Proxy to realm after eap-ttls authentication

Alan DeKok aland at deployingradius.com
Mon Nov 23 14:45:54 CET 2020


On Nov 23, 2020, at 8:40 AM, Mesut Ozturk <mesut at nevotek.com> wrote:

  Please send messages to the list ONCE, and ONLY ONCE.  There is NO NEED to send the SAME MESSAGE MULTIPLE TIMES.

  If you insist on posting the same messages multiple times, you will be banned from the list.

> I desperately need your help. I am a noob with FreeRadius, so please guide me on what I am doing wrong.
> 
> My point is using freeradius as a Proxy. Because we already have a PAP-supported Radius, I want to do the eap auth part on freeradius and then Proxy the Access-Request to our own Radius. We are trying 802.1x authentication.

  That should work.

> According to my readings i did below steps :
> 
> 1 . Edit clients.conf for my mobile devices to Access freeradius
> ...
> 2. add home_server in proxy.conf
> ...
> 3. edit eap.conf
> ...
> 4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel:

  Yes, all that should work.

> But no chance. Also, Android and iOS devices have different behaviors.

  Because they are configured differently.

> And here is the output of Android device :
> ...
> (3) eap_ttls: <<< recv TLS 1.2  [length 0002]
> (3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
> (3) eap_ttls: TLS_accept: Need to read more data: error
> (3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

  That's pretty definitive.

  The Android device wasn't configured with the CA used by FreeRADIUS.  So... add the CA to the android system, and configure it to use that CA when authenticating to FreeRADIUS.

  Alan DeKok.
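As an added triage helper (not part of this thread or of FreeRADIUS itself), the script below scans `radiusd -X` output for the `TLS Alert` line quoted above and reports which side rejected whom: `read` means the alert arrived from the supplicant (the client rejected the server certificate, as in the Android case), `write` means FreeRADIUS sent it. The sample log is constructed from the quoted lines plus one made-up EAP-TLS request, and the cause strings are the author's interpretation, not FreeRADIUS output.

```python
import re

# Matches the TLS alert line FreeRADIUS logs in "radiusd -X" output, e.g.
# "(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA"
ALERT_RE = re.compile(
    r"^\((?P<req>\d+)\)\s+(?P<module>eap_(?:ttls|tls|peap)):\s+ERROR:\s+"
    r"TLS Alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>.+?)\s*$"
)

# Likely cause per (direction, alert description). Interpretations are assumptions:
# "read"  = the alert came FROM the supplicant, so the client rejected the server.
# "write" = FreeRADIUS sent the alert, so the server rejected the client.
CAUSES = {
    ("read", "unknown CA"): "supplicant does not trust the CA that signed the server "
        "certificate; install that CA on the device and select it in the Wi-Fi profile",
    ("read", "certificate unknown"): "supplicant rejected the server certificate for a "
        "reason other than the CA (name mismatch or user declined the prompt)",
    ("read", "certificate expired"): "server certificate looks expired to the supplicant; "
        "check its validity period and the device clock",
    ("write", "unknown CA"): "server does not trust the CA of the client certificate "
        "(EAP-TLS); add that CA to ca_file in the eap.conf tls section",
    ("write", "certificate expired"): "client certificate has expired (EAP-TLS)",
}

def parse_alert(line):
    """Return a dict for a TLS alert line, or None for any other log line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["req"] = int(d["req"])
    d["cause"] = CAUSES.get((d["dir"], d["desc"]),
                            "unmapped alert; read the OpenSSL error line that follows")
    return d

def triage(log_text):
    """Scan a whole debug log; keep the first TLS alert seen per request id."""
    findings = {}
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a and a["req"] not in findings:
            findings[a["req"]] = a
    return findings

# Constructed sample: the lines quoted in the thread plus one made-up EAP-TLS request (7).
SAMPLE_LOG = """\
(3) eap_ttls: <<< recv TLS 1.2  [length 0002]
(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(3) eap_ttls: TLS_accept: Need to read more data: error
(3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(7) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
"""

if __name__ == "__main__":
    for req, f in sorted(triage(SAMPLE_LOG).items()):
        print(f"request {req} [{f['module']}] {f['dir']}:{f['level']}:{f['desc']} -> {f['cause']}")
```

Pipe a saved `radiusd -X` log into `triage()` to get one finding per request; requests without a TLS alert are simply absent from the result.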
