Problem with EAP PEAP Authentication on freeradius 3.22

Gleb Lisikh in4bit.general at gmail.com
Thu Apr 23 23:52:47 CEST 2020


Fair enough! :-)

If you read the following instructions, where do you think the changes will
need to be made if the eap.conf file is nowhere to be found?

Edit /etc/freeradius/eap.conf with the following changes

   1. Change *default_eap_type* to “tls”
   2. Comment out all the authentication methods sections except for tls
   3. Comment out “private_key_password” with #
   4. Change *private_key_file* to ${certdir}/radius.key
   5. Change *certificate_file* to ${certdir}/radius.crt
   6. Change *CA_file* to ${cadir}/ca.crt

Below is a configuration file after the changes have been made.


[image: 69f8f9b8-9b8e-450c-8b95-3a15d4c67c6a]

Thank you,

Gleb



On Thu, Apr 23, 2020 at 4:53 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Apr 23, 2020, at 4:04 PM, Gleb Lisikh <in4bit.general at gmail.com> wrote:
> >
> > For the end system OS, I have no idea...  Meraki web-based dashboard has
> a built-in test tool to validate RADIUS configuration. This is what I used
> to check my setup so far, and haven't tried any "real" client
>
>   Ah.... then it's rather more difficult to fix.
>
> > Is there any way to see from the RADIUS server side what client is
> doing/sending wrong/incorrectly?
>
>   That error message from OpenSSL is all we have.
>
> > Meraki does have a set of instructions on how to configure freeRADIUS to
> work with Meraki EAP-TLS authentication, but those seem to be dated as I
> could not even find ./etc/freeradius/eap.conf  file that they suggest to
> edit.
> >
> https://documentation.meraki.com/MR/Encryption_and_Authentication/Freeradius%3A_Configure_freeradius_to_work_with_EAP-TLS_authentication
> > Perhaps you can help me to translate those instructions into 3.022
> version terms and files to edit?
>
>   Well... no.  I don't rewrite documentation for vendors.
>
>   We have documentation on how to configure EAP-TLS.  See
> mods-available/eap.  It's relatively straightforward.
>
> > And lastly, is there anything that had to be done in principle to enable
> EAP-TLS on the server irrespective of the client behaviour?
>
>   If the error is in OpenSSL, then you have to figure out *what* to
> configure.
>
>   The server works by default.  There is no magical setting which turns
> off a *broken* configuration and enables a *working* one.
>
>   Alan DeKok.
>
>
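
As an added example (not part of the original messages, and not FreeRADIUS project or Meraki text): the six eap.conf steps quoted above, mapped onto the mods-available/eap file that the reply points to. It assumes the stock 3.0.x layout of that file, where the certificate settings sit in a `tls-config tls-common` block and the 2.x `CA_file` directive is spelled `ca_file`.

```conf
# mods-available/eap (FreeRADIUS 3.0.x layout), trimmed to the settings
# named in the six steps. Certificate file names are the ones from the
# quoted instructions; everything else in the stock file is omitted here.
eap {
	# Step 1
	default_eap_type = tls

	# Steps 3-6: in 3.0.x the certificate settings live in one shared
	# TLS block that each TLS-based method refers to by name.
	tls-config tls-common {
		# Step 3: leaving the password commented out is only valid
		# when radius.key is stored unencrypted, so keep that file
		# readable by the RADIUS service account only.
		# private_key_password = ...

		# Step 4
		private_key_file = ${certdir}/radius.key

		# Step 5
		certificate_file = ${certdir}/radius.crt

		# Step 6 (this directive was CA_file in eap.conf)
		ca_file = ${cadir}/ca.crt
	}

	# EAP-TLS itself only points at the shared block.
	tls {
		tls = tls-common
	}

	# Step 2: the remaining method subsections (md5, leap, gtc, ttls,
	# peap, mschapv2) are the ones to comment out.
}
```

Starting the server in debug mode (`radiusd -X`, or `freeradius -X` on Debian-based packages) shows whether the eap module loads with these paths.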

