unknown CA when trying to authenticate
Version 3.0.16, running on Ubuntu 18.04. While running freeradius -X and trying to connect a user (Ubiquiti controller), I see "eap_peap: ERROR: TLS Alert read:fatal:unknown CA". /etc/freeradius/3.0/mods-enabled/eap has its tls-config tls-common section like private_key_file = /etc/freeradius/3.0/certs/letsencrypt/privkey.pem certificate_file = /etc/freeradius/3.0/certs/letsencrypt/cert.pem ca_file = /etc/ssl/certs/ca-certificates.crt My CA was copied to /usr/local/share/ca-certificates/ and ran dpkg-reconfigure ca-certificates. I then checked ca-certificates.crt and confirmed my CA was appended to the bottom.
On Feb 21, 2021, at 10:57 PM, Tyler Montney <montneytyler@gmail.com> wrote:
Version 3.0.16, running on Ubuntu 18.04.
While running freeradius -X and trying to connect a user (Ubiquiti controller), I see "eap_peap: ERROR: TLS Alert read:fatal:unknown CA".
What is the user system running? How does it authenticate?
/etc/freeradius/3.0/mods-enabled/eap has its tls-config tls-common section like
private_key_file = /etc/freeradius/3.0/certs/letsencrypt/privkey.pem certificate_file = /etc/freeradius/3.0/certs/letsencrypt/cert.pem ca_file = /etc/ssl/certs/ca-certificates.crt
That's good.
My CA was copied to /usr/local/share/ca-certificates/ and ran dpkg-reconfigure ca-certificates. I then checked ca-certificates.crt and confirmed my CA was appended to the bottom.
That's not. You haven't described what you're using to authenticate. Where does it get the certificates from? The certificate store you edited is used for web authentication, not WiFi. You need to read the documentation for your system to see how to get WiFi authentication working. This isn't a FreeRADIUS issue. Alan DeKok.
" What is the user system running? How does it authenticate?" Same OS as FreeRadius, running the Unifi Controller. The controller authenticates wireless users through RADIUS. RADIUS uses LDAP as its user database. "Where does it get the certificates from?" An internal "LetsEncrypt", step-ca. "The certificate store you edited is used for web authentication, not WiFi." Yes, but the EAP module is pointing to that store. I don't see how that's related to web authentication. If I set the LDAP module's "require_cert" to 'demand' (rather than 'allow'), freeradius will refuse to start with a similar error. It fails to connect over LDAPS. On Mon, Feb 22, 2021 at 6:06 AM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 21, 2021, at 10:57 PM, Tyler Montney <montneytyler@gmail.com> wrote:
Version 3.0.16, running on Ubuntu 18.04.
While running freeradius -X and trying to connect a user (Ubiquiti controller), I see "eap_peap: ERROR: TLS Alert read:fatal:unknown CA".
What is the user system running? How does it authenticate?
/etc/freeradius/3.0/mods-enabled/eap has its tls-config tls-common section like
private_key_file = /etc/freeradius/3.0/certs/letsencrypt/privkey.pem certificate_file = /etc/freeradius/3.0/certs/letsencrypt/cert.pem ca_file = /etc/ssl/certs/ca-certificates.crt
That's good.
My CA was copied to /usr/local/share/ca-certificates/ and ran dpkg-reconfigure ca-certificates. I then checked ca-certificates.crt and confirmed my CA was appended to the bottom.
That's not. You haven't described what you're using to authenticate. Where does it get the certificates from?
The certificate store you edited is used for web authentication, not WiFi.
You need to read the documentation for your system to see how to get WiFi authentication working. This isn't a FreeRADIUS issue.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 22, 2021, at 10:46 AM, Tyler Montney <montneytyler@gmail.com> wrote:
" What is the user system running? How does it authenticate?"
Same OS as FreeRadius, running the Unifi Controller. The controller authenticates wireless users through RADIUS. RADIUS uses LDAP as its user database.
