FYI, I gave up on eap-tls for OS X and ios.
I am currently setup with a cisco 1282 access point running wpa2 supported by free radius under suse linux [tumble weed]. I am supporting students on window 7, [I believe I have a few win-10s] and osx, will be testing ios later this week. The server is the CA, and for testing purposes I had setup a self signed cert, and was testing the client cert. I could not get it to work, went through a number of different efforts with multiple tries / multiple profiles on osx sierra, and el capitan Peap will have to do the job. that’s what is currently running. Sincerely, tob
On Wed, Mar 29, 2017 at 07:38:03PM +0000, John Tobin wrote:
I am currently setup with a cisco 1282 access point running wpa2 supported by free radius under suse linux [tumble weed]. I am supporting students on window 7, [I believe I have a few win-10s] and osx, will be testing ios later this week. The server is the CA, and for testing purposes I had setup a self signed cert, and was testing the client cert.
FWIW, we've got FR 3.0.11 on Debian 8 servers with OpenSSL 1.0.1. There are Macs and Windows 7 authenticating against it, Windows with PEAP/EAP-TLS and Macs with plain EAP-TLS. Cisco WLCs/APs, WPA2/AES. Certs are all from a local Microsoft CA. No "self-signed" certs apart from the CA root of course. Both server certs and client certs generated from the CA. Can't think why you'd use a self-signed cert for the server cert, unless that wasn't what you meant. Can't think what might not be working in your setup. But it does work. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Interesting. I have a self signed cert because [ I believe ] that is the test cert you get when you install radius. /etc/raddb/cert has a make, you run the make for test certs. I have doc that suggests os x and ios will no longer allow self signed certs, and it was suggested that I should have a self signed cert for free Radiusd eap-tls. The os x machines have no mods for a ³homebrewed² openssl? I am testing against sierra and elcapitan, and I was also told I would have to get special versions of openssl for os x at those levels because of problems in opensslŠ You have to implement homebrew openssl installŠ.. Will be interested in your feedback. Any comment? On 3/29/17, 16:14, "Freeradius-Users on behalf of Matthew Newton" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of mcn4@leicester.ac.uk> wrote:
On Wed, Mar 29, 2017 at 07:38:03PM +0000, John Tobin wrote:
I am currently setup with a cisco 1282 access point running wpa2 supported by free radius under suse linux [tumble weed]. I am supporting students on window 7, [I believe I have a few win-10s] and osx, will be testing ios later this week. The server is the CA, and for testing purposes I had setup a self signed cert, and was testing the client cert.
FWIW, we've got FR 3.0.11 on Debian 8 servers with OpenSSL 1.0.1. There are Macs and Windows 7 authenticating against it, Windows with PEAP/EAP-TLS and Macs with plain EAP-TLS. Cisco WLCs/APs, WPA2/AES.
Certs are all from a local Microsoft CA. No "self-signed" certs apart from the CA root of course. Both server certs and client certs generated from the CA. Can't think why you'd use a self-signed cert for the server cert, unless that wasn't what you meant.
Can't think what might not be working in your setup. But it does work.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Mar 29, 2017 at 11:24:37PM +0000, John Tobin wrote:
I have a self signed cert because [ I believe ] that is the test cert you get when you install radius. /etc/raddb/cert has a make, you run the make for test certs.
You get a self-signed root CA (ca.pem), a server cert signed by that CA (server.pem) and a client cert signed by the CA (client.pem). So the server should have the CA cert and the server cert configured, and the client should have the CA cert installed and the client cert for auth. You don't use the self-signed CA cert as the server cert. This is basic CA stuff.
The os x machines have no mods for a ³homebrewed² openssl? I am testing against sierra and elcapitan, and I was also told I would have to get special versions of openssl for os x at those levels because of problems in opensslŠ You have to implement homebrew openssl installŠ..
No idea, I'm not a Mac person. Homebrewed sounds like beer. The only issues I'm aware of with openssl and macs would be to disable tls1.2 as I think has already been mentioned, but I think Apple disabled that anyway for the time being because it broke too much stuff. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Mar 29, 2017, at 7:24 PM, John Tobin <jtobin@po-box.esu.edu> wrote:.
I have a self signed cert because [ I believe ] that is the test cert you get when you install radius. /etc/raddb/cert has a make, you run the make for test certs.
Yes... we're well aware of that.
I have doc that suggests os x and ios will no longer allow self signed certs,
I use a self-signed CA which issues a server cert every day with OSX and iOS. I don't know what magic doc you're reading (and you don't say what it is).
and it was suggested that I should have a self signed cert for free Radiusd eap-tls.
Who suggested it? The test certificates (and the process used to create them) work on every OS. That's why they exist... so people should use them.
The os x machines have no mods for a ³homebrewed² openssl?
I'm not sure what you mean by that. FreeRADIUS will work with the OpenSSL that's distributed with OSX. It will complain about the old version, but it will work.
I am testing against sierra and elcapitan, and I was also told
By who? And why do you believe some random document, or some random person instead of the experts on this list?
I would have to get special versions of openssl for os x at those levels because of problems in opensslŠ You have to implement homebrew openssl installŠ..
I would suggest using a home-brew version of OpenSSL. It's more up to date. But it's not *required*. I think I good part of the problem here is that you're reading random documentation. I don't know where you're getting that information from, but most of it is wrong. FreeRADIUS works. The scripts included with it work. The certificates it builds work. The documentation in FreeRADIUS is correct. Why would you go reading random *wrong* documentation, and ignore the *working* and *correct* documentation in front of you? i.e. if you're having problems with some third-party documentation, go ask *them* why their documentation doesn't work. Alan DeKok.
