[EXTERNAL] - Re: EAP failure when using production certificates
Wayne Fillmer
wfillmer at opentext.com
Wed Feb 9 22:24:33 UTC 2022
> > 1 - removed existing certs in /etc/freeradius/3.0/certs using: rm -f *.pem *.der *.csr *.crt *.key .p12 serial* index.txt*
> Why? I said that the supplicant was misconfigured. Changing FreeRADIUS
> won't help, unless you figure out which CA is used on the supplicant, and
> then configure FreeRADIUS to use the same CA.
My mistake, I thought you were implying that I imported the wrong CA from my USB stick. The certificate import routine on the supplicant was already working and has not changed, so when you said I did not install the correct CA on the supplicant, I misunderstood the meaning.
> > 2 - Using the .cnf I included excerpts for I ran:
> > make ca.pem
> > make client.pem
> > make server.pem
> > 3 - I copied the new files from /etc/freeradius/3.0/certs to a freshly formatted USB drive
> > 4 - rebooted the system
>
> So... lots of extra work, for no real benefit.
Correct. I have been doing similarly busy but unproductive work for several days.
> > 5 - start the server: sudo freeradius -X
> > 6 - factory reset WPA system to clear possibility of stale certificates
> > 6 - imported the new ca and client certificates from the USB into the WPA supplicant (linux platform)
>
> Apparently not. Because you're still getting the "unknown CA" error.
Until this moment I have been focused on troubleshooting the freeRADIUS implementation and new production certificates because that is what is new. I had a server on this network that was working, but the certificates expired. Since we had to update the system hardware anyway, I used the opportunity to install a new instance of freeRADIUS. The WPA supplicant implementation has not changed other than the newly created/imported certificates.
> You won't fix the problem by randomly changing the FreeRADIUS
> configuration, or by randomly creating new certificates. You have to find out
> WHY the supplicant is not using the certificates you've configured.
Key info, cheers.
> Import the correct CA into the supplicant, in the right location, and verify
> that the supplicant is using it.
Ok - I can do this. Maybe we have a bug in the way our supplicant is handling expired certificates. I will take a close look. I appreciate your super fast responsiveness with this.
More information about the Freeradius-Users mailing list
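
One way to carry out the check the quoted reply asks for (confirm that the CA file held by the supplicant is the one that issued the server certificate), as an added example that is not part of the original thread. The function names, file names and the throwaway demo PKI are constructed for illustration; on a real system the arguments would be the CA file copied back from the supplicant and the ca.pem and server.pem in /etc/freeradius/3.0/certs.

```shell
#!/usr/bin/env bash
# Added example. All file names and subject names below are constructed.

# SHA-256 fingerprint of a PEM certificate (compare this on both machines).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if certificate $2 chains to the CA file $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Classify the CA file found on the supplicant ($1) against the CA file
# ($2) and server certificate ($3) that the RADIUS server uses.
check_supplicant_ca() {
    if ! chains_to "$1" "$3"; then
        echo "MISMATCH: supplicant CA did not issue the server certificate"
    elif [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; then
        echo "OK: same CA file on both sides"
    else
        echo "OK: different file, but it still validates the server certificate"
    fi
}

# Constructed demo PKI: $1 = directory, $2 = CA label.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA $2" \
        -keyout "$1/ca-$2.key" -out "$1/ca-$2.pem" 2>/dev/null
}

make_server_cert() {   # $1 = directory, $2 = label of the issuing CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca-$2.pem" \
        -CAkey "$1/ca-$2.key" -CAcreateserial -days 2 \
        -out "$1/server.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir" new      # CA that issued the current server certificate
make_ca "$demo_dir" old      # stand-in for a stale CA left on a supplicant
make_server_cert "$demo_dir" new
check_supplicant_ca "$demo_dir/ca-new.pem" "$demo_dir/ca-new.pem" "$demo_dir/server.pem"
check_supplicant_ca "$demo_dir/ca-old.pem" "$demo_dir/ca-new.pem" "$demo_dir/server.pem"
```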