That really isn't answering my question. Do the users have access to the shell on the Unifi controller? Or are the users trying to gain network access via WiFi? If it's the second one, then again... what is the user system running? How did you configure it?
"Where does it get the certificates from?"
An internal "LetsEncrypt", step-ca.
That is also not answering my question. You configured the end-user system to use WiFi. As part of that process, you either did (or didn't) configure names, EAP type, certificates, etc. So... did you do that? If so, what did you do?
"The certificate store you edited is used for web authentication, not WiFi."
Yes, but the EAP module is pointing to that store. I don't see how that's related to web authentication.
In most systems, the default certificate stores are different for Web and for EAP. You do NOT want to use the same certificate store for both.
If I set the LDAP module's "require_cert" to 'demand' (rather than 'allow'), freeradius will refuse to start with a similar error. It fails to connect over LDAPS.
At this point, it's not at all clear what you're doing, or why. You aren't configuring FreeRADIUS using the normal process of putting the certs into raddb/certs. You aren't following any of the available "how to" guides for configuring FreeRADIUS, or EAP, or WiFi. There is existing documentation which tells you how to configure WiFi. Please follow it. And please also understand that *end user* systems are different than the Unifi controller, where you configure FreeRADIUS. Those end-user systems also need to be configured correctly for EAP / WiFi. It looks very much like you haven't done that. Alan DeKok.
"That really isn't answering my question. Do the users have access to the shell on the Unifi controller? Or are the users trying to gain network access via WiFi? If it's the second one, then again... what is the user system running? How did you configure it?" For instance, a Windows client trying to connect to a WiFi network. It tries to connect, is prompted for a username and password, then says "Can't connect to this network". (Simultaneously, I have "freeradius -X" running, where I see the CA error.) "You configured the end-user system to use WiFi." The only thing I have done on the end user system is import the root CA. "There is existing documentation which tells you how to configure WiFi." Please verify which documentation you're referring to, so that I know we're on the same page. On Mon, Feb 22, 2021 at 10:05 AM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 22, 2021, at 10:46 AM, Tyler Montney <montneytyler@gmail.com> wrote:
" What is the user system running? How does it authenticate?"
Same OS as FreeRadius, running the Unifi Controller. The controller authenticates wireless users through RADIUS. RADIUS uses LDAP as its user database.
That really isn't answering my question.
Do the users have access to the shell on the Unifi controller? Or are the users trying to gain network access via WiFi?
If it's the second one, then again... what is the user system running? How did you configure it?
"Where does it get the certificates from?"
An internal "LetsEncrypt", step-ca.
That is also not answering my question. You configured the end-user system to use WiFi. As part of that process, you either did (or didn't) configure names, EAP type, certificates, etc.
So... did you do that? If so, what did you do?
"The certificate store you edited is used for web authentication, not WiFi."
Yes, but the EAP module is pointing to that store. I don't see how that's related to web authentication.
In most systems, the default certificate stores are different for Web and for EAP. You do NOT want to use the same certificate store for both.
If I set the LDAP module's "require_cert" to 'demand' (rather than 'allow'), freeradius will refuse to start with a similar error. It fails to connect over LDAPS.
At this point, it's not at all clear what you're doing, or why.
You aren't configuring FreeRADIUS using the normal process of putting the certs into raddb/certs. You aren't following any of the available "how to" guides for configuring FreeRADIUS, or EAP, or WiFi.
There is existing documentation which tells you how to configure WiFi. Please follow it.
And please also understand that *end user* systems are different than the Unifi controller, where you configure FreeRADIUS. Those end-user systems also need to be configured correctly for EAP / WiFi. It looks very much like you haven't done that.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I have the same problem, with different devices no connection and all
with "unknown CA error". I googled a little bit and finde the
"eapol_test", but the freeradius doku is outdatetd.
In Short, mybe it might help.
