Troubleshooting EAP-TLS with External Certificates

Alan Buxey A.L.M.Buxey at
Thu Aug 25 11:52:04 CEST 2016


1. Installed/Configured CentOS 7 (CentOS7-x86_64-1511)
    a. Disabled SELinux
    b. Disabled firewalld

first steps. turn those back on - and configure them correctly as required
(read firewalld and selinux docs as required).

>Are there any steps I've missed?  Do I need to keep the 'dh' in /certs/?

now you have a working system, start to comment/remove things out of it that you dont need -
thinking PAP and plain CHAP etc methods. weak, insecure. use the permit_only_eap policy in your virtual server auth {} section to ensure only EAP requests are coming to it.

of course you need the DH file - its part of the process. 

what cert are you using?  still a local one or a public one? I would advise keeping with local talk about importing it to client, so that suggests its not one of the big public ones... good.

you talk about EAP-TLS...but your post only mentioned doing basic PAP and PEAP test - please dont
confuse terminology.. you havent tested a client cert yet - which is probably important if you ARE
doing EAP-TLS....


More information about the Freeradius-Users mailing list