Solutions: Various certificate issues with MACOSX (TLS Errors)

Jelle Langbroek jml at orkz.net
Tue Jun 24 17:32:39 CEST 2008


Hi,

I'm posting this to the list just for future reference. Though this may not
seem a freeRadius issue, it still had a lot to do with it. Probably people
with the same issues will look in this list for answers.

I've been struggling with various freeRadius certificate issues the past
year. Mainly Apple's OSX had problems with connecting. The problem got more
complicated because different OSX versions reacted differently and had to be
configured differently.
The errors that kept popping up in the freeRadius logs (and because of which
authentication failed) were:

Tue Jun 24 16:18:26 2008 : Error: TLS Alert read:warning:close notify
Tue Jun 24 16:18:26 2008 : Auth: Login incorrect: [UserX/<via Auth-Type = EAP>] (from client NAS-name port 62 cli 001d4ffdebe8)

The error on the OSX client was something like "802.1x Authentication has
failed" or it gives a "TLS error".

I recently found how to solve the problem on all Apple OSX clients. Looking
backward it seems obvious, but I struggled with it for a long time
nevertheless.

Configuration:
* Server: freeRadius 2.0.5 using PEAP without client certificates. !Server
certificate is self-signed!
* AP: Linksys WAP54G, WPA-Enterprise, AES
* Client: Apple MacOSX (tested with 10.3x, 10.4x and 10.5x)

Problem:
* The Airport was configured as follows:
- Created new 802.1x connection and set Configuration: "Disable 802.1x
login", set username, password and network and set ONLY PEAP (for what I use
on my WLAN).
- Now connect to the network with WPA-Enterprise, username, password and
802.1x authentication.

What will happen is that either you get a popup window regarding the
self-signed server certificate and you should push 'Continue' or
authentication will fail. When you get the popup window, push 'Continue' and
the Airport will connect correctly. Make sure you DON'T set the trust
settings regarding the certificate to "Always trust" because then
authentication will fail in the future. I don't know why this is the case,
it just is... It means your users will always have to push the 'Continue'
button when connecting.

When authentication fails without a certificate popup, you probably already
have a certificate installed (OSX did that itself) that refers to your
freeRadius server. Could be the test certificate when freeRadius was
launched for the first time.
To resolve the problem on the OSX client go to "Programs - Utilities -
Keychain access" and look for certificates regarding your radius-server. Now
delete them or, if the certificates are the right ones, set the 'trust
settings' to "Ask (every time)".

The main problem here is how OSX deals with self-signed certificates. It
somehow needs to ask the user to accept the certificate every time it
connects to freeRadius. When OSX is set to always trust it, it fails to send
the right credentials or authentication information.
I will try it with a certificate from a Certified CA. OSX should accept that
one immediately. More on that later.

If anybody has more/other information on this, I'm happy to read that! :)

Yours,
Jelle
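
Added example, not part of the original post: a small Python script that scans a log in the format quoted above and reports which client MAC/user pairs had an EAP reject right after a "TLS Alert read:warning:close notify" line, to separate certificate-trust failures from ordinary wrong-password rejects. The sample log is constructed, and because the alert line carries no client identifier, pairing it with the next reject by time (the `window` parameter) is an assumption that can mis-attribute on a busy server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the post (UserY/UserZ and their MACs are made up).
SAMPLE_LOG = """\
Tue Jun 24 16:18:26 2008 : Error: TLS Alert read:warning:close notify
Tue Jun 24 16:18:26 2008 : Auth: Login incorrect: [UserX/<via Auth-Type = EAP>] (from client NAS-name port 62 cli 001d4ffdebe8)
Tue Jun 24 16:19:02 2008 : Auth: Login OK: [UserY/<via Auth-Type = EAP>] (from client NAS-name port 63 cli 001122334455)
Tue Jun 24 16:20:10 2008 : Auth: Login incorrect: [UserZ/<via Auth-Type = EAP>] (from client NAS-name port 64 cli 00aabbccddee)
Tue Jun 24 16:21:40 2008 : Error: TLS Alert read:warning:close notify
Tue Jun 24 16:21:41 2008 : Auth: Login incorrect: [UserX/<via Auth-Type = EAP>] (from client NAS-name port 62 cli 001d4ffdebe8)
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : (.*)$")
ALERT = "TLS Alert read:warning:close notify"
FAIL = re.compile(
    r"Login incorrect: \[(.+?)/<via Auth-Type = EAP>\] .* cli ([0-9A-Fa-f:.-]+)\)"
)

def tls_alert_failures(log_text, window=2):
    """Count EAP rejects that follow a TLS close-notify alert within `window` seconds."""
    hits = defaultdict(int)
    last_alert = None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip continuation lines or unrelated output
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if ALERT in msg:
            last_alert = when
            continue
        f = FAIL.search(msg)
        if f and last_alert is not None:
            if 0 <= (when - last_alert).total_seconds() <= window:
                hits[(f.group(2), f.group(1))] += 1  # key: (client MAC, user)
                last_alert = None  # one alert explains at most one reject
    return dict(hits)

if __name__ == "__main__":
    for (mac, user), n in sorted(tls_alert_failures(SAMPLE_LOG).items()):
        print(f"{mac} {user}: {n} reject(s) preceded by TLS close notify")
```

Clients that show up here repeatedly are the ones whose Keychain trust settings for the RADIUS server certificate are worth checking first.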