OS X Mavericks not connecting to Debian FreeRADIUS
Hello, I'm trying to configure a FreeRADIUS server (Version 2.1.12) on computer running Debian Linux (Raspbain), and I'm trying to connect to it with a Mac laptop running OS X Mavericks (10.9). I'm using the EAP-TLS Wireless WPA2-Enterprise SSL certificate method, but the Mac refuses to connect to the server, usually saying "Invalid password." The server seems to be functioning properly, when I run the "freeradius -X" command I get the "Ready to process requests" message and the error log does not log anything when I try to connect. I'm relatively sure that the certificates have been created and installed properly into the server and Mac OS X keychain, I'm allowed to select the client certificate from a pull-down menu when I try to configure the networking in the OS X Networking preferences, but the computer doesn't actually end up connecting to the network. I have created the certificates on the Linux side using ssl commands. Question #1: Do I need an entry in the FreeRADIUS config files for each individual client computer I'm trying to connect to, such as in the "users" file or "acct_users" file? What would I put into those files if I needed to put something? Instructions that I have seen suggest that I don't need to specify such information as long as the certificates have been created and implemented properly. I did get a prompt for the certificate password when I put the certificate into the OS X keychain and I did enter that properly. Also I was sure to name the "common name" of the certificate something unique and relevant. Question #2: In the EAP-TLS section of the "eap.conf" config file there is the "private_key_password" variable, and some instructions have told me just to comment that out.. I have also tried to use certificate passwords and also challenge passwords that were specified for the certificates, but I still get the same "Invalid Password" message on the OS X client no matter what I try to do with that. What is the best setting I should use for that? Question: #3: Elsewhere I have seen instructions for using XML configuration profiles for setting up the networking on Mac computers, but I would rather not deal with that right now and instead I would like to just create and install the certificates manually to get the most basic setup running.. Presumably it is not mandatory to use that XML method with Mavericks for the certificates although please correct me if I am wrong. I can provide whatever information is necessary, such as log files or the SSL commands I have used to create the certificates, ect.. Thank you for your help!
Hi,
I'm trying to configure a FreeRADIUS server (Version 2.1.12) on computer running Debian Linux (Raspbain), and I'm trying to connect to it with a Mac laptop running OS X Mavericks (10.9). I'm using the EAP-TLS Wireless WPA2-Enterprise SSL certificate method, but the Mac refuses to connect to the server, usually saying "Invalid password." The server seems to be functioning properly, when I run the "freeradius -X" command I get the "Ready to process requests" message and the error log does not log anything when I try to connect.
if you see nothing in debug mode....as you state...then the RADIUS requests arent getting to your server. so check your netwok settings, check the server firewall, check network ACLs , routing and your wireless/switch configurations. also, 2.1.12? thats just so totally obsolete. use at LEAST 2.2.x - and think about using version 3 for a new deployment.
Question #1: Do I need an entry in the FreeRADIUS config files for each individual client computer I'm trying to connect to, such as in
no. just for each NAS. entries for NAS go into clients.conf - but if thats not got an entry, you'll stiul have 'unknown client' being printed out in debug mode
Question #2: In the EAP-TLS section of the "eap.conf" config file there is the "private_key_password" variable, and some instructions have told me just to comment that out.. I have also tried to use
does your server cert have a password? if so, ensure its put in there correctly.
Question: #3: Elsewhere I have seen instructions for using XML configuration profiles for setting up the networking on Mac computers, but I would rather not deal with that right now and instead I would like to just create and install the certificates manually to get the most basic setup running.. Presumably it is not mandatory to use that XML method with Mavericks for the certificates although please correct me if I am wrong.
.mobileconfig files are the defacto way to configure OSX systems since Lion was released. users cannot manually configure their 802.1X settings. if the RADIUS CA file is known (and is private) to the system and you are using EAP-TLS and have a user certificate installed then the user can choose that identity....EAP-TLS is nice that way. if using PEAP or EAP-TTLS then you really want to ensure that the client is configured correctly with all the required RADIUS server CA and CN trust settings done properly as otherwise the client could be talking to any RADIUS server behind a malicious AP providing same SSID :/ also....latest OSes are far more fussy about certificates...need SHA-1 or above CA/server certs, (2.1.x was in the days of MD5....) and larger DH keys for latest forthcoming releases (2.1.x was 256 or 512 bit?) alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Edward Ulrich