PS, 2.2.9 is not released yet; it was supposed to be released beginning of september but got jumped AFAIK due to time constraints or still some bugs open. On Thu, Sep 24, 2015 at 7:15 PM, Rohan Mahy <rohan.mahy@gmail.com> wrote:
Hi Alan,
Thanks for the advice. Arran's intuition was correct (as I also suspected). As soon as I found out how to turn on debugging on the supplicant I saw that it did not like the server certificate. I am now looking for some kind of guide about what format the CN/SubjectAltName etc. need to be in certs for 802.1x for Apple to be happy with them.
Sep 23 12:00:24.045540 Spare-MacBook-Air.local eapolclient[540]: Receive Size 472 Type 0x888e From 2:18:5a:1d:ae:3 Sep 23 12:00:24.045726 Spare-MacBook-Air.local eapolclient[540]: EAP Request: EAP type 21 Sep 23 12:00:24.071564 Spare-MacBook-Air.local eapolclient[540]: [eapttls_plugin.c:969] eapttls_verify_server(): server certificate not trusted status 6 0 Sep 23 12:00:24.071763 Spare-MacBook-Air.local eapolclient[540]: Transmit Size 21 Type 0x888e To 2:18:5a:1d:ae:3 Sep 23 12:00:24.071908 Spare-MacBook-Air.local eapolclient[540]: en0 EAP-TTLS: authentication failed with status 6 Sep 23 12:00:24.072062 Spare-MacBook-Air.local eapolclient[540]: set_msk 0
On Wed, Sep 23, 2015 at 11:44 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I am trying to debug an EAP-TTLS handshake problem between FreeRADIUS 2.2.4 with OpenSSL 1.0.1f and Mac OS X 10.10.5 and 10.9.5. The Macs are using
old. upgrade your FR
b) FreeRADIUS/OpenSSL and these versions of Mac OS X can all do TLS 1.2. Does the text "TLS 1.0 Handshake" in the log really mean that it is only using TLS 1.0 instead of TLS 1.2?
yes. FR 2.2.4 doesnt do TLS 1.2 - 2.2.9 does
ok. I will probably upgrade to 3.0.9 in a week or two.
c) There is a message in the log "TLS_accept: failed in SSLv3 read client certificate A". Does this mean that there was a client certificate presented by the client? (there shouldn't be a client cert at all)
how is the OSX device configured?
Im attaching the .mobileconfig file. OSX is configured to use EAP-TTLS + PAP, the server cert CN is wifi.remind.com and is signed by our self-signed CA cert. Both of these are in the mobileconfig file and WiFi profile says to expect wifi.remind.com. as a Trusted Name for 802.1x from this WiFi network. :-\
d) Does anyone have any other suggestions to make this work? I already tried setting the cipher_list to well used ciphers that the Macs generally like ('AES+aRSA') and got the same result. (The trace below is with the default cipher_list).
works with DEFAULT. unless you want to start playing client compatibility issue and need to remove eg DH methods or DES methods from the list I wouldnt touch it (that particular combo only allows TLS1.2 and a few SSLv3 methods
dh_file = ${certdir}/dh
how big is that dh key? must be 1024 or bigger
1024
openssl dhparam -in dh -text -noout
ttls { default_eap_type = md5
md5? really? I'm sure you want that to be mschapv2 for your systems. dont think OSX will renegotiate.
I need PAP inside the EAP-TTLS, because I need to proxy the PAP request to a PAP-only RADIUS server. EAP-MD5 is actually disabled, but I found I still need a non-TLS default_eap_type inside the ttls block. As we are not getting far enough to worry about that (and it works on Windows and Android), I am not too worried about that.
Thanks, -rohan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html