----
wget http://w1.fi/releases/wpa_supplicant-2.9.tar.gz
make eapol_test
cat ttls-eap-mschapv2.conf
#
# eapol_test -c ttls-eap-mschapv2.conf -s testing123
#
network={
ssid="example"
key_mgmt=WPA-EAP
eap=TTLS
identity="UIDr"
anonymous_identity="anonymous"
password="PASSWORD"
phase2="autheap=MSCHAPV2"
#
# Uncomment the following to perform server certificate
validation.
ca_cert="/etc/freeradius/3.0/certs/ca-gen2.pem"
}
Run it:
./eapol_test -c ttls-eap-mschapv2.conf -s testing123
Eaptool-log
---cut
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
//Freeradius-Log
Login OK: [UID] (from client localhost port 0 cli 02-00-00-00-00-01 via
TLS tunnel)
I have no idea what the problem might be.
The ca-cert chain contains the "ROOT-CA" -> "Intermediate-CA" ->
"Local-CA", is this correct? Do I need the complete chain on the device
(Android/Windows)?
Please let me know if you find out anything.
Regards
Carsten
Am 22.02.2021 um 17:22 schrieb Tyler Montney:
> "That really isn't answering my question. Do the users have access to the
> shell on the Unifi controller? Or are the users trying to gain network
> access via WiFi? If it's the second one, then again... what is the user
> system running? How did you configure it?"
>
> For instance, a Windows client trying to connect to a WiFi network. It
> tries to connect, is prompted for a username and password, then says "Can't
> connect to this network". (Simultaneously, I have "freeradius -X" running,
> where I see the CA error.)
>
> "You configured the end-user system to use WiFi."
>
> The only thing I have done on the end user system is import the root CA.
>
> "There is existing documentation which tells you how to configure WiFi."
>
> Please verify which documentation you're referring to, so that I know we're
> on the same page.
>
> On Mon, Feb 22, 2021 at 10:05 AM Alan DeKok <aland@deployingradius.com>
> wrote:
>
>> On Feb 22, 2021, at 10:46 AM, Tyler Montney <montneytyler@gmail.com>
>> wrote:
>>> " What is the user system running? How does it authenticate?"
>>>
>>> Same OS as FreeRadius, running the Unifi Controller. The controller
>>> authenticates wireless users through RADIUS. RADIUS uses LDAP as its user
>>> database.
>> That really isn't answering my question.
>>
>> Do the users have access to the shell on the Unifi controller? Or are
>> the users trying to gain network access via WiFi?
>>
>> If it's the second one, then again... what is the user system running?
>> How did you configure it?
>>
>>> "Where does it get the certificates from?"
>>>
>>> An internal "LetsEncrypt", step-ca.
>> That is also not answering my question. You configured the end-user
>> system to use WiFi. As part of that process, you either did (or didn't)
>> configure names, EAP type, certificates, etc.
>>
>> So... did you do that? If so, what did you do?
>>
>>> "The certificate store you edited is used for web authentication, not
>> WiFi."
>>> Yes, but the EAP module is pointing to that store. I don't see how that's
>>> related to web authentication.
>> In most systems, the default certificate stores are different for Web
>> and for EAP. You do NOT want to use the same certificate store for both.
>>
>>> If I set the LDAP module's "require_cert" to
>>> 'demand' (rather than 'allow'), freeradius will refuse to start with a
>>> similar error. It fails to connect over LDAPS.
>> At this point, it's not at all clear what you're doing, or why.
>>
>> You aren't configuring FreeRADIUS using the normal process of putting
>> the certs into raddb/certs. You aren't following any of the available "how
>> to" guides for configuring FreeRADIUS, or EAP, or WiFi.
>>
>> There is existing documentation which tells you how to configure WiFi.
>> Please follow it.
