On Apr 14, 2019, at 7:18 PM, rbbhill@gmail.com wrote:
Hi all, thanks for your help in advance. I have spent the last week trying to solve this issue, I have read and read all information I can find. I have set up a raspberry pi 3, with freeradius 3.0 and openssl. For the freeradius I have followed the guides by each detail in full, the only exception is replacing etc/raddb with etc/freeradius/3.0. The freeradius server is set up and running and I have completed testing with local host using radtest and eapol. Test results:
OK.
PAP Localhost = Ok, passes - used radtest bob hello localhost 0 testing123
EAP (using EAPOL) PEAPv0_EAP-MSCHAPv2 = Ok, Passes EAP-TTLS_EAP-MSCHAPv2 = Ok, Passes
That's good.
Good so far, next I edit EAPOL test scripts to uncomment so as to use the test certs for testing. The only thing I changed here was /etc/raddb/certs/ca.der to /etc/freeradius/3.0/certs/ca.der so as to point test utility to the correct directory.
Sure.
EAP (using EAPOL with cert check uncommented) PEAPv0_EAP-MSCHAPv2 = Fails, TLS Alert read:fatal:unknown CA EAP-TTLS_EAP-MSCHAPv2 = Fails, TLS Alert read:fatal:unknown CA
That means you haven't told eapol_test what the CA cert is. The eapol_test configuration file *should* point to the correct CA file. If that's done, then the "unknown CA" error should go away.
I followed deployingradius, and used make to build certs, they are all populated in the directory, but tests repeatedly fail. This same error comes up repeatedly across peap and ttls using cert:
Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: TLS Alert read:fatal:unknown CA Sun Apr 14 16:56:49 2019 : Debug: (9) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: Failed in __FUNCTION__ (SSL_read): ../ssl/record/rec_layer_s3.c[1407]:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
That's eapol_test telling FreeRADIUS that eapol_test doesn't like the CA cert being presented by FreeRADIUS. If this authentication isn't with eapol_test, then the same comment applies. Configure the supplicant to know about the CA cert used by FreeRADIUS.
Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: System call (I/O) error (-1) Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: TLS receive handshake failed during operation Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: [eaptls process] = fail Sun Apr 14 16:56:49 2019 : ERROR: (9) eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed
I am very new to radius, and I am trying to setup the server to test with some headless devices, and they need to be able to support PEAP, TLS, and TTLS with certs. I went as far as setting a completely identical server on another Pi and tried with production certificates, with same error. The only thing I notice different is that when I access the network with my iphone, the public cert it sends my iphone is completely different than any of the certs in /etc/freeradius/3.0/certs/.
Then the server isn't using /etc/freeradius/3.0/certs/, is it? READ the debug output. ALL OF IT. It will print out what files it's reading, including which certificates it's reading. Those are the certificates you need to use.
Verbose log: Sun Apr 14 16:55:58 2019 : Info: Ready to process requests
PLEASE read the documentation on what to post to the list. When you join the list, you get an email message telling to read the documentation. It includes a URL. PLEASE read it. http://wiki.freeradius.org/list-help Alan DeKok.