Hi,
I'm trying to configure a FreeRADIUS server (Version 2.1.12) on computer running Debian Linux (Raspbain), and I'm trying to connect to it with a Mac laptop running OS X Mavericks (10.9). I'm using the EAP-TLS Wireless WPA2-Enterprise SSL certificate method, but the Mac refuses to connect to the server, usually saying "Invalid password." The server seems to be functioning properly, when I run the "freeradius -X" command I get the "Ready to process requests" message and the error log does not log anything when I try to connect.
if you see nothing in debug mode....as you state...then the RADIUS requests arent getting to your server. so check your netwok settings, check the server firewall, check network ACLs , routing and your wireless/switch configurations. also, 2.1.12? thats just so totally obsolete. use at LEAST 2.2.x - and think about using version 3 for a new deployment.
Question #1: Do I need an entry in the FreeRADIUS config files for each individual client computer I'm trying to connect to, such as in
no. just for each NAS. entries for NAS go into clients.conf - but if thats not got an entry, you'll stiul have 'unknown client' being printed out in debug mode
Question #2: In the EAP-TLS section of the "eap.conf" config file there is the "private_key_password" variable, and some instructions have told me just to comment that out.. I have also tried to use
does your server cert have a password? if so, ensure its put in there correctly.
Question: #3: Elsewhere I have seen instructions for using XML configuration profiles for setting up the networking on Mac computers, but I would rather not deal with that right now and instead I would like to just create and install the certificates manually to get the most basic setup running.. Presumably it is not mandatory to use that XML method with Mavericks for the certificates although please correct me if I am wrong.
.mobileconfig files are the defacto way to configure OSX systems since Lion was released. users cannot manually configure their 802.1X settings. if the RADIUS CA file is known (and is private) to the system and you are using EAP-TLS and have a user certificate installed then the user can choose that identity....EAP-TLS is nice that way. if using PEAP or EAP-TTLS then you really want to ensure that the client is configured correctly with all the required RADIUS server CA and CN trust settings done properly as otherwise the client could be talking to any RADIUS server behind a malicious AP providing same SSID :/ also....latest OSes are far more fussy about certificates...need SHA-1 or above CA/server certs, (2.1.x was in the days of MD5....) and larger DH keys for latest forthcoming releases (2.1.x was 256 or 512 bit?) alan