Problem with certificates on Version 3.0.12
aland at deployingradius.com
Wed Mar 8 18:23:25 CET 2017
On Mar 8, 2017, at 12:19 PM, Rob Rutledge <robertrutledge2005 at charter.net> wrote:
> I am however having problems authenticating wireless clients on a Cisco
> 1142N autonomous access-point. I followed the instructions I found advising
> to set up open WEP authentication with EAP. The problem I am having is
> installing the certificates in the /etc/raddb/certs/ directory. The
> instructions I found advised to install the ca.der and client.p12
> certificates on my wireless workstation, Windows 10 Pro. When I try to
> install the ca certificate I get the following window pops up:
The mailing list strips attachments. Only text is allowed.
> The timer just keeps timing out and repeats itself until I disconnect the
> SSID and running FreeRADIUS in the debug mode I never see any activity in
> the debug outputs. Therefore I am to assume that the wireless client
> bridging through the ap is never even trying to talk to the FreeRADIUS
That looks like what's happening.
> I can however change the encryption methods in the AP for this SSID and it
> will authenticate. I have to configure the encryption mode ciphers for the
> SSID VLAN in the radio configuration and then set up for key-management
> authentication wpa version 2 in the SSID configuration and the wireless
> client authenticates through the FreeRADIUS server. When I set it up this
> way though I am requested to enter username/password combination and accept
> the certificate ( I would assume this is the certificate from the server to
> be validated) before the connection process completes. What concerns me is
> that I see two warnings come up in the FreeRADIUS debug logs:
> (33) WARNING: Outer and inner identities are the same. User privacy is
> (33) pap: WARNING: Auth-Type already set. Not setting to PAP
> Via this method I see that the Outer identity has the username I entered
> when I connected instead of anonymous.
That's set in the Windows 802.1X configuration. See the Windows UI for more details.
> In addition I see that PEAP is being used for the authentication process in
> the debug logs:
> (34) eap: Peer sent packet with method EAP PEAP (25)
> (34) eap: Calling submodule eap_peap to process data
> (34) eap_peap: Continuing EAP-TLS
> (34) eap_peap: [eaptls verify] = ok
> (34) eap_peap: Done initial handshake
> (34) eap_peap: [eaptls process] = ok
> (34) eap_peap: Session established. Decoding tunneled attributes
> (34) eap_peap: PEAP state send tlv success
> (34) eap_peap: Received EAP-TLV response
> (34) eap_peap: Success
> I believe a lot of this information is superfluous for the purposes of this
> post, but my main question would be why can't I install the certificates
> from the /certs/ directory?
I have no idea. I've tried to install certs on Windows repeatedly. Magically it works... magically it doesn't work. It's entirely opaque.
More information about the Freeradius-Users