HP M200 certificate authentication fails

Gordon Cook gcook at ssmic.com
Fri Jul 25 16:04:31 CEST 2014


I apologize if I was not clear.  I am not trying to be difficult.

I had already gone through the website indicated in the response with no luck.

I will try to be a lot clearer.

I have a radius server running freebsd 9 and freeradius2 (radius1).  I used openssl on the server to generate certificates to be used in windows called cacert and cgc.

I then installed the certificates on all our windows laptops.  I am using laptop1 for testing.

Originally I had a CISCO AP connected to the radius server and everything works. (wireless_ap1)

We needed to upgrade our wireless and purchased an HP AP. (wireless_ap2)

So 

Laptop1 <---------> wireless_ap1 <-----------> radius1     this works using the above certificates
Laptop1 <---------> wireless_ap2 <-----------> radius1     this does not work using the above certificates
Laptop1 <---------> wireless_ap2 <-----------> radius1     using EAP-TLS and PAP works.

This is where I am confused.  If it is the supplicant, why would it work with wireless_ap1 and not wireless_ap2 using the same settings and credentials?  This is what leads me to believe that the HP is doing something different with the packets than the CISCO is and there is a setting in one of the config files on the radius server that needs to be set or adjusted to handle the difference.

I am currently running the eaphost trace again to see if there is something I missed.

I hope this makes more sense.


Gordon Cook
Network Administrator
Sault Ste Marie Innovation Centre
Work: 705-942-6938 x3042
Cell:     705-971-3852





-----Original Message-----
From: freeradius-users-bounces+gcook=ssmic.com at lists.freeradius.org [mailto:freeradius-users-bounces+gcook=ssmic.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, July 25, 2014 8:56 AM
To: FreeRadius users mailing list
Subject: Re: HP M200 certificate authentication fails

Gordon Cook wrote:
> What I mean by the configuration needs to be adjusted.
> 
> The client using the same credentials can authenticate through the cisco ap and not the HP AP.

  OK... that's what you said already, but sure.

> There are very few settings in the HP that can be set for the radius server.

  IP address and shared secret, usually.

>  So what I am thinking is something needs to be changed, removed or added to the configuration files on the radius server to be able to work with the HP AP.

  Really?  That is a horribly vague statement.  And it doesn't agree with what you said earlier.

  You said previously you HAD changed something.  I asked you what you had changed.  Your reply now is you think something needs to be changed.

  I'm trying to help you, and you're giving vague and inconsistent answers.  This is not just annoying, you're making it impossible for me to help you.

>  I just can't find any documentation on using the HP AP with freeRadius although the specs for the AP say it should work.

  There is likely no documentation on "HP and FR".  Because there doesn't need to be.  HP documents how to configure the AP for RADIUS.
FreeRADIUS documents how to add a client.  That's it.  The vendor doesn't matter.

  In any case, the problem is likely not with the AP.  The supplicant is stopping the EAP conversation.  As I said before.  Fix the supplicant.
The web page in the debug output describes the common problems, and how to fix them.

  Alan DeKok.