More freeradius fun - some clients not connecting

Chris Bradley bradleyc at bcsc.k12.in.us
Tue May 21 15:24:45 CEST 2019


Hello everyone! Thanks for the help the other day.

I'm back to the original issue that I had that caused the servers to completely stop working the other day. All I did was stop the freeradius service and try running freeradius -X, honest. ;^)

So, here's the issue. I will explain the best I can.

We are K-12 educational and we're beginning to test re-imaging of our student computers. We have a wireless network for corporation-owned staff devices to connect to and one for student devices to connect to. Each setup has two radius servers (for failover). Two for staff and two for students. We install the Security Certificates and the PIM/P12 files on the devices via our configuration management software. Then, a wireless network is set up via netsh to import a .xml wireless config. Haven't had any trouble with it until we started using our new image.

Some (not all - some work and some don't) of our re-imaged computers won't connect to our certificate-based 802.1x networks. On the server, I'm seeing this error as I'm tailing the freeradius log:


Tue May 21 09:07:50 2019 : ERROR: (185581) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
Tue May 21 09:07:50 2019 : ERROR: (185581) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
Tue May 21 09:07:50 2019 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B
Tue May 21 09:07:50 2019 : Auth: (185581) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/computername] (from client northwifi port 1696 cli B4-6B-FC-EC-66-34)

When clients connect properly, I get a line like this in the logs:


Tue May 21 09:18:27 2019 : Auth: (187309) Login OK: [host/bcscstucert-client] (from client northwifi port 737 cli AC-E0-10-BA-A0-B7)

The two clients are identical machines, the wireless networks and the certificates are installed the same exact way. So, why can some of them connect and some of them can't? Any ideas to check into?

Thanks! =)

Chris :o)
Bradley
 
Network Administrator
Bartholomew Consolidated School Corporation
bradleyc at bcsc.k12.in.us
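
Added example, not part of the original post and not FreeRADIUS code: a small triage script for the "Auth:" log lines quoted above. It groups failures by reason and lists the client MACs, with the identity each presented, that never got a Login OK, so the failing machines can be compared against the working ones. The function names and the sample lines marked as constructed are assumptions.

```python
import re
from collections import defaultdict

# Matches FreeRADIUS "Auth:" lines in the format quoted in the post.
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<req>\d+)\) "
    r"(?P<result>Login OK|Login incorrect)"
    r"(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f-]+)\)"
)

# Lines 1-3 are copied from the post; lines 4-6 are constructed for the example
# (00-00-5E-00-53-01 is a documentation MAC, host/example-client is made up).
SAMPLE = """\
Tue May 21 09:07:50 2019 : ERROR: (185581) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
Tue May 21 09:07:50 2019 : Auth: (185581) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/computername] (from client northwifi port 1696 cli B4-6B-FC-EC-66-34)
Tue May 21 09:18:27 2019 : Auth: (187309) Login OK: [host/bcscstucert-client] (from client northwifi port 737 cli AC-E0-10-BA-A0-B7)
Tue May 21 09:19:02 2019 : Auth: (187400) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/computername] (from client northwifi port 1696 cli B4-6B-FC-EC-66-34)
Tue May 21 09:20:11 2019 : Auth: (187512) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/example-client] (from client northwifi port 801 cli 00-00-5E-00-53-01)
Tue May 21 09:25:40 2019 : Auth: (187833) Login OK: [host/example-client] (from client northwifi port 801 cli 00-00-5E-00-53-01)
"""

def parse(lines):
    """Yield one dict per Auth line; ERROR/Error lines are skipped."""
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage(lines):
    """Return (failing MACs per reason, {MAC: identities} for MACs never OK)."""
    ok, failed, by_reason = set(), defaultdict(set), defaultdict(set)
    for rec in parse(lines):
        mac = rec["mac"].upper()
        if rec["result"] == "Login OK":
            ok.add(mac)
        else:
            by_reason[rec["reason"] or "unspecified"].add(mac)
            failed[mac].add(rec["user"])
    never_ok = {m: sorted(u) for m, u in failed.items() if m not in ok}
    return dict(by_reason), never_ok

if __name__ == "__main__":
    reasons, never_ok = triage(SAMPLE.splitlines())
    for reason, macs in reasons.items():
        print(f"{len(macs)} client(s): {reason}")
    for mac, users in never_ok.items():
        print(f"never authenticated: {mac} presented {', '.join(users)}")
```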