what the client
>     needs. Now you're going to have to put that information to use. You
>     really do have to invest the energy into learning how the pieces fit
>     together.
>
>
> Ok.. so here goes what I have been wanting to accomplish :P
>
>
> ROUTER-SIDE ::
> ===========
>
> a)
> Configure the router to do WPA/WPA2-Enterprise authentication.
>
> b)
> The authentication is to be done via a freeradius-server.
>
> c)
> I connect a wired-cable between the router and the
> freeradius-server-machine, to have a physical medium via which the
> router and the server may talk.
>
>
> SERVER-SIDE ::
> ===========
>
> a)
> Freeradius-server is running on Fedora-17 (freeradius-2.2.0-0.fc17.i686)
>
> b)
> After installing freeradius,  the certificates are generated via (on
> Fedora-17 machine) ::
>
>     su -
>     rm /etc/raddb/modules/dhcp_sqlippool
>     cd /etc/raddb/certs
>     make destroycerts
>     make
>     make client
>     chmod 0644 client.p12
>     chmod 0644 ca.pem
>
> c)
> Now, the freeradius is started on the Fedora-17 machine as ::
>
>     sudo /usr/sbin/radiusd -X &
>
> Server runs fine.
>
>
>
> CLIENT-SIDE ::
> ===========
>
> a)
> THE SAME FEDORA-17 MACHINE ACTS AS THE CLIENT TOO :)
>
> b)
> Now, from the gnome-panel applet, I try connecting to the WPA/WPA-2
> Enterprise network, by setting the following settings ::
>
>     Wireless Security     : WPA/WPA2-Enterprise
>     Authentication        : TLS
>     Identity              : Anonymous
>     User Certificate      : /etc/raddb/certs/client.p12
>     CA Certificate        : /etc/raddb/certs/ca.pem
>     Private Key           : /etc/raddb/certs/client.p12
>     Private Key Password  : whatever
>
>
> c)
> I click the "Connect" button.....
>
>
>
> and then the dreaded logs happen :(

Thank you, that is a much clearer explanation.

The first thing I notice is you're pointing the client to files in a 
directory owned by the server. Everything from /etc/raddb and below is 
readable only by root:radiusd for security reasons (you don't want to 
expose the configuration of an authentication server to the world).

I suspect the code which reads the client cert files is running under 
your uid and is not a process with root privileges thus it can't read 
the cert files. I would try copying the client cert files to an 
alternate location, reset their permissions and try again.


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
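The fix John suggests, staging the client credentials outside the server's directory with permissions the user's supplicant can live with, as an added shell example that is not part of the original thread. The source directory, the destination directory and the exact modes (0600 for the key bundle, 0644 for the CA cert, 0700 for the directory) are assumptions; /etc/raddb itself is left untouched.

```shell
#!/bin/sh
# Added example (not from the mailing list): copy EAP-TLS client files out of
# the radiusd-owned tree so a process running under the user's uid can read them.

# stage_client_certs SRC_DIR DEST_DIR
#   SRC_DIR  - where `make client` put client.p12 and ca.pem
#              (assumed: /etc/raddb/certs; reading it needs root)
#   DEST_DIR - a directory owned by the invoking user (assumed, e.g. under $HOME)
# The private-key bundle becomes 0600 and the CA cert 0644; the directory 0700.
stage_client_certs() {
    src="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    chmod 0700 "$dest" || return 1
    for f in client.p12 ca.pem; do
        if [ ! -r "$src/$f" ]; then
            # Same symptom the supplicant hits: /etc/raddb is root:radiusd only.
            echo "cannot read $src/$f as uid $(id -u); copy as root instead" >&2
            return 1
        fi
    done
    cp "$src/client.p12" "$dest/client.p12" && chmod 0600 "$dest/client.p12" || return 1
    cp "$src/ca.pem"     "$dest/ca.pem"     && chmod 0644 "$dest/ca.pem"     || return 1
    return 0
}

# file_mode PATH -> octal permission bits, e.g. 600 (GNU stat, Linux)
file_mode() {
    stat -c %a "$1"
}

# Typical run (as root), then chown the result to the desktop user:
#   stage_client_certs /etc/raddb/certs /home/USER/.cert && chown -R USER: /home/USER/.cert
```

Point the NetworkManager TLS settings at the copies in DEST_DIR rather than at /etc/raddb/certs.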
