On Mar 8, 2017, at 12:19 PM, Rob Rutledge <robertrutledge2005@charter.net> wrote:
I am however having problems authenticating wireless clients on a Cisco 1142N autonomous access-point. I followed the instructions I found advising to set up open WEP authentication with EAP. The problem I am having is installing the certificates in the /etc/raddb/certs/ directory. The instructions I found advised to install the ca.der and client.p12 certificates on my wireless workstation, Windows 10 Pro. When I try to install the ca certificate I get the following window pops up:
The mailing list strips attachments. Only text is allowed.
The timer just keeps timing out and repeats itself until I disconnect the SSID and running FreeRADIUS in the debug mode I never see any activity in the debug outputs. Therefore I am to assume that the wireless client bridging through the ap is never even trying to talk to the FreeRADIUS server.
That looks like what's happening.
I can however change the encryption methods in the AP for this SSID and it will authenticate. I have to configure the encryption mode ciphers for the SSID VLAN in the radio configuration and then set up for key-management authentication wpa version 2 in the SSID configuration and the wireless client authenticates through the FreeRADIUS server. When I set it up this way though I am requested to enter username/password combination and accept the certificate ( I would assume this is the certificate from the server to be validated) before the connection process completes. What concerns me is that I see two warnings come up in the FreeRADIUS debug logs:
(33) WARNING: Outer and inner identities are the same. User privacy is compromised.
(33) pap: WARNING: Auth-Type already set. Not setting to PAP
Via this method I see that the Outer identity has the username I entered when I connected instead of anonymous.
That's set in the Windows 802.1X configuration. See the Windows UI for more details.
In addition I see that PEAP is being used for the authentication process in the debug logs:
(34) eap: Peer sent packet with method EAP PEAP (25)
(34) eap: Calling submodule eap_peap to process data
(34) eap_peap: Continuing EAP-TLS
(34) eap_peap: [eaptls verify] = ok
(34) eap_peap: Done initial handshake
(34) eap_peap: [eaptls process] = ok
(34) eap_peap: Session established. Decoding tunneled attributes
(34) eap_peap: PEAP state send tlv success
(34) eap_peap: Received EAP-TLV response
(34) eap_peap: Success
I believe a lot of this information is superfluous for the purposes of this post, but my main question would be why can't I install the certificates from the /certs/ directory?
I have no idea. I've tried to install certs on Windows repeatedly. Magically it works... magically it doesn't work. It's entirely opaque. Alan DeKok.