Freeradius2 and OSX clients no TLS

Gary Gatten Ggatten at waddell.com
Sat Mar 5 18:10:37 CET 2011


FR just does what it's told. I think the settings need to be changed on your wireless gear.

----- Original Message -----
From: Guy [mailto:guy at britewhite.net]
Sent: Saturday, March 05, 2011 10:46 AM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Freeradius2 and OSX clients no TLS

Hi,

I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and I have it basically working. My iPhone/iPad are able to authenticate and connect via the base station. However, my Mac (OSX 10.6 Snow Leopard) laptops are having issues.

I do not want to push out Client certificates to the laptops. I also do not want people to have to perform any customisations on the clients.

When the laptop attempts to join the network I get a nice login window, with username/password. This is fine. However, without playing with the network settings (802.1x settings), I'm not able to join the network because I do not have a client cert:

Sat Mar  5 16:21:28 2011 : Error: --> verify error:num=19:self signed certificate in certificate chain 
Sat Mar  5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA 
Sat Mar  5 16:21:28 2011 : Error:     TLS_accept:error in SSLv3 read client certificate B 
Sat Mar  5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Mar  5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sat Mar  5 16:21:28 2011 : Auth: Login incorrect: [guy/<via Auth-Type = EAP>] (from client extreme port 0 cli 00-19-E3-E1-BA-C5)


However, if I do change the 802.1x settings on the Mac to not try and do TLS, then I'm able to connect just fine, either by PEAP or TTLS.

So finally my question... How can I reconfigure Radius to not try and offer TLS, or if it does offer TLS, to not die if a cert is not presented?

I have tried some suggestions such as commenting out the CA in the eap.conf file, but still I fail to pass the TLS.

Thanks

---Guy
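
An added example, not part of the original thread and not FreeRADIUS code: a small triage script that reads radius.log lines in the format quoted above and reports, for each failed login, which TLS handshake errors were logged just before it, so a missing client certificate can be told apart from other rejections. Attributing errors to a login by identical timestamp is an assumption (the lines carry no session id), and the function and label names are hypothetical.

```python
import re

# Lines 1-6 are the excerpt quoted in the message; line 7 is constructed
# (a later failed login with no TLS errors) to show the contrast.
SAMPLE_LOG = """\
Sat Mar  5 16:21:28 2011 : Error: --> verify error:num=19:self signed certificate in certificate chain
Sat Mar  5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA
Sat Mar  5 16:21:28 2011 : Error:     TLS_accept:error in SSLv3 read client certificate B
Sat Mar  5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Mar  5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sat Mar  5 16:21:28 2011 : Auth: Login incorrect: [guy/<via Auth-Type = EAP>] (from client extreme port 0 cli 00-19-E3-E1-BA-C5)
Sat Mar  5 16:25:02 2011 : Auth: Login incorrect: [guy/<via Auth-Type = EAP>] (from client extreme port 0 cli 00-19-E3-E1-BA-C5)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"Login incorrect.*?: \[(?P<user>[^/\]]*)/.*?\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+)(?: cli (?P<cli>[^)\s]+))?\)")

# Hypothetical labels, each keyed on a substring taken from the quoted log lines.
SIGNALS = [
    ("client-cert-missing", "no certificate returned"),
    ("untrusted-chain", "unknown CA"),
    ("tls-session-failed", "TLS session fails"),
]

def triage(log_text):
    """Return one dict per failed login with the TLS signals logged at the same second."""
    pending = []    # (timestamp, message) of Error lines not yet attributed to a login
    failures = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, level, msg = m.group("ts", "level", "msg")
        if level == "Error":
            pending.append((ts, msg))
        elif level == "Auth":
            a = AUTH_RE.search(msg)
            if a:
                seen = [label for label, needle in SIGNALS
                        if any(t == ts and needle in e for t, e in pending)]
                failures.append({**a.groupdict(), "time": ts, "signals": seen})
            pending.clear()   # errors before an Auth line belong to that attempt
    return failures

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["user"], f["cli"], f["signals"] or "no TLS errors logged")
```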
