Freeradius, SQL, Certs and Newbie
Daniel Zirkin
Zirkin at hotmail.com
Fri Oct 4 02:13:09 CEST 2019
>Normally if you configure EAP-TLS with client certs, then anyone with a
>valid client cert is allowed access. What "account info" are you
>looking for in the DB? Passwords? If so, EAP-TLS doesn't use
>passwords.
Thanks. For some reason I figured the certs would be used to"handshake" then the username/password works be checked. I didn't realize they were separate authentication routes.
Thanks for the clarification.
Daniel
>> Good evening all. Perhaps I'm going overboard... I have two WAP's
>covering 3.5 acres. I'd rather not have neighbors/neer-do-wells
>accessing our network. I've setup a separate network for outside
>secured with Freeradius.
>>
>> I have Freeradius 3.0.19 up and running on Fedora 30. I am using
>Mariadb for account information. All is well.
>
> That's good.
>
>> I've come to realize that plaintext authentication even with
>WPA3/2ent isn't all that secure. Also, I'm trying to get a few IOT
>devices to connect. Phones and laptops all work well.
>>
>> I though perhaps adding client certs into the mix would tighten
>things up.
>
> That should be fine.
>
>> I've created them and I think configured things correctly.
>>
>> eapol_test -a127.0.0.1 -p1812 -s ******* -c
>/root/Documents/eapol_test-eaptls.conf
>>
>> gives me;
>>
>> MPPE keys OK: 1 mismatch: 0
>> SUCCESS
>>
>> So now I can connect with certs or with a plaintext user/pass from
>sql. I can't seem to get it to require a cert then check the database
>for account info.
>
> What did you tell it to do?
>
>> What am I missing?
>
>We have no idea what you did, so we can't give much in the way of
>advice.
>
>Normally if you configure EAP-TLS with client certs, then anyone with a
>valid client cert is allowed access. What "account info" are you
>looking for in the DB? Passwords? If so, EAP-TLS doesn't use
>passwords.
>
> Alan DeKok.
>
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list