Problems with CA using PEAP/TTLS
Alan DeKok
aland at deployingradius.com
Tue Oct 11 22:45:58 CEST 2016
On Oct 11, 2016, at 4:28 PM, dump at gmx.info wrote:
>
> I'm using freeradius 2.2.5 on debian for authentication of wireless
> access.

You should upgrade to 3.0.12. It may help.

> The problem is that authenticating clients (I'm using PEAP/TTLS)
> works only if the CA-certificate is ignored by the client side.

Which means that the client doesn't have the CA installed.

> When
> trying to authenticate the clients using the CA in Network-Manager the
> authentication fails. The server certificate of freeradius is correctly
> signed and the public CA is selected at the clients (linux using
> Network-Manager).

Ask the Network-Manager people why their software is broken. :(

> Is there a possibility to catch the server certificate on the client
> side after the transfer to the client, and then check this server
> certificate signature against the locally installed CA-certificate by
> hand? For example using tcpdump?

Use eapol_test.

http://deployingradius.com/scripts/eapol_test/

Alan DeKok.
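
The by-hand check asked about above, as an added example that is not part of the original message: once the server certificate has been saved to a PEM file, `openssl verify` can test it against exactly one CA file. The file names, subject names and the two throwaway CAs are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a saved RADIUS server certificate against one CA file.
# All file names and subject names below are constructed for the demo.

# verify_server_cert CA_PEM SERVER_PEM [INTERMEDIATES_PEM]
# Succeeds only if SERVER_PEM chains to CA_PEM. -no-CApath (OpenSSL 1.1.0+)
# keeps the system trust directory out of the decision, so a pass really
# means "this CA file", not "some CA the system happens to trust".
verify_server_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# issuer_matches CA_PEM SERVER_PEM
# Quick name check: is the server certificate's issuer the CA's subject?
issuer_matches() {
    ca_subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    srv_issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$ca_subject" = "$srv_issuer" ]
}

# make_ca DIR NAME CN: constructed self-signed CA (assumes the default
# openssl.cnf marks "req -x509" certificates as CA:TRUE).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Constructed demo PKI: srv.pem is signed by ca_good, not by ca_other.
demo_dir=$(mktemp -d)
make_ca "$demo_dir" ca_good "Constructed CA A"
make_ca "$demo_dir" ca_other "Constructed CA B"
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
    -keyout "$demo_dir/srv.key" -out "$demo_dir/srv.csr" 2>/dev/null
openssl x509 -req -in "$demo_dir/srv.csr" -days 1 -CA "$demo_dir/ca_good.pem" \
    -CAkey "$demo_dir/ca_good.key" -CAcreateserial -out "$demo_dir/srv.pem" 2>/dev/null

for ca in ca_good ca_other; do
    if verify_server_cert "$demo_dir/$ca.pem" "$demo_dir/srv.pem"; then
        echo "$ca: server certificate verifies"
    else
        echo "$ca: verification FAILED"
    fi
done
```

If the name check fails, the client has a different CA selected than the one that issued the server certificate; if the names match but verification fails, check for a missing intermediate and pass it as the third argument.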