[EXTERNAL] - Re: EAP failure when using production certificates

Alan DeKok aland at deployingradius.com
Wed Feb 9 21:21:57 UTC 2022


On Feb 9, 2022, at 4:17 PM, Wayne Fillmer <wfillmer at opentext.com> wrote:
> 
> Thank you kindly. After reading your email I performed the following:
> 
> 1 - removed existing certs in /etc/freeradius/3.0/certs using: rm -f *.pem *.der *.csr *.crt *.key .p12 serial*  index.txt*

  Why?  I said that the supplicant was misconfigured.  Changing FreeRADIUS won't help, unless you figure out which CA is used on the supplicant, and then configure FreeRADIUS to use the same CA.

> 2 - Using the .cnf I included excerpts for I ran:
>     make ca.pem
>     make client.pem
>     make server.pem
> 3 - I copied the new files from /etc/freeradius/3.0/certs to a freshly formatted USB drive
> 4 - rebooted the system

  So... lots of extra work, for no real benefit.

> 5 - start the server: sudo freeradius -X
> 6 - factory reset WPA system to clear possibility of stale certificates
> 6 - imported the new ca and client certificates from the USB into the WPA supplicant (linux platform)

  Apparently not.  Because you're still getting the "unknown CA" error.

> 7 - attempt PEAP with bob/hello (also tried TLS/TTLS).

  Because EAP-TLS, TTLS, and PEAP all use the same CA configuration.

  You won't fix the problem by randomly changing the FreeRADIUS configuration, or by randomly creating new certificates.  You have to find out WHY the supplicant is not using the certificates you've configured.

  Import the correct CA into the supplicant, in the right location, and verify that the supplicant is using it.

  How do you do this?  See the OS documentation for how to do this.  Well, there's a million different supplicants, Linux distributions, etc.  We can't document (or even keep up with) every possible Linux distribution.

  Alan DeKok.
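The check Alan is describing, as an added example that is not part of the list message or of FreeRADIUS itself: a throwaway openssl setup in which a server certificate is signed by one CA and then verified against both that CA and a different one, reproducing the "unknown CA" failure the supplicant reports when its trust store holds the wrong CA. It assumes `openssl` is on PATH; the names `radius-ca`, `stale-ca` and `server` and the temp directory are constructed for the demo, not FreeRADIUS's `certs/` layout.

```shell
#!/bin/sh
# Added example: reproduce the "unknown CA" condition offline with openssl.
# Two throwaway CAs, a server cert signed by the first, and a verify step
# that shows which CA the server cert really chains to.
set -eu

WORK="$(mktemp -d)"                      # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA key and cert (constructed, 1-day validity)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_server <ca-name> <server-name>: server cert signed by that CA
make_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# issuer_of <cert-name>: the Issuer DN of a cert. On the supplicant this
# must match the Subject DN of a CA in its trust store.
issuer_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -issuer
}

# verify_status <ca-name> <server-name>: "trusted" when the server cert
# chains to that CA (the supplicant's view of the server), else "unknown-ca".
verify_status() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo unknown-ca
    fi
}

make_ca radius-ca          # the CA that actually signed the server cert
make_ca stale-ca           # a different CA, e.g. one left on the supplicant
make_server radius-ca server

issuer_of server                                       # mentions radius-ca
echo "radius-ca -> $(verify_status radius-ca server)"  # trusted
echo "stale-ca  -> $(verify_status stale-ca server)"   # unknown-ca
```

The second result is the same situation as the supplicant's "unknown CA": the certificate itself is fine, but the CA it chains to is not the one in the trust store being consulted.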


