Problem with certificates on Version 3.0.12
Hello all, I have successfully installed and have running FreeRADIUS Version 3.0.12. I have been able to use PAP to authenticate fine with all my network devices, i.e. Cisco. I am however having problems authenticating wireless clients on a Cisco 1142N autonomous access-point. I followed the instructions I found advising to set up open WEP authentication with EAP. The problem I am having is installing the certificates in the /etc/raddb/certs/ directory. The instructions I found advised to install the ca.der and client.p12 certificates on my wireless workstation, Windows 10 Pro. When I try to install the ca certificate I get the following window pops up: When I try to install the client certificate this window pops up: It appeared that the .pem files installed as certificates, but when I try to authenticate to the SSID in question I get the following debug outputs in my Cisco AP: Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: client is added to the client list for application 0x1 Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: Created new client for application 0x1 Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: req->auth_type 0 Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: auth_methods_inprocess: 2 Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: eap list name: eap_methods Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: Start auth method EAP or LEAP Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth_dot1x: in the dot11_auth_dot1x_start Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_dot1x: Sending identity request to client Mar 8 10:49:03.265 CST: EAPOL pak dump tx Mar 8 10:49:03.265 CST: EAPOL Version: 0x1 type: 0x0 length: 0x003D Mar 8 10:49:03.265 CST: EAP code: 0x1 id: 0x1 length: 0x003D type: 0x1 06021490: 0100003D 0101003D 01006E65 74776F72 ...=...=..networ 060214A0: 6B69643D 42696742 616E675F 322C6E61 kid=BigBang_2,na 060214B0: 7369643D 74787765 61686F6D 78702D61 sid=txweahomxp-a 060214C0: 70313134 32303031 2C706F72 7469643D p1142001,portid= 060214D0: 30 0 Mar 8 10:49:03.266 CST: (0000.0000.0000): dot11_auth: sending data to requestor status 1 txweahomxp-ap1142001# Mar 8 10:49:03.266 CST: (0000.0000.0000): dot11_auth: Sending EAPOL to requestor Mar 8 10:49:03.266 CST: (0000.0000.0000): dot11_dot1x: Client timer started for 30 seconds The timer just keeps timing out and repeats itself until I disconnect the SSID and running FreeRADIUS in the debug mode I never see any activity in the debug outputs. Therefore I am to assume that the wireless client bridging through the ap is never even trying to talk to the FreeRADIUS server. I can however change the encryption methods in the AP for this SSID and it will authenticate. I have to configure the encryption mode ciphers for the SSID VLAN in the radio configuration and then set up for key-management authentication wpa version 2 in the SSID configuration and the wireless client authenticates through the FreeRADIUS server. When I set it up this way though I am requested to enter username/password combination and accept the certificate ( I would assume this is the certificate from the server to be validated) before the connection process completes. What concerns me is that I see two warnings come up in the FreeRADIUS debug logs: (33) WARNING: Outer and inner identities are the same. User privacy is compromised. (33) pap: WARNING: Auth-Type already set. Not setting to PAP Via this method I see that the Outer identity has the username I entered when I connected instead of anonymous. In addition I see that PEAP is being used for the authentication process in the debug logs: (34) eap: Peer sent packet with method EAP PEAP (25) (34) eap: Calling submodule eap_peap to process data (34) eap_peap: Continuing EAP-TLS (34) eap_peap: [eaptls verify] = ok (34) eap_peap: Done initial handshake (34) eap_peap: [eaptls process] = ok (34) eap_peap: Session established. Decoding tunneled attributes (34) eap_peap: PEAP state send tlv success (34) eap_peap: Received EAP-TLV response (34) eap_peap: Success I believe a lot of this information is superfluous for the purposes of this post, but my main question would be why can't I install the certificates from the /certs/ directory? Thanks for any and all help. Rob Rutledge, CCNP CCDP
On Mar 8, 2017, at 12:19 PM, Rob Rutledge <robertrutledge2005@charter.net> wrote:
I am however having problems authenticating wireless clients on a Cisco 1142N autonomous access-point. I followed the instructions I found advising to set up open WEP authentication with EAP. The problem I am having is installing the certificates in the /etc/raddb/certs/ directory. The instructions I found advised to install the ca.der and client.p12 certificates on my wireless workstation, Windows 10 Pro. When I try to install the ca certificate I get the following window pops up:
The mailing list strips attachments. Only text is allowed.
The timer just keeps timing out and repeats itself until I disconnect the SSID and running FreeRADIUS in the debug mode I never see any activity in the debug outputs. Therefore I am to assume that the wireless client bridging through the ap is never even trying to talk to the FreeRADIUS server.
That looks like what's happening.
I can however change the encryption methods in the AP for this SSID and it will authenticate. I have to configure the encryption mode ciphers for the SSID VLAN in the radio configuration and then set up for key-management authentication wpa version 2 in the SSID configuration and the wireless client authenticates through the FreeRADIUS server. When I set it up this way though I am requested to enter username/password combination and accept the certificate ( I would assume this is the certificate from the server to be validated) before the connection process completes. What concerns me is that I see two warnings come up in the FreeRADIUS debug logs:
(33) WARNING: Outer and inner identities are the same. User privacy is compromised.
(33) pap: WARNING: Auth-Type already set. Not setting to PAP
Via this method I see that the Outer identity has the username I entered when I connected instead of anonymous.
That's set in the Windows 802.1X configuration. See the Windows UI for more details.
In addition I see that PEAP is being used for the authentication process in the debug logs:
(34) eap: Peer sent packet with method EAP PEAP (25)
(34) eap: Calling submodule eap_peap to process data
(34) eap_peap: Continuing EAP-TLS
(34) eap_peap: [eaptls verify] = ok
(34) eap_peap: Done initial handshake
(34) eap_peap: [eaptls process] = ok
(34) eap_peap: Session established. Decoding tunneled attributes
(34) eap_peap: PEAP state send tlv success
(34) eap_peap: Received EAP-TLV response
(34) eap_peap: Success
I believe a lot of this information is superfluous for the purposes of this post, but my main question would be why can't I install the certificates from the /certs/ directory?
I have no idea. I've tried to install certs on Windows repeatedly. Magically it works... magically it doesn't work. It's entirely opaque. Alan DeKok.
participants (2)
-
Alan DeKok -
Rob Rutledge