>>
>> And please also understand that *end user* systems are different than
>> the Unifi controller, where you configure FreeRADIUS. Those end-user
>> systems also need to be configured correctly for EAP / WiFi. It looks very
>> much like you haven't done that.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 22, 2021, at 11:22 AM, Tyler Montney <montneytyler@gmail.com> wrote:
For instance, a Windows client trying to connect to a WiFi network. It tries to connect, is prompted for a username and password, then says "Can't connect to this network". (Simultaneously, I have "freeradius -X" running, where I see the CA error.)
That is a much better description of the problem. The error is *not* coming from FreeRADIUS. The Windows system is sending FreeRADIUS a TLS layer alert message, which say "I don't understand who you are". The solution is NOT to poke FreeRADIUS. The solution is to fix the Windows system so that it knows about the RADIUS certificates.
"You configured the end-user system to use WiFi."
The only thing I have done on the end user system is import the root CA.
Where? How? As I said before, the CA stores are different for Web and EAP. Are you sure that you that you're installing the certificate in the right place in Windows?
"There is existing documentation which tells you how to configure WiFi."
Please verify which documentation you're referring to, so that I know we're on the same page.
This documentation is specific to Windows, and changes over time. I'm sure Microsoft has documentation for their product... My web site has had detailed documentation on *generic* EAP testing for ~15+ years: http://deployingradius.com It's pointed to from the FreeRADIUS documentation, wiki, etc. That documentation walks you through the steps necessary to configure EAP, including testing Or, there's "google". https://www.google.com/search?q=How+do+I+install+a+WiFi+certificate+in+Windo... Alan DeKok.
I guess there was a bit more configuration to setting up radius on Windows than I thought. Thanks to Windows 10, a lot of the old dialogs are hidden/harder to get to. When connecting, I am now seeing "mschap: WARNING: No ClearText-Password configured. Cannot create NT-Password/LM-Password." On Mon, Feb 22, 2021 at 11:13 AM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 22, 2021, at 11:22 AM, Tyler Montney <montneytyler@gmail.com> wrote:
For instance, a Windows client trying to connect to a WiFi network. It tries to connect, is prompted for a username and password, then says "Can't connect to this network". (Simultaneously, I have "freeradius -X" running, where I see the CA error.)
That is a much better description of the problem.
The error is *not* coming from FreeRADIUS. The Windows system is sending FreeRADIUS a TLS layer alert message, which say "I don't understand who you are".
The solution is NOT to poke FreeRADIUS. The solution is to fix the Windows system so that it knows about the RADIUS certificates.
"You configured the end-user system to use WiFi."
The only thing I have done on the end user system is import the root CA.
Where? How?
As I said before, the CA stores are different for Web and EAP. Are you sure that you that you're installing the certificate in the right place in Windows?
"There is existing documentation which tells you how to configure WiFi."
Please verify which documentation you're referring to, so that I know we're on the same page.
This documentation is specific to Windows, and changes over time. I'm sure Microsoft has documentation for their product...
My web site has had detailed documentation on *generic* EAP testing for ~15+ years: http://deployingradius.com
It's pointed to from the FreeRADIUS documentation, wiki, etc. That documentation walks you through the steps necessary to configure EAP, including testing
Or, there's "google".
https://www.google.com/search?q=How+do+I+install+a+WiFi+certificate+in+Windo...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 22, 2021, at 1:34 PM, Tyler Montney <montneytyler@gmail.com> wrote:
I guess there was a bit more configuration to setting up radius on Windows than I thought. Thanks to Windows 10, a lot of the old dialogs are hidden/harder to get to.
That's good.
When connecting, I am now seeing "mschap: WARNING: No ClearText-Password configured. Cannot create NT-Password/LM-Password."
I'm wondering why you're only giving the minimum possible description for everything you do. Where are the users stored? What format is their passwords in? What configuration changes did you make to the server? All of that is relevant. Until you decide to start giving more information, this will be a slow and painful process for everyone. Alan DeKok.
