PEAP correct client certificate

Oliver Tollning oliver at tollning.com
Thu Nov 23 21:38:37 CET 2017


Alright, I took your suggestions to heart and installed Ubuntu + FreeRADIUS 3.0 from scratch.

Configured the users and clients configs so that I can connect.

Testing with peap: Access-Accept. OK

Then used the CA.pl with
-newca
-newreq-nodes
-sign

Made a dh file and copied the random with dd to another folder for easier access.

eap.conf
eap  default_eap_type = peap

tls-config tls-common
put in the key file, certificate file, dh file, random file and ca file

ca_path =/etc/freeradius/3.0/eap/eapCA/

then enabled verify {
tmpdir = /etc/freeradius/3.0/tmp
client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}

no change in peap
peap {
tls = tls-common
....
}


Now if I start freeradius -X and connect, I still get an Access-Accept even though my client doesn't have the correct client certificate (because I never created it).
And if I scroll up in the debug mode I get a
eap_peap: [eaptls verify] = ok

Why does my server not verify the client correctly (or at all)?

Thanks for any input/help
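
An added configuration sketch, not part of the original post and not the FreeRADIUS project's shipped file: PEAP authenticates the user inside the tunnel, so the outer TLS handshake asks for a client certificate only when the peap section requires one, and the verify command has a certificate to check only when the client presents one. The option shown is require_client_cert from the FreeRADIUS 3.0 eap module; the file names marked as placeholders are assumptions.

```text
# mods-available/eap (FreeRADIUS 3.0), trimmed to the settings discussed
eap {
    default_eap_type = peap

    tls-config tls-common {
        # Placeholder file names (assumptions, not taken from the post);
        # dh and random files stay as already configured.
        private_key_file = /path/to/server.key
        certificate_file = /path/to/server.pem
        ca_file = /path/to/cacert.pem
        ca_path = /etc/freeradius/3.0/eap/eapCA/

        # Runs against the certificate the client presents
        verify {
            tmpdir = /etc/freeradius/3.0/tmp
            client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
        }
    }

    # As in the post: no client certificate is requested for PEAP
    # peap {
    #     tls = tls-common
    # }

    # Client certificate made mandatory for PEAP
    peap {
        tls = tls-common
        require_client_cert = yes
    }
}
```

openssl verify -CApath looks certificates up by subject-hash file names, so the ca_path directory needs hash links (created with c_rehash or openssl rehash) for the external check to find the CA.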
