On Nov 23, 2017, at 3:38 PM, Oliver Tollning <oliver@tollning.com> wrote:
Alright, I took your suggestions to heart and installed ubuntu+freeradius 3.0 from scratch.
That's good...
configured the users and clients configs so that I can connect.
Testing with peap: Access-Accept. OK
Then used the CA.pl with -newca -newreq-nodes -sign
The server comes with scripts to create certs. See raddb/certs/
Made a dh file and copied the random with dd to another folder for easier access
eap.conf eap default_eap_type = peap
tls-config tls-common put in the key file, certificate file, dh file, random file and ca file
ca_path =/etc/freeradius/3.0/eap/eapCA/
then enabled verify { tmpdir = /etc/freeradius/3.0/tmp client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" }
Which runs the external verification command... if there's a client certificate.
no change in peap peap { tls = tls-common .... }
Now if I start freeradius -X and connect I still get an Access-Accept even though my client doesnt have the correct client certificate (because I never created it).
That's exactly how it's supposed to work. You didn't tell the server to require a client certificate. So it didn't.
And if I scroll up in the debug mode I get a eap_peap: [eaptls verify] = ok
Why does my server not verify the client correctly (or at all)
The server doesn't magically know that PEAP is supposed to have a client certificate. You have to tell it. Put this into the "authorize" section of raddb/sites-enabled/default: update control { EAP-TLS-Require-Client-Cert = Yes } It's what I told you to do in a message a few days ago. Following instructions helps you solve problems. Alan DeKok.