Troubleshooting EAP-TLS with External Certificates

Matthew West matthew.t.west at gmail.com
Fri Sep 16 00:05:58 CEST 2016


> I've updated check-eap-tls to show where you also need to
> enable it to make it easier for others. Thanks.

Awesome!  Thank you.

> If you haven't already, check your config into git/svn/whatever so
> you can go back to a working version if you break it. It helps,
> really.

OK!  I've been keeping backups and copies of the original files...
The devs in my office run git, maybe I can jump on their server.

> Just a last reminder that because you're using public certs, you
> need to be *very* careful you don't let unwanteds in. For example,
> check that another certificate with the subject something.acme.com
> from the same CA won't validate.

Yes, I am very concerned about this and will be working with one of
our devs to get the right regex for that as well.  Thanks for pointing
that out.

> Good you've got it working. FreeRADIUS has very flexible and
> powerful config but it can sometimes take a while to get your head
> around it when you're not doing the very basics.

Thank you again.  I can tell it's a great piece of software.  I'm
coming at this from an 802.1X need, but the company I work for also
does a lot of work with telecom providers and ISPs.  Our products are
analytic in nature (i.e. - line speed packet analysis, IP to endpoint
matching, compliance, and reporting), so more packet analysis of
RADIUS, not for operational use.  Despite having resources that know
how to glean information from RADIUS packets, nobody deploys the
service itself.

If I want to learn more of what RADIUS can do outside of the 802.1X
infrastructure, do you recommend the O'Reilly RADIUS book, or is that
out of date?

Thank You,

Matthew West




On Thu, Sep 15, 2016 at 2:25 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Thu, Sep 15, 2016 at 02:11:22PM -0700, Matthew West wrote:
>> Off to learning CRLs and removing all non-EAP-TLS authentication
>> mechanisms.
>
> If you haven't already, check your config into git/svn/whatever so
> you can go back to a working version if you break it. It helps,
> really.
>
>> After that, I should have the server functioning the way
>> that was requested of me.
>
> Just a last reminder that because you're using public certs, you
> need to be *very* careful you don't let unwanteds in. For example,
> check that another certificate with the subject something.acme.com
> from the same CA won't validate.
>
>> Thank you all for helping me along.
>
> Good you've got it working. FreeRADIUS has very flexible and
> powerful config but it can sometimes take a while to get your head
> around it when you're not doing the very basics.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
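As an added illustration of the check Matthew Newton describes above (constructed for this page, not from the thread or from the FreeRADIUS distribution), a `check-eap-tls` virtual server for FreeRADIUS 3.0 that rejects any client certificate not issued by the expected CA or whose CN does not match an anchored host pattern. It assumes the server is enabled with `virtual_server = check-eap-tls` in the `tls` configuration of `mods-available/eap`; the issuer string and the CN pattern are placeholders to be replaced with the site's own values.

```unlang
#  Constructed example: restrict which client certificates EAP-TLS accepts.
#  Enable with  virtual_server = check-eap-tls  in the tls section of
#  mods-available/eap.  Issuer string and CN pattern below are placeholders.
server check-eap-tls {
	authorize {
		#  Only the expected CA may have issued the client certificate.
		#  A public CA issues to anyone, so this check alone is not enough.
		if (&TLS-Client-Cert-Issuer != "/C=US/O=Example CA/CN=Example Issuing CA") {
			update reply {
				Reply-Message := "Certificate issuer not permitted"
			}
			reject
		}

		#  Anchored, fully escaped pattern for device names such as
		#  laptop-0042.corp.acme.com.  Without ^ and $, or with an
		#  unescaped dot, unrelated names from the same CA would also pass.
		if (&TLS-Client-Cert-Common-Name !~ /^laptop-[0-9]{4}\.corp\.acme\.com$/) {
			update reply {
				Reply-Message := "Certificate subject not permitted"
			}
			reject
		}

		ok
	}
}
```

Run `radiusd -X` and test with a certificate whose CN is outside the pattern to confirm the reject path fires before trusting it in production.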