I have configured the client to trust server certificate and installed the server certificate on client "Trusted Root CA certificate store" and still the same thing. Then I also unchecked the "validate server certificate" at the client, still cannot connect but see a different message at FreeRadius debug: (75) eap_peap : processing EAP-TLS (75) eap_peap : eaptls_verify returned 7 (75) eap_peap : Done initial handshake (75) eap_peap : eaptls_process returned 7 (75) eap_peap : FR_TLS_OK (75) eap_peap : Session established. Decoding tunneled attributes (75) eap_peap : Peap state send tlv failure (75) eap_peap : Received EAP-TLV response (75) eap_peap : The users session was previously rejected: returning reject (again.) (75) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output (75) eap_peap : *** to find out the reason why the user was rejected (75) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you (75) eap_peap : *** what went wrong, and how to fix the problem SSL: Removing session a38778fb8d95f898711428a550cca28f33c0704bedf61bf9cd5fb56bb744a8d8 from the cache (75) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed (75) eap : Failed in EAP select (75) [eap] = invalid (75) } # authenticate = invalid (75) Failed to authenticate the user (75) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/CCS-252.cfs.uoguelph.ca] (from client WLC2504 port 1 cli c4-8e-8f-f8-96-33) (75) Using Post-Auth-Type Reject (75) # Executing group from file /etc/raddb/sites-enabled/default (75) Post-Auth-Type REJECT { (75) attr_filter.access_reject : EXPAND %{User-Name} (75) attr_filter.access_reject : --> host/CCS-252.cfs.uoguelph.ca (75) attr_filter.access_reject : Matched entry DEFAULT at line 11 (75) [attr_filter.access_reject] = updated (75) eap : Reply already contained an EAP-Message, not inserting EAP-Failure (75) [eap] = noop (75) remove_reply_message_if_eap remove_reply_message_if_eap { (75) if (&reply:EAP-Message && &reply:Reply-Message) (75) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (75) else else { (75) [noop] = noop (75) } # else else = noop (75) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (75) } # Post-Auth-Type REJECT = updated Now client does not validate server certificate now, does FR server need to validate client certificate? Thanks. Dennis ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Thursday, December 3, 2015 4:33:14 PM Subject: Re: Machine auth fails but user auth works On Dec 3, 2015, at 4:24 PM, Dennis Xu <dxu@uoguelph.ca> wrote:
In both user and machine auth cases, I use the same certificate installed on FreeRadius. I don't understand why machine auth complains the CA error, but no issues for user auth?
You have to enable the CA for each user / machine identity.
I don't use certificates on client machines and there is no special configuration about certificates in the machine auth case.
The client system still has to trust the RADIUS server. The *only* way to do this is to install the CA certificate on the client. Alan DeKok.