"I'm wondering why you're only giving the minimum possible description for everything you do." I was not aware that I was. "Where are the users stored?" A Samba server (integrated LDAP) running as a domain controller. "What format is their passwords in?" Not sure. "What configuration changes did you make to the server" https://pastebin.com/7kDPmL3p "All of that is relevant. Until you decide to start giving more information, this will be a slow and painful process for everyone" I apologize, I am not intentionally making this difficult. Each time I've provided what I thought was relevant. Anything omitted is because I don't know *what* is relevant, hence why I am here. On Mon, Feb 22, 2021 at 12:55 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 22, 2021, at 1:34 PM, Tyler Montney <montneytyler@gmail.com> wrote:
I guess there was a bit more configuration to setting up radius on Windows than I thought. Thanks to Windows 10, a lot of the old dialogs are hidden/harder to get to.
That's good.
When connecting, I am now seeing "mschap: WARNING: No ClearText-Password configured. Cannot create NT-Password/LM-Password."
I'm wondering why you're only giving the minimum possible description for everything you do.
Where are the users stored? What format is their passwords in? What configuration changes did you make to the server?
All of that is relevant. Until you decide to start giving more information, this will be a slow and painful process for everyone.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 22, 2021, at 3:00 PM, Tyler Montney <montneytyler@gmail.com> wrote:
"I'm wondering why you're only giving the minimum possible description for everything you do."
I was not aware that I was.
Did you give a *full* description of what you wanted to do, as requested in http://wiki.freeradius.org/list-help ? Or was it "I did stuff and it didn't work". We're not mind readers. RADIUS servers can talk to LDAP, Active Directory, Samba, MySQL, Oracle, PostgreSQL, Redis, and the list goes on. Unless you describe what you're doing, we don't know what you're doing.
"Where are the users stored?"
A Samba server (integrated LDAP) running as a domain controller.
"What format is their passwords in?"
Not sure.
"What configuration changes did you make to the server"
I'm not going to read random diffs (or whatever that is). You need to describe what you did using plain English. Right now, you're going "meh, I'm not going to describe things. I'm just going to dump stuff on Alan, and ask him to figure it out". No, it doesn't work that way.
"All of that is relevant. Until you decide to start giving more information, this will be a slow and painful process for everyone"
I apologize, I am not intentionally making this difficult. Each time I've provided what I thought was relevant. Anything omitted is because I don't know *what* is relevant, hence why I am here.
ANYTHING you change is relevant. It's really that simple. Alan DeKok.
"Did you give a *full* description of what you wanted to do, as requested in http://wiki.freeradius.org/list-help" Truncated -X output, and no config initially. I got to the mailing list by landing on https://freeradius.org/support/ from Google, then going to http://lists.freeradius.org/mailman/listinfo/freeradius-users. I saw no mention of this page. Someone should include this link to that page there. "Or was it "I did stuff and it didn't work"." I can't say it was that bad. I guess with the expertise disparity it looks that way. "We're not mind readers." I never said this. My lack of details shouldn't imply that. "I'm not going to read random diffs (or whatever that is). You need to describe what you did using plain English." I tried that, and that didn't work. I've provided an exact output of every command I've done, and now that's not acceptable. The pastebin isn't a diff, it's my rough doc to recreate this if I need to in the future. "Right now, you're going "meh, I'm not going to describe things. I'm just going to dump stuff on Alan, and ask him to figure it out"." This is getting ridiculous. You could have said, "Please refer to X. Once you've done that, we can proceed". Instead, you're focusing on being rude and talking down to me. If someone else here wants to help, I'll take it from them. Perhaps someone else on here is a "mind reader". You're off the hook. On Mon, Feb 22, 2021 at 4:30 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 22, 2021, at 3:00 PM, Tyler Montney <montneytyler@gmail.com> wrote:
"I'm wondering why you're only giving the minimum possible description
for
everything you do."
I was not aware that I was.
Did you give a *full* description of what you wanted to do, as requested in http://wiki.freeradius.org/list-help ?
