Hi, Greetings and Thanks... The setup is CentOS7 with FreeRADIUS on a VM. Connected to Google Secure LDAP. EAP Settings: EAP-TTLS-PAP (As you suggested it is working only with EAP-TTLS-PAP) Our W-Fi devices are Aruba IAPs and we are using the virtual controller. On Fri, 15 Oct 2021 at 16:25, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 15, 2021, at 2:42 AM, Thirunavukkarasu Palanisamy < drthiruna@tanuvas.org.in> wrote:
The client gets connected with RADIUS by disabling the CA validation.
That is entirely the wrong solution. Just configure the CA on the client.
Disabling CA validation means that the client will connect to *any* RADIUS server, and hand over the passwords. This is insecure, and very wrong.
I agree that CA validation is mandatory. I am using the default CA certificate.
But I am facing unique problem, that the clients gets connected only when I run the server in debug mode In debug mode the RADIUS shows that it is ready to process the requests. Any reason for this?
It was working fine, but recently I am facing an issue that the FreeRADIUS server processes the request only in debug mode. That is, it is accepting the request when the server is running in debug mode.
The default configuration works fine. So what did you change? I don't know, because you're very careful to not give any useful information.
Really I am not having any intentions like that. I'm sorry for this misunderstanding.
Does it to LDAP? AD? ntlm_auth? I have no idea. You do, but you're not saying.
Google Secure LDAP. EAP-TTLS-PAP The following are the few warning messages I noticed in the debug output. Not copied the entire debug output for easy review by the team. The entire debug attached as text file [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec '' found in filter list for realm "DEFAULT". *TLSMC: MozNSS compatibility interception begins.tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.TLSMC: MozNSS compatibility interception ends.TLS certificate verification: Error, unable to get local issuer certificate* eap_ttls: WARNING: Total received TLS record fragments (139 bytes), does not equal indicated TLS record length (0 bytes) WARNING: Outer and inner identities are the same. User privacy is compromised. I need help in this regard. From my understanding the server should be in debug mode for processing the requests. Our aim is implementing FreeRADIUS as a one stop solution for AAA and dynamic vlan. As of now I am working on dynamic vlan configuration in FreeRADIUS. VLANs based on G Suite OUs or groups. The OUs or groups are listed and assigned a VLAN in /etc/freeradius/3.0/mods-config/files/authorize Regards, *Thirunavukkarasu* -- _---------------------------------------------------------------------------------_ *_TANUVAS_* *The contents of this message are confidential and are not be shared with outside parties without prior permission*