Problem with certificates on Version 3.0.12

Alan DeKok aland at deployingradius.com
Wed Mar 8 18:23:25 CET 2017


On Mar 8, 2017, at 12:19 PM, Rob Rutledge <robertrutledge2005 at charter.net> wrote:
> 
> I am however having problems authenticating wireless clients on a Cisco
> 1142N autonomous access-point.  I followed the instructions I found advising
> to set up open WEP authentication with EAP.  The problem I am having is
> installing the certificates in the /etc/raddb/certs/ directory.  The
> instructions I found advised to install the ca.der and client.p12
> certificates on my wireless workstation, Windows 10 Pro.  When I try to
> install the ca certificate, the following window pops up:

  The mailing list strips attachments.  Only text is allowed.

> The timer just keeps timing out and repeats itself until I disconnect the
> SSID, and running FreeRADIUS in the debug mode, I never see any activity in
> the debug outputs.  Therefore I am to assume that the wireless client
> bridging through the ap is never even trying to talk to the FreeRADIUS
> server.  

  That looks like what's happening.

> I can however change the encryption methods in the AP for this SSID and it
> will authenticate.  I have to configure the encryption mode ciphers for the
> SSID VLAN in the radio configuration and then set up for key-management
> authentication wpa version 2 in the SSID configuration and the wireless
> client authenticates through the FreeRADIUS server.  When I set it up this
> way though I am requested to enter username/password combination and accept
> the certificate (I would assume this is the certificate from the server to
> be validated) before the connection process completes.   What concerns me is
> that I see two warnings come up in the FreeRADIUS debug logs:
> 
> (33) WARNING: Outer and inner identities are the same.  User privacy is
> compromised.
> (33) pap: WARNING: Auth-Type already set.  Not setting to PAP
> 
> Via this method I see that the Outer identity has the username I entered
> when I connected instead of anonymous. 

  That's set in the Windows 802.1X configuration.  See the Windows UI for more details.

> In addition I see that PEAP is being used for the authentication process in
> the debug logs:
> 
> (34) eap: Peer sent packet with method EAP PEAP (25)
> (34) eap: Calling submodule eap_peap to process data
> (34) eap_peap: Continuing EAP-TLS
> (34) eap_peap: [eaptls verify] = ok
> (34) eap_peap: Done initial handshake
> (34) eap_peap: [eaptls process] = ok
> (34) eap_peap: Session established.  Decoding tunneled attributes
> (34) eap_peap: PEAP state send tlv success
> (34) eap_peap: Received EAP-TLV response
> (34) eap_peap: Success
> 
> I believe a lot of this information is superfluous for the purposes of this
> post, but my main question would be why can't I install the certificates
> from the /certs/ directory?  

  I have no idea.  I've tried to install certs on Windows repeatedly.  Magically it works... magically it doesn't work.  It's entirely opaque.

  Alan DeKok.
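
An added example, not part of the original thread and not FreeRADIUS project code: a small scanner for debug output in the line format quoted above, which groups lines by the parenthesised request number and reports whether the "Outer and inner identities are the same" warning appeared and whether eap_peap reported Success. The function name `summarize`, the result keys and the constructed sample text are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: debug lines in the form quoted in the thread, including
# the mail-wrapped warning and the "> " quote prefixes.
SAMPLE = """\
> (33) WARNING: Outer and inner identities are the same.  User privacy is
> compromised.
> (33) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (34) eap: Peer sent packet with method EAP PEAP (25)
> (34) eap_peap: [eaptls verify] = ok
> (34) eap_peap: Session established.  Decoding tunneled attributes
> (34) eap_peap: Success
"""

# "(N) [module: ][WARNING: ]message"; the lookahead keeps "WARNING" from
# being mistaken for a module name when no module prefix is present.
LINE = re.compile(r"^\((\d+)\)\s+(?:(?!WARNING)(\w+):\s+)?(WARNING:\s+)?(.*)$")

def summarize(text):
    """Return {request_number: {warnings, peap_success, identity_exposed}}."""
    reqs = defaultdict(lambda: {"warnings": [], "peap_success": False})
    open_warn = None  # warning list whose last entry may continue on next line
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop mail quoting
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            # No "(N)" prefix: treat as the wrapped tail of the last warning.
            if open_warn is not None:
                open_warn[-1] += " " + line
            continue
        rid, module, warn, msg = int(m[1]), m[2], m[3], m[4]
        req = reqs[rid]
        if warn:
            req["warnings"].append(msg)
            open_warn = req["warnings"]
        else:
            open_warn = None
            if module == "eap_peap" and msg == "Success":
                req["peap_success"] = True
    for req in reqs.values():
        req["identity_exposed"] = any(
            w.startswith("Outer and inner identities are the same")
            for w in req["warnings"])
    return dict(reqs)

if __name__ == "__main__":
    for rid, info in sorted(summarize(SAMPLE).items()):
        print(rid, info)
```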