This is kind of unnecessary, but: I would not write to this list with any problems, if I didn’t assume there were some people Who were an authority on this list. I work with a number of colleagues who are also well meaning and knowledgeable on some of these topics. They forwarded to me the URL: https://developer.apple.com/videos/play/wwdc2016/706/ I was only able to get the video to run on my mac under safari, Firefox and Crome had problems, so I would recommend safari to view it. It was put out last year as a security update [2016]: about 10 minutes in it goes over Apples new philosophy about certificates. With my Colleagues expertise [this is a bit above my head] I am lead to believe self signed certs [that aren’t logged] will not work. If there is a work around for this problem or this should not affect free radius: Sure, tell me I am [once again] incorrect. I am a part time student who is part of the helpdesk, and the default sys admin for a small linux lab I have built from spare parts and used computers for the computer science group at East Stroudsburg University. I have struggled to get free radius up and running for the lab, and frankly don’t have time to argue with experts, I am trying to get this lab running. I struggled with eap-tls on apple products and gave up, that doesn’t mean it doesn’t work: I think that falls more along the lines of it wasn’t simple and took more time than I had. If that makes me less than competent, that’s fair. I changed the EAP profile for os x to support peap, which works. I am not using tls currently, that may change. Thanks for the opportunity to know I am not the expert you are. In future I may need some of your expertise, so I don’t need to make enemies. Humble pie has a special flavor all it’s own. Love you all. [you can smile now]. tob On 3/30/17, 08:33, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On Mar 29, 2017, at 7:24 PM, John Tobin <jtobin@po-box.esu.edu> wrote:.
I have a self signed cert because [ I believe ] that is the test cert you get when you install radius. /etc/raddb/cert has a make, you run the make for test certs.
Yes... we're well aware of that.
I have doc that suggests os x and ios will no longer allow self signed certs,
I use a self-signed CA which issues a server cert every day with OSX and iOS. I don't know what magic doc you're reading (and you don't say what it is).
and it was suggested that I should have a self signed cert for free Radiusd eap-tls.
Who suggested it? The test certificates (and the process used to create them) work on every OS. That's why they exist... so people should use them.
The os x machines have no mods for a ³homebrewed² openssl?
I'm not sure what you mean by that.
FreeRADIUS will work with the OpenSSL that's distributed with OSX. It will complain about the old version, but it will work.
I am testing against sierra and elcapitan, and I was also told
By who? And why do you believe some random document, or some random person instead of the experts on this list?
I would have to get special versions of openssl for os x at those levels because of problems in opensslŠ You have to implement homebrew openssl installŠ..
I would suggest using a home-brew version of OpenSSL. It's more up to date. But it's not *required*.
I think I good part of the problem here is that you're reading random documentation. I don't know where you're getting that information from, but most of it is wrong.
FreeRADIUS works. The scripts included with it work. The certificates it builds work. The documentation in FreeRADIUS is correct.
Why would you go reading random *wrong* documentation, and ignore the *working* and *correct* documentation in front of you?
i.e. if you're having problems with some third-party documentation, go ask *them* why their documentation doesn't work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 2, 2017, at 3:45 PM, John Tobin <jtobin@po-box.esu.edu> wrote:
This is kind of unnecessary, but:
I would not write to this list with any problems, if I didn’t assume there were some people Who were an authority on this list.
Then why are you arguing with the answers you get on this list?
I work with a number of colleagues who are also well meaning and knowledgeable on some of these topics.
They forwarded to me the URL: https://developer.apple.com/videos/play/wwdc2016/706/
I was only able to get the video to run on my mac under safari, Firefox and Crome had problems, so I would recommend safari to view it. It was put out last year as a security update [2016]: about 10 minutes in it goes over Apples new philosophy about certificates. With my Colleagues expertise [this is a bit above my head] I am lead to believe self signed certs [that aren’t logged] will not work. If there is a work around for this problem or this should not affect free radius: Sure, tell me I am [once again] incorrect.
What I said was correct. I use a Mac to develop FreeRADIUS. Every day I I log into a WiFi network secured with EAP-TTLS, and certificates created using the methods in the FreeRADIUS source. ... as I said before.
I am a part time student who is part of the helpdesk, and the default sys admin for a small linux lab I have built from spare parts and used computers for the computer science group at East Stroudsburg University.
Which means you should pay close attention to the advice on this list, instead of ignoring it.
I have struggled to get free radius up and running for the lab, and frankly don’t have time to argue with experts,
Then why are you still arguing? Install FreeRADIUS. Use the certificates it creates. It *will* work. Or at least... it's worked for everyone else. Maybe your network is magic.
I am trying to get this lab running. I struggled with eap-tls on apple products and gave up, that doesn’t mean it doesn’t work: I think that falls more along the lines of it wasn’t simple and took more time than I had. If that makes me less than competent, that’s fair.
<shrug> Install FreeRADIUS, create the CA / server / client certs. The hardest part of the process is getting an Apple mobileconfig file.
I changed the EAP profile for os x to support peap, which works.
Then create a client cert using the same CA, and EAP-TLS will work.
I am not using tls currently, that may change.
Thanks for the opportunity to know I am not the expert you are. In future I may need some of your expertise, so I don’t need to make enemies.
Humble pie has a special flavor all it’s own. Love you all. [you can smile now].
I have no idea why people feel the need to explain how terrible FreeRADIUS is, when at the same time they're ignoring the advice we give. Alan DeKok.
participants (3)
-
Alan DeKok -
John Tobin -
Matthew Newton