Or was it "I did stuff and it didn't work".
We're not mind readers. RADIUS servers can talk to LDAP, Active Directory, Samba, MySQL, Oracle, PostgreSQL, Redis, and the list goes on. Unless you describe what you're doing, we don't know what you're doing.
"Where are the users stored?"
A Samba server (integrated LDAP) running as a domain controller.
"What format is their passwords in?"
Not sure.
"What configuration changes did you make to the server"
I'm not going to read random diffs (or whatever that is). You need to describe what you did using plain English.
Right now, you're going "meh, I'm not going to describe things. I'm just going to dump stuff on Alan, and ask him to figure it out".
No, it doesn't work that way.
"All of that is relevant. Until you decide to start giving more information, this will be a slow and painful process for everyone"
I apologize, I am not intentionally making this difficult. Each time I've provided what I thought was relevant. Anything omitted is because I don't know *what* is relevant, hence why I am here.
ANYTHING you change is relevant. It's really that simple.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 22, 2021, at 6:36 PM, Tyler Montney <montneytyler@gmail.com> wrote:
"Did you give a *full* description of what you wanted to do, as requested in http://wiki.freeradius.org/list-help"
Truncated -X output, and no config initially. I got to the mailing list by landing on https://freeradius.org/support/ from Google, then going to http://lists.freeradius.org/mailman/listinfo/freeradius-users. I saw no mention of this page. Someone should include this link to that page there.
When you subscribe to the list, you get an email pointing you to that page. It helps to read it. As for the rest of your message... you can give tons of detail to prove you did nothing wrong. But when you want help, you give almost no information. Most people would see the contradiction here.
If someone else here wants to help, I'll take it from them. Perhaps someone else on here is a "mind reader". You're off the hook.
Stop your personal attacks, or you will be unsubscribed from the list, and permanently banned. This is your only warning. Alan DeKok.
Thank you for your time, I no longer need assistance. Consider this resolved. On Mon, Feb 22, 2021 at 5:55 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 22, 2021, at 6:36 PM, Tyler Montney <montneytyler@gmail.com> wrote:
"Did you give a *full* description of what you wanted to do, as requested in http://wiki.freeradius.org/list-help"
Truncated -X output, and no config initially. I got to the mailing list by landing on https://freeradius.org/support/ from Google, then going to http://lists.freeradius.org/mailman/listinfo/freeradius-users. I saw no mention of this page. Someone should include this link to that page there.
When you subscribe to the list, you get an email pointing you to that page. It helps to read it.
As for the rest of your message... you can give tons of detail to prove you did nothing wrong. But when you want help, you give almost no information. Most people would see the contradiction here.
If someone else here wants to help, I'll take it from them. Perhaps someone else on here is a "mind reader". You're off the hook.
Stop your personal attacks, or you will be unsubscribed from the list, and permanently banned.
This is your only warning.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I got the same problem after a Debian upgrade from 9 to 10 and it was not a client problem! Our CA: Root-CA - Intermediate CA - CA The solution for me //in mods-enabled/eap #ca_file = ${certdir}/ca-gen2.pem <- Dont use this - put your CAs into certificate_file! certificate_file = ${certdir}/radius1w.company.de.pem <-Now: Certificate - CA - Inter-CA - RootCA Restart. Works! Maybe this might help as well: http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/ https://networkradius.com/doc/3.0.10/raddb/tls/tls-config_tls-common.html Cheers Carsten Am 23.02.2021 um 01:01 schrieb Tyler Montney:
Thank you for your time, I no longer need assistance. Consider this resolved.
On Mon, Feb 22, 2021 at 5:55 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 22, 2021, at 6:36 PM, Tyler Montney <montneytyler@gmail.com> wrote: "Did you give a *full* description of what you wanted to do, as requested in http://wiki.freeradius.org/list-help"
Truncated -X output, and no config initially. I got to the mailing list by landing on https://freeradius.org/support/ from Google, then going to http://lists.freeradius.org/mailman/listinfo/freeradius-users. I saw no mention of this page. Someone should include this link to that page there.
