Denis Iskandarov wrote:
I really appreciate your help but i can't understand some things. okey, let me ask some questions based on your very first answer. So suplicant sending some wrong packet. or something wrong withs it certificate?
Possibly.
AP configured to use EAP-TLS and "passthrough" all eap requests to my freeradius. Client has it's client certificate.
You've said that a lot. There's no need to repeat it.
i've generated 3 certificates with OpenSSL: cacert.pem server-keycert.pem and client-keycert.pem (with xpextensions, but this is optional for xp clients). ca and server certs seems to be working coz TTLS is working fine.
Did you use the scripts in raddb/certs to create the certificates? If no, why not? Those scripts work, and create certificates that work.
The supplicant is broken. It's sending an EAP-Identity field with no data:
where "EAP-Identity field" is generated? what have i to check ?
It's generated by the supplicant. I said this already.
Other question, should this lines be uncommented: check_cert_issuer = "/C=ZZ/ST=Yyyyy/L=yyyyy/O=Xxx" or check_cert_cn = %{User-Name}
or those are optional and by default some other fields are used for authentication?
This is all documented in the comments in eap.conf, and the various EAP-TLS "howtos".
also. what should i insert in user.conf (in daloRADIUS db in my case)... which user or password should be used. Or TLS is not used with database and i can't track WiFi link users with EAP-TLS through db and daloRADIUS?
TLS doesn't use passwords. This is how TLS works, and is documented in many places. i.e. FreeRADIUS includes documentation on RADIUS. It doesn't describe how EAP-TLS works, how how certificates are created. That is *other* software, written by *other* people. Alan DeKok.