Version 3.0.4 Centos 7 EAP-TLS : EAP failure

Alan DeKok aland at deployingradius.com
Sun Feb 7 03:09:44 CET 2016


On Feb 6, 2016, at 8:45 PM, John Teasley <ollieteasley at gmail.com> wrote:
> I have been trying to get freeRADIUS Version 3.0.4 working with EAP-TLS for a
> while now.

  Please don't.  3.0.11 was released recently.  There are few reasons to use a version which is years out of date.

> I was able to get PAP working using the guide
> at http://deployingradius.com/documents/configuration/pap.html.
> However, getting EAP-TLS to work has been a pain.

  3.0.11 has a sample config for eapol_test in src/tests/eap-tls.conf.  It should pretty much work.

> In my case I used the freeradius as installed by yum from the repos. Before
> doing the guide at the link posted below I built the certs in
> /etc/raddb/certs using make. No changes have been made to the .cnf files in
> the certs directory since this was a test. The eapol_test config is also
> posted below.

  OK.

> I have used radius as installed on pfsense in the past. However, I now wish
> to have a standalone host to take care of this. I have spent 3 days trying
> to get this to work. I am at a complete loss as to what is wrong or how to
> even find out at this point. I have already run radius with radius -XX and
> am not seeing anything that I know how to change. I would greatly appreciate some
> help on this. The settings I have used are EXACTLY what is listed in the
> links.

  That's good...

> eapol_test configuration :
> 
> network={
> ssid="TEST-SSID"
> eap=TLS
> eapol_flags=0
> key_mgmt=WPA-EAP
> identity="user at example.com"

  Which is the problem.  If you read the debug output, you'll see it proxying requests.  You probably don't want to do that.
> 
> (0)  suffix : Looking up realm "example.com" for User-Name = "user at example.com"
> (0)  suffix : Found realm "example.com"
> (0)  suffix : Adding Stripped-User-Name = "user"
> (0)  suffix : Adding Realm = "example.com"
> (0)  suffix : Proxying request from user user to realm example.com
> (0)  suffix : Preparing to proxy authentication request to realm "example.com"
> (0)   [suffix] = updated
> (0)  eap : Request is supposed to be proxied to Realm example.com. Not
> doing EAP.

  Which is the issue.

  Change the eapol_test config file to use example.org, and edit proxy.conf to add:

realm example.org {
}

  Which says it's a local realm, and not to be proxied.

  This change is also available in 3.0.11, which is one reason why we suggest using the latest versions.

  Alan DeKok.
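
Added example, not part of the original message or of FreeRADIUS: a small Python script that scans radiusd debug output for the condition diagnosed above, where a request matches a realm that is set to proxy and the eap module therefore declines to handle it. The sample log is constructed from the lines quoted in the thread, and the function name find_proxied_eap is hypothetical.

```python
import re

# Constructed sample of `radiusd -X` output, modelled on the lines quoted in the thread.
SAMPLE_DEBUG = '''\
(0)  suffix : Looking up realm "example.com" for User-Name = "user@example.com"
(0)  suffix : Found realm "example.com"
(0)  suffix : Proxying request from user user to realm example.com
(0)   [suffix] = updated
(0)  eap : Request is supposed to be proxied to Realm example.com. Not doing EAP.
(1)  suffix : Looking up realm "example.org" for User-Name = "user@example.org"
(1)  suffix : Found realm "example.org"
(1)   [suffix] = ok
'''

# "(N)  module : message" as printed in the 3.0.x debug output shown in the thread.
LINE = re.compile(r'^\((\d+)\)\s+(\w+)\s*:\s*(.*)$')
LOOKUP = re.compile(r'Looking up realm "([^"]+)" for User-Name = "([^"]+)"')
SKIPPED = re.compile(r'Request is supposed to be proxied to Realm (\S+?)\.(?:\s|$)')


def find_proxied_eap(debug_text):
    """Return one record per request where the eap module stood down because
    an earlier module (here: suffix) had already marked the request for proxying."""
    requests = {}
    for raw in debug_text.splitlines():
        # Tolerate "> " quoting so output pasted from an e-mail still parses.
        m = LINE.match(raw.lstrip("> ").rstrip())
        if not m:
            continue
        number, module, message = int(m.group(1)), m.group(2), m.group(3)
        req = requests.setdefault(number, {"request": number, "user": None, "realm": None})
        lookup = LOOKUP.search(message)
        if module == "suffix" and lookup:
            req["user"] = lookup.group(2)
        skipped = SKIPPED.search(message)
        if module == "eap" and skipped:
            req["realm"] = skipped.group(1)
    # Only requests where EAP was skipped carry a realm.
    return [r for r in requests.values() if r["realm"] is not None]


if __name__ == "__main__":
    for hit in find_proxied_eap(SAMPLE_DEBUG):
        print("request %(request)d: %(user)s matched realm %(realm)s, "
              "which is set to proxy, so EAP was not run locally" % hit)
```

Any request it reports needs either a different realm in the supplicant identity or a local realm entry in proxy.conf, as described in the reply above.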



