Certificate problems? Freeradius 2.1.10 on Debian squeeze
James J J Hooper
jjj.hooper at bristol.ac.uk
Sat Aug 6 00:23:34 CEST 2011
On 05/08/2011 17:00, John Dunning wrote:
> Greetings all,
>
> We've been running freeradius 1.x on Debian Lenny for some time with great success authenticating against Novell eDirectory/LDAP.
>
> Our Linux guru has moved on to exciting new opportunities and while the rest of us are decent at linux we're certainly missing his input here :)
>
> We're trying to update the system to Squeeze and move from eDirectory to Active Directory authentication to stay more easily within the debian package scope.
>
> I think I largely have the system setup to do EAP-TLS/PEAP/MS-CHAPv2 with Windows 7 supplicant but for some reason I can't seem to get the EAP-TLS tunnel to fire up.
>
> I've tried going through http://wiki.freeradius.org/Certificate_Compatibility with the delivered certs (which are evidently supposed to be compatible) but I seem to be missing something.
>
> I've got NTLM_AUTH working correctly (once I actually get that far), so I'm hoping that if I can get this cert issue figured out I'll be good to go.
>
> Using a Cisco AIR1220 AP and have tried both Windows 7 and android supplicants and get the same problem (see -X log below).
>
> Thanks in advance!!
>
> JD
> certificate_file = "/etc/freeradius/certs/server.pem"
(1) Do:
openssl x509 -in /etc/freeradius/certs/server.pem -noout -text
Check that the output contains this:
X509v3 Extended Key Usage:
TLS Web Server Authentication
...If it doesn't see the "OIDs" comments in the FR wiki page.
(2) Check that Windows 7 is correctly configured to trust your
certificates. Refer to 15-19 on:
http://www.wireless.bris.ac.uk/eduroam/instructions/go-vista/#wifi
[obviously you need to trust your root CA, not mine though]
For testing you can un-tick "Validate server certificate", but you should
never do this with real credentials, or with real users.
(3) Android probably isn't a good OS to use for AAA testing, because
depending on which version you have there are various bugs with it's
enterprise wi-fi support.
Regards,
James
More information about the Freeradius-Users
mailing list