Freeradius, SQL, Certs and Newbie
Alan DeKok
aland at deployingradius.com
Wed Oct 2 20:20:18 CEST 2019
On Oct 1, 2019, at 10:21 PM, Daniel Zirkin <zirkin at hotmail.com> wrote:
>
> Good evening all. Perhaps I'm going overboard... I have two WAPs covering 3.5 acres. I'd rather not have neighbors/ne'er-do-wells accessing our network. I've set up a separate network for outside secured with Freeradius.
>
> I have Freeradius 3.0.19 up and running on Fedora 30. I am using Mariadb for account information. All is well.
That's good.
> I've come to realize that plaintext authentication even with WPA3/2ent isn't all that secure. Also, I'm trying to get a few IOT devices to connect. Phones and laptops all work well.
>
> I thought perhaps adding client certs into the mix would tighten things up.
That should be fine.
> I've created them and I think configured things correctly.
>
> eapol_test -a127.0.0.1 -p1812 -s ******* -c /root/Documents/eapol_test-eaptls.conf
>
> gives me:
>
> MPPE keys OK: 1 mismatch: 0
> SUCCESS
>
> So now I can connect with certs or with a plaintext user/pass from sql. I can't seem to get it to require a cert then check the database for account info.
What did you tell it to do?
> What am I missing?
We have no idea what you did, so we can't give much in the way of advice.
Normally if you configure EAP-TLS with client certs, then anyone with a valid client cert is allowed access. What "account info" are you looking for in the DB? Passwords? If so, EAP-TLS doesn't use passwords.
Alan DeKok.
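
Added example, not part of the original message and not the poster's configuration: the reply notes that EAP-TLS admits anyone holding a valid client cert, so a database check has to be a separate authorization step. One way to add it in FreeRADIUS 3.0.x is the EAP-TLS "virtual_server" option with the sample check-eap-tls virtual server. The assumptions are that the account name equals the certificate Common Name and that accounts live in the stock radcheck table.

```conf
# mods-available/eap (excerpt)
# After the certificate chain has been validated, pass the session to a
# virtual server that makes the authorization decision.
eap {
	tls {
		tls = tls-common
		virtual_server = check-eap-tls
	}
}

# sites-available/check-eap-tls (symlink it into sites-enabled/)
server check-eap-tls {
	authorize {
		# Assumption: radcheck.username holds the certificate CN.
		# COUNT(DISTINCT ...) returns exactly "1" for a known account,
		# however many radcheck rows that account has.
		if ("%{sql:SELECT COUNT(DISTINCT username) FROM radcheck WHERE username='%{TLS-Client-Cert-Common-Name}'}" == "1") {
			# Valid certificate AND a matching account row.
			update config {
				&Auth-Type := Accept
			}
		}
		else {
			# No row, or the lookup returned nothing (for example the
			# database is down): fail closed rather than accept on
			# the certificate alone.
			update reply {
				&Reply-Message := "Valid certificate, no matching account"
			}
			reject
		}
	}
}
```

No password is involved in this lookup; the row only has to exist, so deleting it revokes access for that certificate without reissuing or revoking the cert itself.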