Well looks like from this point it maybe NetworkManager and how it deals with the certs. Using wpa_supplicant I am able to connect using the WPA_SUPPLICANT_CONFIG block below. Once I get everything sorted out I will redo the certs. However, I dont get why this is not working with NetworkManager. That will be for another forum I guess. I am curious though if my traffic is now encrypted ( even though the certs are just the snake-oil certs) when connecting using wpa_supplicant outside of network manager. WPA_SUPPLICANT CONFIG : ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="trunk2" scan_ssid=1 key_mgmt=WPA-EAP pairwise=TKIP CCMP group=TKIP CCMP eap=TLS identity="user@example.org" ca_cert="/home/loper/NetworkManager_CERTS/ca.pem" client_cert="/home/loper/NetworkManager_CERTS/user.pem" private_key="/home/loper/NetworkManager_CERTS/client.key" private_key_passwd="whatever" eapol_flags=3 } Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Sun, Feb 7, 2016 at 12:17 PM, John Teasley <ollieteasley@gmail.com> wrote:
Thanks again Alan. Looks like I had a ton of typos in the test config. Wow. Sorry I wasted your time with this one. Must have been staring at it to long or something. Thanks again. I guess now I can read up setting up a better way to manage all the certs!
NEW RESULTS :
EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: Status notification: completion (param=success) EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): d8 6e 87 d3 3c 12 2e b8 83 21 72 3b cd c0 ae c2 8a 9a 4a 6c 28 62 2d 25 f4 22 b2 2c 3e c3 18 92 EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 2 mismatch: 0 SUCCESS
Ollie Teasley Linux Administrator ISMELL.SHOES, LLC
On Sat, Feb 6, 2016 at 9:53 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 6, 2016, at 9:22 PM, John Teasley <ollieteasley@gmail.com> wrote:
Thanks for the reply Alan! Made all the changes you indicated. However, I am still having issues. Also, is it required to run a proxy if I only use the radius host? This is just for a small home lab. Please see below results. I really appreciate the help.
It's what I do, despite what some people think. :)
Also, while I can build from source, would doing so fix this? It seems more like something I have done wrong. A rebuild would just reflect the same misconfigurations if that is what the issue is.
Again, a careful reading of the output is useful:
From eapol_test:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
You need to be sure that the certificate exists. Check the path in the eapol_test configuration file.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html