Problem with certificates on Version 3.0.12
Rob Rutledge
robertrutledge2005 at charter.net
Wed Mar 8 18:19:58 CET 2017
Hello all,
I have successfully installed and have running FreeRADIUS Version 3.0.12.
I have been able to use PAP to authenticate fine with all my network
devices, i.e. Cisco.
I am however having problems authenticating wireless clients on a Cisco
1142N autonomous access-point. I followed the instructions I found advising
to set up open WEP authentication with EAP. The problem I am having is
installing the certificates in the /etc/raddb/certs/ directory. The
instructions I found advised to install the ca.der and client.p12
certificates on my wireless workstation, Windows 10 Pro. When I try to
install the CA certificate, the following window pops up:
When I try to install the client certificate, this window pops up:
It appeared that the .pem files installed as certificates, but when I try to
authenticate to the SSID in question I get the following debug outputs in my
Cisco AP:
Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: client is added to
the client list for application 0x1
Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: Created new client
for application 0x1
Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: req->auth_type 0
Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth:
auth_methods_inprocess: 2
Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: eap list name:
eap_methods
Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth: Start auth method EAP
or LEAP
Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_auth_dot1x: in the
dot11_auth_dot1x_start
Mar 8 10:49:03.265 CST: (0000.0000.0000): dot11_dot1x: Sending identity
request to client
Mar 8 10:49:03.265 CST: EAPOL pak dump tx
Mar 8 10:49:03.265 CST: EAPOL Version: 0x1 type: 0x0 length: 0x003D
Mar 8 10:49:03.265 CST: EAP code: 0x1 id: 0x1 length: 0x003D type: 0x1
06021490: 0100003D 0101003D 01006E65 74776F72 ...=...=..networ
060214A0: 6B69643D 42696742 616E675F 322C6E61 kid=BigBang_2,na
060214B0: 7369643D 74787765 61686F6D 78702D61 sid=txweahomxp-a
060214C0: 70313134 32303031 2C706F72 7469643D p1142001,portid=
060214D0: 30 0
Mar 8 10:49:03.266 CST: (0000.0000.0000): dot11_auth: sending data to
requestor status 1
txweahomxp-ap1142001#
Mar 8 10:49:03.266 CST: (0000.0000.0000): dot11_auth: Sending EAPOL to
requestor
Mar 8 10:49:03.266 CST: (0000.0000.0000): dot11_dot1x: Client timer started
for 30 seconds
The timer just keeps timing out and repeating until I disconnect from the
SSID, and running FreeRADIUS in debug mode I never see any activity in its
debug output. Therefore I assume that the wireless client bridging through
the AP is never even trying to talk to the FreeRADIUS server.
I can however change the encryption methods in the AP for this SSID and it
will authenticate. I have to configure the encryption mode ciphers for the
SSID VLAN in the radio configuration and then set up for key-management
authentication wpa version 2 in the SSID configuration and the wireless
client authenticates through the FreeRADIUS server. When I set it up this
way, though, I am asked to enter a username/password combination and to accept
the certificate (I would assume this is the certificate from the server to
be validated) before the connection process completes. What concerns me is
that I see two warnings come up in the FreeRADIUS debug logs:
(33) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(33) pap: WARNING: Auth-Type already set. Not setting to PAP
Via this method I see that the Outer identity has the username I entered
when I connected instead of anonymous.
In addition I see that PEAP is being used for the authentication process in
the debug logs:
(34) eap: Peer sent packet with method EAP PEAP (25)
(34) eap: Calling submodule eap_peap to process data
(34) eap_peap: Continuing EAP-TLS
(34) eap_peap: [eaptls verify] = ok
(34) eap_peap: Done initial handshake
(34) eap_peap: [eaptls process] = ok
(34) eap_peap: Session established. Decoding tunneled attributes
(34) eap_peap: PEAP state send tlv success
(34) eap_peap: Received EAP-TLV response
(34) eap_peap: Success
I believe a lot of this information is superfluous for the purposes of this
post, but my main question would be why can't I install the certificates
from the /certs/ directory?
Thanks for any and all help.
Rob Rutledge, CCNP CCDP
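The EAPOL hex dump in the AP debug above is the one concrete piece of protocol data in the post, so here is a decoder for it. This is an added example, not code from the original post or from FreeRADIUS or Cisco: it parses the EAPOL header (RFC 3748 and IEEE 802.1X layout), the EAP header, and the Identity-Request payload, which in this dump is a NUL byte followed by "key=value" NAS details (RFC 3748 section 5.1 notes that some implementations piggy-back options after a NUL in the Identity Request). It also builds the EAP-Response/Identity the AP is waiting for, since the AP only opens a RADIUS Access-Request to FreeRADIUS after that reply arrives; the identity placed in it is what FreeRADIUS later reports as the outer identity. The byte string is copied from the dump; everything else (function names, the "anonymous" outer identity used in the response) is an assumption for the example.

```python
"""Decode the EAPOL/EAP Identity-Request from the Cisco AP debug above
and build the EAP-Response/Identity the client should answer with.

Example code added for illustration; not part of the original post."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAPOL_TYPE_EAP_PACKET = 0

# Copied from the "EAPOL pak dump tx" lines in the AP debug output above
# (whitespace between the 32-bit words is ignored by bytes.fromhex).
AP_TX_DUMP = bytes.fromhex(
    "0100003D 0101003D 01006E65 74776F72"
    "6B69643D 42696742 616E675F 322C6E61"
    "7369643D 74787765 61686F6D 78702D61"
    "70313134 32303031 2C706F72 7469643D"
    "30"
)


def parse_eapol(frame: bytes) -> dict:
    """Split an EAPOL frame into version, packet type and body."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError(f"EAPOL length {body_len} but only {len(body)} body bytes present")
    return {"version": version, "type": ptype, "body_len": body_len, "body": body}


def parse_eap(body: bytes) -> dict:
    """Parse the EAP header; Request/Response packets also carry a method type."""
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length != len(body):
        raise ValueError(f"EAP length {length} does not match body size {len(body)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        pkt["method"] = body[4]
        pkt["data"] = body[5:]
    return pkt


def parse_identity_request(data: bytes) -> dict:
    """Identity-Request data: optional displayable prompt, then (RFC 3748 5.1)
    implementation options after a NUL. This dump has an empty prompt and
    "networkid=...,nasid=...,portid=..." after the NUL."""
    prompt, _, options = data.partition(b"\x00")
    fields = {}
    for item in options.decode("ascii").split(","):
        key, _, value = item.partition("=")
        if key:
            fields[key] = value
    return {"prompt": prompt.decode("ascii"), "fields": fields}


def decode_frame(frame: bytes) -> dict:
    """Full decode: EAPOL -> EAP -> Identity-Request options."""
    eapol = parse_eapol(frame)
    result = {"eapol": eapol}
    if eapol["type"] == EAPOL_TYPE_EAP_PACKET:
        eap = parse_eap(eapol["body"])
        result["eap"] = eap
        if eap["code"] == "Request" and eap.get("method") == EAP_TYPE_IDENTITY:
            result["identity"] = parse_identity_request(eap["data"])
    return result


def build_identity_response(request_id: int, identity: str) -> bytes:
    """The EAPOL frame the supplicant sends back; the AP relays the EAP part to
    FreeRADIUS in an Access-Request. For PEAP the identity here is the *outer*
    identity, so sending "anonymous" keeps the real username inside the TLS
    tunnel (the post's warning fires when both are the same)."""
    eap_body = identity.encode("ascii")
    eap_len = 5 + len(eap_body)
    eap = struct.pack("!BBHB", 2, request_id, eap_len, EAP_TYPE_IDENTITY) + eap_body
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


if __name__ == "__main__":
    req = decode_frame(AP_TX_DUMP)
    print("AP sent:", req["eap"], req["identity"])
    resp = decode_frame(build_identity_response(req["eap"]["id"], "anonymous"))
    print("client should answer:", resp["eap"])
```

Running it shows the AP's EAP-Request/Identity (id 1, 61 bytes) carrying the SSID, NAS-Id and port, and the matching EAP-Response/Identity; with no such response on the air the AP's 30-second timer simply expires, which is consistent with FreeRADIUS seeing nothing in debug mode.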