Re: [help] Mikrotik WDS + WPA2-EAP TLS + FreeRadius = failure
Why are you trying to change the configuration on the server?
You were already told where the problem was. It's not the server.
If you're not going to read the answers on this list, there's no reason to post questions.
Sorry , i didn't understood you. Where i said the answer? Why it's not server problem. If it can't read normal user info means that something wrong in its config and i didn't find any problem (coz i'm not guru at all). I know how use and search such lists and forums. but nothing helped me to solve the problem. Already three i'm tring to male this EAP-TLS to work but nothing works. maybe someone can structurize my knowledge or give me some basic hints hot build this EAP-TLS server-client structure ? I don't know. what to do. I don't know why but i'm sure problem is in server configuration. I'm just asking for help.
Denis Iskandarov wrote:
Sorry , i didn't understood you. Where i said the answer? Why it's not server problem. If it can't read normal user info means that something wrong in its config and i didn't find any problem (coz i'm not guru at all).
I've already responded to your messages with the answer. Go read those responses.
I know how use and search such lists and forums. but nothing helped me to solve the problem. Already three i'm tring to male this EAP-TLS to work but nothing works.
My earlier message explained why it doesn't work.
maybe someone can structurize my knowledge or give me some basic hints hot build this EAP-TLS server-client structure ?
I'm trying. You are ignoring my attempts to help.
I don't know. what to do. I don't know why but i'm sure problem is in server configuration.
No, it's not.
I'm just asking for help.
Then accept the help you're given. Ignoring the help is not appropriate. Alan DeKok.
I really appreciate your help but i can't understand some things. okey, let me ask some questions based on your very first answer. So suplicant sending some wrong packet. or something wrong withs it certificate? AP configured to use EAP-TLS and "passthrough" all eap requests to my freeradius. Client has it's client certificate. i've generated 3 certificates with OpenSSL: cacert.pem server-keycert.pem and client-keycert.pem (with xpextensions, but this is optional for xp clients). ca and server certs seems to be working coz TTLS is working fine.
The supplicant is broken. It's sending an EAP-Identity field with no data:
where "EAP-Identity field" is generated? what have i to check ? Other question, should this lines be uncommented: check_cert_issuer = "/C=ZZ/ST=Yyyyy/L=yyyyy/O=Xxx" or check_cert_cn = %{User-Name} or those are optional and by default some other fields are used for authentication? also. what should i insert in user.conf (in daloRADIUS db in my case)... which user or password should be used. Or TLS is not used with database and i can't track WiFi link users with EAP-TLS through db and daloRADIUS?
Denis Iskandarov wrote:
I really appreciate your help but i can't understand some things. okey, let me ask some questions based on your very first answer. So suplicant sending some wrong packet. or something wrong withs it certificate?
Possibly.
AP configured to use EAP-TLS and "passthrough" all eap requests to my freeradius. Client has it's client certificate.
You've said that a lot. There's no need to repeat it.
i've generated 3 certificates with OpenSSL: cacert.pem server-keycert.pem and client-keycert.pem (with xpextensions, but this is optional for xp clients). ca and server certs seems to be working coz TTLS is working fine.
Did you use the scripts in raddb/certs to create the certificates? If no, why not? Those scripts work, and create certificates that work.
The supplicant is broken. It's sending an EAP-Identity field with no data:
where "EAP-Identity field" is generated? what have i to check ?
It's generated by the supplicant. I said this already.
Other question, should this lines be uncommented: check_cert_issuer = "/C=ZZ/ST=Yyyyy/L=yyyyy/O=Xxx" or check_cert_cn = %{User-Name}
or those are optional and by default some other fields are used for authentication?
This is all documented in the comments in eap.conf, and the various EAP-TLS "howtos".
also. what should i insert in user.conf (in daloRADIUS db in my case)... which user or password should be used. Or TLS is not used with database and i can't track WiFi link users with EAP-TLS through db and daloRADIUS?
TLS doesn't use passwords. This is how TLS works, and is documented in many places. i.e. FreeRADIUS includes documentation on RADIUS. It doesn't describe how EAP-TLS works, how how certificates are created. That is *other* software, written by *other* people. Alan DeKok.
participants (2)
-
Alan DeKok -
Denis Iskandarov