Hi Alan,
first steps. turn those back on - and configure them correctly as required (read firewalld and selinux docs as required).
Yes, those will be turned back on. They were turned off to isolate the FreeRADIUS issues I'm having.
you talk about EAP-TLS...but your post only mentioned doing basic PAP and PEAP test - please don't confuse terminology.. you havent tested a client cert yet - which is probably important if you ARE doing EAP-TLS....
I was just stepping through the DeployingRADIUS steps to show that I have a working system before attempting to test EAP-TLS again. I've tested PAP, EAP, and MS-CHAPv2 with the 'bob' test account on the current system, successfully. I've also gotten EAP-TLS to work with production certs on a prior build. Which leads me to...
what cert are you using? still a local one or a public one? I would advise keeping with local one....you talk about importing it to client, so that suggests its not one of the big public ones... good.
Funny you should mention that... I've gotten EAP-TLS working just fine with local production certs, previously, but I am trying to get this to work with some of the 'big ones' and that's hwere I hit a roadblock before. The server certificate that I was given is a wildcard (star.company.net) certificate from GoDaddy. The client certificates (we have about 65) are all e-mail/auth certificates from VeriSign. What do you see as the issue with using 3rd Party Certificates and FreeRADIUS? Are they not formatted in a standard way?
now you have a working system, start to comment/remove things out of it that you dont need - thinking PAP and plain CHAP etc methods. weak, insecure. use the permit_only_eap policy in your virtual server auth {} section to ensure only EAP requests are coming to it.
OK, that makes sense. Right now I'm using the default server, so I'll create a new file and make changes there. Today, I will be testing with our certs and will post the output. Thank you for your input and time Alan. I appreciate it. Thank You, Matthew On Thu, Aug 25, 2016 at 2:52 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
hi,
1. Installed/Configured CentOS 7 (CentOS7-x86_64-1511) a. Disabled SELinux b. Disabled firewalld
first steps. turn those back on - and configure them correctly as required (read firewalld and selinux docs as required).
Are there any steps I've missed? Do I need to keep the 'dh' in /certs/?
now you have a working system, start to comment/remove things out of it that you dont need - thinking PAP and plain CHAP etc methods. weak, insecure. use the permit_only_eap policy in your virtual server auth {} section to ensure only EAP requests are coming to it.
of course you need the DH file - its part of the process.
what cert are you using? still a local one or a public one? I would advise keeping with local one....you talk about importing it to client, so that suggests its not one of the big public ones... good.
you talk about EAP-TLS...but your post only mentioned doing basic PAP and PEAP test - please dont confuse terminology.. you havent tested a client cert yet - which is probably important if you ARE doing EAP-TLS....
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html