When you subscribe to the list, you get an email pointing you to that page. It helps to read it.
As for the rest of your message... you can give tons of detail to prove you did nothing wrong. But when you want help, you give almost no information. Most people would see the contradiction here.
If someone else here wants to help, I'll take it from them. Perhaps someone else on here is a "mind reader". You're off the hook. Stop your personal attacks, or you will be unsubscribed from the list, and permanently banned.
This is your only warning.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 24, 2021, at 3:00 AM, Carsten Schulze <carsten.schulze@leuphana.de> wrote:
I got the same problem after a Debian upgrade from 9 to 10 and it was not a client problem!
Our CA: Root-CA - Intermediate CA - CA
The solution for me
//in mods-enabled/eap #ca_file = ${certdir}/ca-gen2.pem <- Dont use this - put your CAs into certificate_file! certificate_file = ${certdir}/radius1w.company.de.pem <-Now: Certificate - CA - Inter-CA - RootCA
Restart. Works!
OpenSSL sometime changes how they do things internally, which means behavioural changes in TLS. This is unfortunate. We've had to add code to FreeRADIUS to tell OpenSSL "No, don't do what you want, do what we tell you to do". Generally, it's good to put all of the certificates into "certificate_file" as per the docs. But it doesn't always work for everyone.
Maybe this might help as well: http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/
A good chunk of that is copied from my page, which is 10 years older. And a lot isn't relevant. But whatever. Alan DeKok.
I've made the configuration changes outlined How to Install and Configure Freeradius With Active Directory Allow Allow Specific Group of Users to Authenticate in Debian 10 - My Blog - For Fun (stevedong.com) <https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/#install-freeradius> starting at "Grant Permission" and ending at "Configure freeradius-ldap Auth with AD" with testing with radtest. radtest -t mschap <user> <password> localhost 0 testing123 fails ('The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)') but radtest <domain_accout> <password> localhost 0 testing123 succeeds. On Mon, Feb 22, 2021 at 12:55 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 22, 2021, at 1:34 PM, Tyler Montney <montneytyler@gmail.com> wrote:
I guess there was a bit more configuration to setting up radius on Windows than I thought. Thanks to Windows 10, a lot of the old dialogs are hidden/harder to get to.
That's good.
When connecting, I am now seeing "mschap: WARNING: No ClearText-Password configured. Cannot create NT-Password/LM-Password."
I'm wondering why you're only giving the minimum possible description for everything you do.
Where are the users stored? What format is their passwords in? What configuration changes did you make to the server?
All of that is relevant. Until you decide to start giving more information, this will be a slow and painful process for everyone.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 22, 2021, at 5:11 PM, Tyler Montney <montneytyler@gmail.com> wrote:
I've made the configuration changes outlined How to Install and Configure Freeradius With Active Directory Allow Allow Specific Group of Users to Authenticate in Debian 10 - My Blog - For Fun (stevedong.com) <https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/#install-freeradius>
Yeah... FreeRADIUS has a Wiki with AD instructions, and I have my deployingradius.com site with documentation on getting FR and AD to work. But instead of using that, there's some random third-party web site
starting at "Grant Permission" and ending at "Configure freeradius-ldap Auth with AD" with testing with radtest. radtest -t mschap <user> <password> localhost 0 testing123 fails ('The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)') but radtest <domain_accout> <password> localhost 0 testing123 succeeds.
If only there was some kind of debug output you could read to figure out what the server was doing. If only there was a ton of documentation which told you to use that debug output. I guess it's a mystery. You're making this difficult. You're doing everything *other* than what the documentation says. This is just not necessary. Alan DeKok.
participants (3)
-
Alan DeKok -
Carsten Schulze -
Tyler Montney