unknown CA when trying to authenticate

Tyler Montney montneytyler at gmail.com
Mon Feb 22 17:22:43 CET 2021


"That really isn't answering my question. Do the users have access to the
shell on the Unifi controller?  Or are the users trying to gain network
access via WiFi? If it's the second one, then again... what is the user
system running?  How did you configure it?"

For instance, a Windows client trying to connect to a WiFi network. It
tries to connect, is prompted for a username and password, then says "Can't
connect to this network". (Simultaneously, I have "freeradius -X" running,
where I see the CA error.)

"You configured the end-user system to use WiFi."

The only thing I have done on the end user system is import the root CA.

"There is existing documentation which tells you how to configure WiFi."

Please verify which documentation you're referring to, so that I know we're
on the same page.

On Mon, Feb 22, 2021 at 10:05 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Feb 22, 2021, at 10:46 AM, Tyler Montney <montneytyler at gmail.com>
> wrote:
> >
> > " What is the user system running?  How does it authenticate?"
> >
> > Same OS as FreeRadius, running the Unifi Controller. The controller
> > authenticates wireless users through RADIUS. RADIUS uses LDAP as its user
> > database.
>
>   That really isn't answering my question.
>
>   Do the users have access to the shell on the Unifi controller?  Or are
> the users trying to gain network access via WiFi?
>
>   If it's the second one, then again... what is the user system running?
> How did you configure it?
>
> > "Where does it get the certificates from?"
> >
> > An internal "LetsEncrypt", step-ca.
>
>   That is also not answering my question.  You configured the end-user
> system to use WiFi.  As part of that process, you either did (or didn't)
> configure names, EAP type, certificates, etc.
>
>   So... did you do that?  If so, what did you do?
>
> > "The certificate store you edited is used for web authentication, not
> WiFi."
> >
> > Yes, but the EAP module is pointing to that store. I don't see how that's
> > related to web authentication.
>
>   In most systems, the default certificate stores are different for Web
> and for EAP.  You do NOT want to use the same certificate store for both.
>
> > If I set the LDAP module's "require_cert" to
> > 'demand' (rather than 'allow'), freeradius will refuse to start with a
> > similar error. It fails to connect over LDAPS.
>
>   At this point, it's not at all clear what you're doing, or why.
>
>   You aren't configuring FreeRADIUS using the normal process of putting
> the certs into raddb/certs.  You aren't following any of the available "how
> to" guides for configuring FreeRADIUS, or EAP, or WiFi.
>
>   There is existing documentation which tells you how to configure WiFi.
> Please follow it.
>
>   And please also understand that *end user* systems are different than
> the Unifi controller, where you configure FreeRADIUS.  Those end-user
> systems also need to be configured correctly for EAP / WiFi.  It looks very
> much like you haven't done that.
>
>   Alan DeKok.
>
>
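The point Alan is pressing on above is that the end-user supplicant, not FreeRADIUS, makes the trust decision: when the WiFi client is offered the RADIUS server's EAP certificate, it checks whether the issuer is one of its trusted roots and whether that root's key actually signed the certificate, and "unknown CA" is what it reports when that fails. The following example, added here by the editor and not part of the thread or of FreeRADIUS, reproduces that check in isolation with the `cryptography` library. The CA names ("Lab Root CA", "Other Root CA") and the server name `radius.lab.example` are constructed for the demo; it also shows that a root with the right name but the wrong key is rejected, which is why importing a root certificate into the client does nothing unless it is the same root that issued the server's EAP certificate.

```python
# Added example: the trust decision a WiFi supplicant makes about the RADIUS
# server certificate, reduced to its essentials. All names below are
# constructed for the demo and do not come from the original thread.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime.now(UTC)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca(common_name):
    """Create a self-signed root CA (key, cert) for the demo."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_server_cert(ca_key, ca_cert, common_name):
    """Issue an end-entity cert such as a RADIUS server presents during EAP."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def check_server_cert(server_cert, trusted_roots):
    """Return (ok, reason): is the issuer a trusted root, and did it sign this cert?"""
    issuer = server_cert.issuer
    candidates = [c for c in trusted_roots if c.subject == issuer]
    if not candidates:
        return False, "unknown CA: issuer %s not in trust store" % issuer.rfc4514_string()
    for root in candidates:
        try:
            root.public_key().verify(
                server_cert.signature,
                server_cert.tbs_certificate_bytes,
                ec.ECDSA(server_cert.signature_hash_algorithm),
            )
        except InvalidSignature:
            continue  # same name, different key: keep looking
        nvb = server_cert.not_valid_before.replace(tzinfo=UTC)
        nva = server_cert.not_valid_after.replace(tzinfo=UTC)
        if not (nvb <= NOW <= nva):
            return False, "certificate outside its validity period"
        return True, "chain verified to %s" % root.subject.rfc4514_string()
    return False, "issuer name matches a trusted root, but the signature does not verify"


def demo():
    """Three client trust stores against one RADIUS server certificate."""
    lab_key, lab_root = make_ca("Lab Root CA")
    _, other_root = make_ca("Other Root CA")
    _, impostor_root = make_ca("Lab Root CA")  # right name, different key
    _, radius_cert = issue_server_cert(lab_key, lab_root, "radius.lab.example")
    wrong_root = check_server_cert(radius_cert, [other_root])        # "unknown CA"
    right_root = check_server_cert(radius_cert, [other_root, lab_root])
    same_name = check_server_cert(radius_cert, [impostor_root])      # name is not trust
    return wrong_root, right_root, same_name


if __name__ == "__main__":
    for label, result in zip(("wrong root", "right root", "same name"), demo()):
        print("%-10s ok=%-5s %s" % (label, result[0], result[1]))
```

Real supplicants additionally check the server name and intermediate chain, but the first two results are the ones that decide the "unknown CA" outcome in this thread: only the trust store containing the root that actually issued the EAP certificate succeeds.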
