Ryan A. Krenzischek wrote:
Greetings!
I am at a road block here. I know setting up WPA2 Enterprise PEAPv0/EAP-MSCHAPv2 / 802.1X should be simple. It just isn't working! Perhaps I am suffering from green screen syndrome :)
I have followed directions from: http://tldp.org/HOWTO/html_single/8021X-HOWTO/
Ugh. That document is almost 6 years old.
Aside from mschap being in the <etcdir>/raddb/modules directory and needing to enable mppe, the instructions are fairly straight forward.
How about http://freeradius.org/doc/ ? Or the comments in the "man" page, and in raddb/eap.conf? After 10 years of doing this, I still don't understand why people ignore the documentation that ships with the server, and instead read random sites on the net.
The certificates are generated from our certificate store. I'm trying a less complicated set up before moving on to OpenLDAP/Kerberos. During the build process, I made sure that OpenSSL was available. LDD shows that it is linked:
ldd output is not useful. The FAQ and docs don't ask for it.
The client computers are laptops running OpenSUSE 11.2 x86_64. Knetworkmanager is being used to configure the wireless security. the settings are:
The FAQ and docs don't ask for that, either.
The "users" file contains:
billgates User-Password := "98502"
This is a config for 1.x. See the FAQ for how to correctly set a password for a user. Look for "bob".
What I get on the test laptop in wpa_supplicant:
Associated with 00:00:00:c0:ff:ee CTRL-EVENT-EAP-STARTED EAP Authentication started OpenSSL: tls_connection_ca_cert - Failed to parse ca_cert_blob error:0D0680A8:ASN1 encoding routines: ASN1_CHECK_TLEN:wrong tag openSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error TLS: Failed to set TLS connection parameters EAP-PEAP: Failed to initialize SSL.
Well... the certificate seems to be malformed.
Debug Output:
*That* is exactly what we need.
rad_recv: Access-Request packet from host 1.2.3.4 port 1812, id=157, length=101 ... EAP-Message = 0x027800060300
The supplicant is doing EAP.
[eap] EAP NAK [eap] NAK asked for bad type 0 [eap] Failed in EAP select ++[eap] returns invalid
That seems clear enough. The supplicant doesn't like the EAP type proposed by the server, and is asking for another method. But it's asking incorrectly. See my page for how to configure EAP. It includes step by step directions, and it *works*: http://deployingradius.com I suspect that the problem is with the certificates. DON'T start with certs that may or may not work with RADIUS. DO start with the "test" certs generated when the server first starts. Alan DeKok.