Problems with CA using PEAP/TTLS
Dear list. I'm using freeradius 2.2.5 on debian for authentication of wireless access. The problem is that authenticating clients (I'm using PEAP/TTLS) works only if the CA-certificate is ignored by the client side. When trying to authenticate the clients using the CA in Network-Manager the authentication fails. The server certificate of freeradius is correctly signed and the public CA is selected at the clients (linux using Network-Manager). Is there a possibility to catch the server certificate on the client side after the transfer to the client. And then checking this server certificate signature against the locally installed CA-certificate by hand? For example using tcpdump? Many thanks in advance Jens
On Oct 11, 2016, at 4:28 PM, dump@gmx.info wrote:
I'm using freeradius 2.2.5 on debian for authentication of wireless access.
You should upgrade to 3.0.12. It may help.
The problem is that authenticating clients (I'm using PEAP/TTLS) works only if the CA-certificate is ignored by the client side.
Which means that the client doesn't have the CA installed.
When trying to authenticate the clients using the CA in Network-Manager the authentication fails. The server certificate of freeradius is correctly signed and the public CA is selected at the clients (linux using Network-Manager).
Ask the Network-Manager people why their software is broken. :(
Is there a possibility to catch the server certificate on the client side after the transfer to the client. And then checking this server certificate signature against the locally installed CA-certificate by hand? For example using tcpdump?
Use eapol_test. http://deployingradius.com/scripts/eapol_test/ Alan DeKok.
Hi,
I'm using freeradius 2.2.5 on debian for authentication of wireless
with that old version you will start to get more problems. what is the CA - selfsigned? it may be that the server cert or the CA does not meet client requirements (eg not SHA-2 but MD5, doesnt have required extensions or CA assertions etc. you can grab a copy of whats being thrown your way from the RADIUS server by using eg eapol_test (part of wpa supplicant package - comes with wpa_supplicant package in decent distros....build it yourself from source on lesser distros) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
dump@gmx.info