Problem with certificates on Version 3.0.12

Rob Rutledge robertrutledge2005 at charter.net
Wed Mar 8 18:19:58 CET 2017


Hello all,

I have successfully installed and have running FreeRADIUS Version 3.0.12.

I have been able to use PAP to authenticate fine with all my network
devices, i.e. Cisco.

I am however having problems authenticating wireless clients on a Cisco
1142N autonomous access-point. I followed the instructions I found advising
to set up open WEP authentication with EAP. The problem I am having is
installing the certificates in the /etc/raddb/certs/ directory. The
instructions I found advised to install the ca.der and client.p12
certificates on my wireless workstation, Windows 10 Pro. When I try to
install the ca certificate the following window pops up:

When I try to install the client certificate this window pops up:

It appeared that the .pem files installed as certificates, but when I try to
authenticate to the SSID in question I get the following debug outputs in my
Cisco AP:

Mar  8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: client is added to the client list for application 0x1
Mar  8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: Created new client for application 0x1
Mar  8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: req->auth_type 0
Mar  8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: auth_methods_inprocess: 2
Mar  8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: eap list name: eap_methods
Mar  8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: Start auth method EAP or LEAP
Mar  8 10:49:03.265 CST: (0000.0000.0000): dot11_auth_dot1x: in the dot11_auth_dot1x_start
Mar  8 10:49:03.265 CST: (0000.0000.0000): dot11_dot1x: Sending identity request to client
Mar  8 10:49:03.265 CST: EAPOL pak dump tx
Mar  8 10:49:03.265 CST: EAPOL Version: 0x1  type: 0x0  length: 0x003D
Mar  8 10:49:03.265 CST: EAP code: 0x1  id: 0x1  length: 0x003D type: 0x1
06021490: 0100003D 0101003D 01006E65 74776F72  ...=...=..networ
060214A0: 6B69643D 42696742 616E675F 322C6E61  kid=BigBang_2,na
060214B0: 7369643D 74787765 61686F6D 78702D61  sid=txweahomxp-a
060214C0: 70313134 32303031 2C706F72 7469643D  p1142001,portid=
060214D0: 30                                   0
Mar  8 10:49:03.266 CST: (0000.0000.0000): dot11_auth: sending data to requestor status 1
txweahomxp-ap1142001#
Mar  8 10:49:03.266 CST: (0000.0000.0000): dot11_auth: Sending EAPOL to requestor
Mar  8 10:49:03.266 CST: (0000.0000.0000): dot11_dot1x: Client timer started for 30 seconds

The timer just keeps timing out and repeating until I disconnect from the
SSID, and when running FreeRADIUS in debug mode I never see any activity in
the debug output. Therefore I assume that the wireless client bridging
through the AP is never even trying to talk to the FreeRADIUS server.

I can however change the encryption methods in the AP for this SSID and it
will authenticate. I have to configure the encryption mode ciphers for the
SSID VLAN in the radio configuration and then set up key-management
authentication wpa version 2 in the SSID configuration, and the wireless
client then authenticates through the FreeRADIUS server. When I set it up
this way, though, I am requested to enter a username/password combination
and accept the certificate (I would assume this is the certificate from the
server to be validated) before the connection process completes. What
concerns me is that I see two warnings come up in the FreeRADIUS debug logs:

(33) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(33) pap: WARNING: Auth-Type already set.  Not setting to PAP

Via this method I see that the Outer identity has the username I entered
when I connected instead of anonymous.

In addition I see that PEAP is being used for the authentication process in
the debug logs:

(34) eap: Peer sent packet with method EAP PEAP (25)
(34) eap: Calling submodule eap_peap to process data
(34) eap_peap: Continuing EAP-TLS
(34) eap_peap: [eaptls verify] = ok
(34) eap_peap: Done initial handshake
(34) eap_peap: [eaptls process] = ok
(34) eap_peap: Session established.  Decoding tunneled attributes
(34) eap_peap: PEAP state send tlv success
(34) eap_peap: Received EAP-TLV response
(34) eap_peap: Success

I believe a lot of this information is superfluous for the purposes of this
post, but my main question would be why can't I install the certificates
from the /certs/ directory?

Thanks for any and all help.

Rob Rutledge, CCNP CCDP
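
Decoding the AP's "EAPOL pak dump tx" from the post shows exactly what the client is being asked for while the 30-second timer runs. The following is an added example, not code from the original post, FreeRADIUS or Cisco; it assumes the hex words of the dump are the raw frame bytes, and it treats the key=value text after the NUL in the Identity request as the AP's own vendor hints, which is how the dump reads rather than an RFC-defined layout. It also stops at the EAPOL header for non-EAP frame types (EAPOL-Start, EAPOL-Logoff), so it generalises a little beyond the one frame shown:

```python
import struct

# Bytes of the "EAPOL pak dump tx" above, transcribed from the hex columns of
# the AP output (address and ASCII columns dropped).
EAPOL_DUMP = (
    "0100003D 0101003D 01006E65 74776F72 6B69643D 42696742 616E675F 322C6E61 "
    "7369643D 74787765 61686F6D 78702D61 70313134 32303031 2C706F72 7469643D 30"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def dump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex words of a pak dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame and, for type 0 (EAP-Packet), its EAP header.

    Identity Type-Data is split at the first NUL: RFC 3748 says only the part
    before a NUL is shown to the user; the key=value hints after it are the
    AP's own vendor format (assumed from the dump, not an RFC-defined layout).
    """
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than its declared length")
    out = {"eapol_version": version, "eapol_type": ptype, "eapol_length": length}
    if ptype != 0 or length < 4:  # only EAP-Packet carries an EAP header
        return out
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    out.update({"eap_code": EAP_CODES.get(code, code), "eap_id": ident, "eap_length": eap_len})
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type byte
        eap_type = body[4]
        out["eap_type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            message, _, options = body[5:eap_len].partition(b"\x00")
            out["identity_message"] = message.decode("utf-8", "replace")
            out["identity_options"] = dict(
                kv.split("=", 1) for kv in options.decode("ascii", "replace").split(",") if "=" in kv
            )
    return out


if __name__ == "__main__":
    for key, value in parse_eapol(dump_to_bytes(EAPOL_DUMP)).items():
        print(f"{key}: {value}")
```

The decoded frame is a well-formed EAP Identity Request (code 1, id 1) carrying the AP's networkid, nasid and portid hints; the client timer in the log is waiting for the supplicant's Identity Response, and until one arrives the AP has nothing to forward to FreeRADIUS, which matches the empty FreeRADIUS debug output described above.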