Freeradius CRL Problem - combined CA and CRL don't work
Alan DeKok
aland at deployingradius.com
Sat Jun 29 13:51:52 UTC 2024
On Jun 29, 2024, at 9:10 AM, PiotrChm <piotrchm93 at gmail.com> wrote:
> Dear community, I am asking for help. I've been struggling with configuring Freeradius in my home lab for several days. And I've reached a wall that I can't overcome.
> What does the architecture look like:
http://wiki.freeradius.org/list-help
What we need to see is the debug output of the server. That tells us what is going on. Most of the rest of the information here isn't helpful. The documentation above also says "don't post the configuration files". It's not useful.
> My main problem is the CRL not working.
What does that mean?
The server produces messages when it runs. Either it produces messages that there's an error with the CRL, or it produces messages that it's checking the CRL, or it produces no messages about the CRL.
The actual error is in those messages. "It didn't work" is a description which is so vague as to be meaningless.
> I made a combined rootCA+CRL certificate in pem.
> I deleted the .cnf files in /etc/freeradius/3.0/certs because I don't want to use an external CA (xCA).
Those are just configuration files, used to create certs. They're not used for anything while the server is running. The documentation in that directory makes this clear.
> sudo freeradius -XC => Configuration appears to be OK
> Then start freeradius -X => shows no errors
Maybe it shows some other information. i.e. if you're not familiar with FreeRADIUS, then you can likely read that, and miss a meaningful message. That's why the documentation says to post the debug output to the list.
> Here is my second question - is it possible to set double authorization, i.e. the user must have an installed certificate and then provide the login and password from AD to connect to WiFi?
That depends on the EAP method. TTLS and PEAP can do this (mostly, sometimes). But it depends on the client software.
> Below are the configuration files (most # comments removed, I left a few for example)
Nearly all of this is not helpful.
Please read the documentation. Please follow the instructions.
Alan DeKok.