Failure with "TLS authentication" and "Freeradius on Fedora-17"
Ajay Garg
ajaygargnsit at gmail.com
Wed Jan 9 07:15:33 CET 2013
John,
I changed the sequence in step b) of "SERVER-SIDE" as ::
su -
rm /etc/raddb/modules/dhcp_sqlippool
cd /etc/raddb/certs
make destroycerts
make
make client
cp client.p12 /home/ajay
cp ca.pem /home/ajay
chmod 0644 /home/ajay/client.p12
chmod 0644 /home/ajay/ca.pem
chown ajay.ajay /home/ajay/client.p12
chown ajay.ajay /home/ajay/ca.pem
However, I get the exact same earlier dreaded logs :(
On Wed, Jan 9, 2013 at 8:29 AM, John Dennis <jdennis at redhat.com> wrote:
> On 01/08/2013 03:53 PM, Ajay Garg wrote:
>
>>
>>
>> On Tue, Jan 8, 2013 at 6:45 PM, John Dennis <jdennis at redhat.com
>> <mailto:jdennis at redhat.com>> wrote:
>>
>> On 01/08/2013 05:10 AM, Ajay Garg wrote:
>>
>> Could you please specify the order of scripts to be run, so that
>> proper
>> certificates may be generated - both for the server, and the
>> client? :P
>>
>>
>> You were given the answer. It's not just a matter of running the
>> scripts it also requires knowing what the scripts output and how to
>> configure *both* the client and the server with the script output.
>>
>> You've never explained what you're doing in any detail, especially
>> with regard to where you're generating the client cert. In a
>> previous email I explained what the server needs and what the client
>> needs. Now you're going to have to put that information to use. You
>> really do have to invest the energy into learning how the pieces fit
>> together.
>>
>>
>> Ok.. so here goes what I have been wanting to accomplish :P
>>
>>
>> ROUTER-SIDE ::
>> ===========
>>
>> a)
>> Configure the router to do WPA/WPA2-Enterprise authentication.
>>
>> b)
>> The authentication is to be done via a freeradius-server.
>>
>> c)
>> I connect a wired-cable between the router and the
>> freeradius-server-machine, to have a physical medium via which the
>> router and the server may talk.
>>
>>
>> SERVER-SIDE ::
>> ===========
>>
>> a)
>> Freeradius-server is running on Fedora-17 (freeradius-2.2.0-0.fc17.i686)
>>
>> b)
>> After installing freeradius, the certificates are generated via (on
>> Fedora-17 machine) ::
>>
>> su -
>> rm /etc/raddb/modules/dhcp_sqlippool
>> cd /etc/raddb/certs
>> make destroycerts
>> make
>> make client
>> chmod 0644 client.p12
>> chmod 0644 ca.pem
>>
>> c)
>> Now, the freeradius is started on the Fedora-17 machine as ::
>>
>> sudo /usr/sbin/radiusd -X &
>>
>> Server runs fine.
>>
>>
>>
>> CLIENT-SIDE ::
>> ===========
>>
>> a)
>> THE SAME FEDORA-17 MACHINE ACTS AS THE CLIENT TOO :)
>>
>> b)
>> Now, from the gnome-panel applet, I try connecting to the WPA/WPA-2
>> Enterprise network, by setting the following settings ::
>>
>> Wireless Security
>> : WPA/WPA2-Enterprise
>> Authentication
>> : TLS
>> Identity
>> : Anonymous
>> User Certificate
>> : /etc/raddb/certs/client.p12
>> CA Certificate
>> : /etc/raddb/certs/ca.pem
>> Private Key
>> : /etc/raddb/certs/client.p12
>> Private Key Password
>> : whatever
>>
>>
>> c)
>> I click the "Connect" button.....
>>
>>
>>
>> and then the dreaded logs happen :(
>>
>
> Thank you, that is a much clearer explanation.
>
> The first thing I notice is you're pointing the client to files in a
> directory owned by the server. Everything from /etc/raddb and below is
> readable only by root:radiusd for security reasons (you don't want to
> expose the configuration of an authentication server to the world).
>
> I suspect the code which reads the client cert files is running under your
> uid and is not a process with root privileges thus it can't read the cert
> files. I would try copying the client cert files to an alternate location,
> reset their permissions and try again.
>
>
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
--
Regards,
Ajay
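The permission problem John describes can be checked before clicking "Connect". The example below is added here and is not code from the thread or from FreeRADIUS: it models the ordinary Unix permission check that wpa_supplicant (running as a non-root uid on behalf of NetworkManager) has to pass for the user certificate, CA certificate and private key. The point it makes is the one the first attempt in the thread missed: `chmod 0644` on the files inside `/etc/raddb/certs` is not enough, because every parent directory must also be searchable by that uid, and `/etc/raddb` is `root:radiusd` with no access for "other". The function names, the `trusted_prefix` parameter and the temporary directory layout in `demo()` are this example's own assumptions.

```python
"""Preflight check for EAP-TLS client files (added example, not from the thread).

A file is readable by a non-root uid only if (a) each parent directory grants
that uid the search (x) bit and (b) the file grants it the read (r) bit, each
evaluated for the uid's permission class (owner, group, other). Root bypasses
these checks, so this models the logged-in user, not the radiusd process.
"""
import os
import shutil
import stat
import tempfile
from typing import Iterable, List, Tuple


def _class_bit(st: os.stat_result, uid: int, gids: Iterable[int],
               owner_bit: int, group_bit: int, other_bit: int) -> bool:
    """Pick the owner/group/other bit the way the kernel does for a non-root uid."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in set(gids):
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def _ancestors_below(path: str, trusted_prefix: str) -> List[str]:
    """Directories strictly below trusted_prefix on the way to path, top-down.

    trusted_prefix (assumed reachable, e.g. "/" or a home directory) lets the
    demo below stay independent of the permissions of the temp directory's parents.
    If path is not under trusted_prefix, everything up to "/" is checked.
    """
    trusted = os.path.abspath(trusted_prefix)
    dirs = []
    d = os.path.dirname(os.path.abspath(path))
    while d != trusted and os.path.dirname(d) != d:
        dirs.append(d)
        d = os.path.dirname(d)
    return list(reversed(dirs))


def check_access(path: str, uid: int, gids: Iterable[int],
                 trusted_prefix: str = "/") -> List[str]:
    """Return the problems stopping uid from reading path; [] means readable."""
    gids = set(gids)
    problems: List[str] = []
    for d in _ancestors_below(path, trusted_prefix):
        try:
            st = os.stat(d)
        except OSError as exc:
            problems.append(f"{d}: {exc.strerror}")
            return problems
        if not _class_bit(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{d}: not searchable by uid {uid} "
                            f"(mode {st.st_mode & 0o777:04o}, owner {st.st_uid}:{st.st_gid})")
    try:
        st = os.stat(path)
    except OSError as exc:
        problems.append(f"{path}: {exc.strerror}")
        return problems
    if not _class_bit(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{path}: not readable by uid {uid} "
                        f"(mode {st.st_mode & 0o777:04o}, owner {st.st_uid}:{st.st_gid})")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Rebuild the thread's situation in a temp dir and return (before, after).

    before: certs dir 0750 like /etc/raddb, client.p12 chmod 0644 inside,
            checked as a uid that is neither the owner nor in the group.
    after:  the file copied to a 0755 "home" dir with mode 0600, checked as
            its owner (what "cp ... /home/ajay; chown ajay" achieves).
    """
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    raddb = os.path.join(base, "raddb")
    certs = os.path.join(raddb, "certs")
    os.makedirs(certs)
    os.chmod(raddb, 0o750)   # like /etc/raddb: no access for "other"
    os.chmod(certs, 0o750)
    src = os.path.join(certs, "client.p12")
    with open(src, "wb") as f:
        f.write(b"\x30\x82")  # constructed placeholder bytes, not a real PKCS#12
    os.chmod(src, 0o644)     # the chmod from the thread, on its own
    before = check_access(src, os.getuid() + 1, (), trusted_prefix=base)

    home = os.path.join(base, "home")
    os.makedirs(home)
    os.chmod(home, 0o755)
    dst = os.path.join(home, "client.p12")
    shutil.copyfile(src, dst)
    os.chmod(dst, 0o600)     # the .p12 holds the private key: owner-only is enough
    after = check_access(dst, os.getuid(), os.getgroups(), trusted_prefix=base)
    shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    # The thread's original settings, checked as the user running this script.
    for p in ("/etc/raddb/certs/client.p12", "/etc/raddb/certs/ca.pem"):
        print(p, check_access(p, os.getuid(), os.getgroups()) or "OK")
    b, a = demo()
    print("demo before:", b)
    print("demo after:", a)
```

Two practical notes on the copying step in the thread: `client.p12` contains the client's private key, so `chmod 0600` owned by the connecting user is the right mode, not `0644` (the CA certificate is public and `0644` is fine there). And once the file is reachable, `openssl pkcs12 -in /home/ajay/client.p12 -noout -passin pass:whatever` confirms that the passphrase typed into the "Private Key Password" field actually opens the bundle, which separates a permission failure from a wrong passphrase.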