I have thrown away that environment because it was debian using 2.x, which is apparently not recommended for new deployments I have set up ubuntu running 3.0.11 instead, and I have generated certs using my own CA, along with make server make client If I use eapol_test with these certs, I can successfully auth with PEAP, TLS configurations, but when I try to import the client .crt in apple configurator 2, or the .p12, I am unable to authenticate using PEAP, TLS, or TTLS with my macbook running OS X 10.11 through my WAP after generating a pfx with: openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile ca.crt I am unable to select client.pem or client.crt as a client certificate in my configuration for TLS. The error I get running /usr/sbin/freeradius -fxx -l stdout for this connection appears to indicate I don't have a good cert: (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xe86272eeeb667f10 (9) eap: Finished EAP session with state 0xe86272eeeb667f10 (9) eap: Previous EAP request found for state 0xe86272eeeb667f10, released from the list (9) eap: Peer sent packet with method EAP TLS (13) (9) eap: Calling submodule eap_tls to process data (9) eap_tls: Continuing EAP-TLS (9) eap_tls: Peer indicated complete TLS record size will be 7 bytes (9) eap_tls: Got complete TLS record (7 bytes) (9) eap_tls: [eaptls verify] = length included (9) eap_tls: <<< recv TLS 1.0 Alert [length 0002], warning close_notify (9) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (9) eap_tls: ERROR: SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure (9) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session failed (9) eap_tls: ERROR: TLS receive handshake failed during operation (9) eap_tls: ERROR: [eaptls process] = fail (9) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 4 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject On Sun, Sep 25, 2016 at 7:46 PM Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Sep 23, 2016 at 07:20:29PM +0000, Peter Lesko wrote:
I'm having a similar issue to the one described here:
http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-td...
Currently, I can auth with just a signed cert, or just username/password
I would like to enforce both, but I have been unable to determine the correct keywords/config after reading many forum posts, in addition to
the
comments provided in the default configuration
Just check your client's supplicant capabilities first.
Many can't do this at all. For example I am not aware of any version of Windows where this will work. One or the other, yes. Both, no.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html