On Oct 11, 2016, at 4:28 PM, dump@gmx.info wrote:
I'm using freeradius 2.2.5 on debian for authentication of wireless access.
You should upgrade to 3.0.12. It may help.
The problem is that authenticating clients (I'm using PEAP/TTLS) works only if the CA-certificate is ignored by the client side.
Which means that the client doesn't have the CA installed.
When trying to authenticate the clients using the CA in Network-Manager the authentication fails. The server certificate of freeradius is correctly signed and the public CA is selected at the clients (linux using Network-Manager).
Ask the Network-Manager people why their software is broken. :(
Is there a possibility to catch the server certificate on the client side after the transfer to the client. And then checking this server certificate signature against the locally installed CA-certificate by hand? For example using tcpdump?
Use eapol_test. http://deployingradius.com/scripts/eapol_test/ Alan DeKok.