OS X Mavericks not connecting to Debian FreeRADIUS

A.L.M.Buxey at lboro.ac.uk
Mon Aug 10 15:32:59 CEST 2015


Hi,

> I'm trying to configure a FreeRADIUS server (Version 2.1.12) on a
> computer running Debian Linux (Raspbian), and I'm trying to connect
> to it with a Mac laptop running OS X Mavericks (10.9).  I'm using
> the EAP-TLS Wireless WPA2-Enterprise SSL certificate method, but the
> Mac refuses to connect to the server, usually saying "Invalid
> password."   The server seems to be functioning properly, when I run
> the "freeradius  -X" command I get the "Ready to process requests"
> message and the error log does not log anything when I try to
> connect.

if you see nothing in debug mode....as you state...then the RADIUS requests
aren't getting to your server.


so check your network settings, check the server firewall, check network ACLs,
routing and your wireless/switch configurations.


also, 2.1.12?   that's just so totally obsolete.   use at LEAST 2.2.x - and
think about using version 3 for a new deployment.

> Question #1:  Do I need an entry in the FreeRADIUS config files for
> each individual client computer I'm trying to connect to, such as in

no. just for each NAS. entries for NAS go into clients.conf - but if that's
not got an entry, you'll still have 'unknown client' being printed out in debug mode

> Question #2:  In the EAP-TLS section of the "eap.conf" config file
> there is the "private_key_password" variable, and some instructions
> have told me just to comment that out. I have also tried to use

does your server cert have a password? if so, ensure it's put in there correctly.

> Question #3:  Elsewhere I have seen instructions for using XML
> configuration profiles for setting up the networking on Mac
> computers, but I would rather not deal with that right now and
> instead I would like to just create and install the certificates
> manually to get the most basic setup running. Presumably it is not
> mandatory to use that XML method with Mavericks for the certificates
> although please correct me if I am wrong.

.mobileconfig files are the de facto way to configure OSX systems since Lion was released.
users cannot manually configure their 802.1X settings. if the RADIUS
CA file is known (and is private) to the system and you are using EAP-TLS and have a user certificate installed
then the user can choose that identity....EAP-TLS is nice that way. if using PEAP or EAP-TTLS
then you really want to ensure that the client is configured correctly with all the required
RADIUS server CA and CN trust settings done properly as otherwise the client could
be talking to any RADIUS server behind a malicious AP providing the same SSID :/

also....latest OSes are far more fussy about certificates...need SHA-1 or above CA/server
certs (2.1.x was in the days of MD5....) and larger DH keys for latest forthcoming releases
(2.1.x was 256 or 512 bit?)

alan
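
Added example, not part of the original post and not FreeRADIUS code: a Python triage of captured `freeradius -X` output into the cases the reply distinguishes (nothing arriving, a NAS missing from clients.conf, requests arriving). The sample captures are constructed, and the line patterns are assumptions about FreeRADIUS 2.x debug wording that may need adjusting for other versions.

```python
import re

# Assumed FreeRADIUS 2.x debug-mode wording; adjust the patterns for other versions.
RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+")
UNKNOWN = re.compile(r"^Ignoring request to .* from unknown client (\S+) port \d+")
READY = "Ready to process requests"


def triage(debug_output):
    """Classify a `freeradius -X` capture taken while a client tried to connect."""
    ready = False
    unknown, received = set(), set()
    for raw in debug_output.splitlines():
        line = raw.strip()
        if READY in line:
            ready = True
        elif (m := UNKNOWN.match(line)):
            unknown.add(m.group(1))        # source IP the server refused to talk to
        elif (m := RECV.match(line)):
            received.add(m.group(2))       # NAS IP whose request was accepted for processing
    if not ready:
        verdict = "server-not-ready"
    elif received:
        verdict = "requests-arriving"      # next step: read the EAP/TLS part of the debug log
    elif unknown:
        verdict = "nas-missing-from-clients.conf"
    else:
        verdict = "no-packets-reaching-server"  # firewall, ACLs, routing, AP/switch RADIUS config
    return {"verdict": verdict,
            "unknown_clients": sorted(unknown),
            "received_from": sorted(received)}


# Constructed sample captures (documentation addresses from 192.0.2.0/24).
STARTUP = ("Listening on authentication address * port 1812\n"
           "Listening on accounting address * port 1813\n"
           "Ready to process requests.\n")
SILENT = STARTUP
UNKNOWN_NAS = STARTUP + ("Ignoring request to authentication address * port 1812 "
                         "from unknown client 192.0.2.10 port 32768\n"
                         "Ready to process requests.\n")
ARRIVING = STARTUP + ("rad_recv: Access-Request packet from host 192.0.2.10 "
                      "port 32768, id=7, length=180\n")

if __name__ == "__main__":
    for name, capture in (("silent", SILENT), ("unknown", UNKNOWN_NAS), ("arriving", ARRIVING)):
        print(name, triage(capture))
```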


More information about the Freeradius-Users mailing list