Netgate Discussion Forum

Freeradius + EAP Certificates

General pfSense Questions
32 Posts, 4 Posters, 25.6k Views

seggerman:
Hi,

Ok, now I understand your problem. I've looked at the document you linked. I have one main difference:

In the authentication section it is posted that for the EAP type you need to select "Geschütztes EAP (PEAP)". I have "Smart Card or other Certificate" (this is the other setting).

If you look here -> http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

it is described that PEAP is similar to TTLS. It is basically a tunnel that is generated. TTLS or PEAP has an inner and an outer layer. One is the certificate, the other is uid/pw. That's why you are being prompted for uid/pw.

For my config I only used EAP (so only the certificate authentication without a tunnel), therefore also the "Smart Card or other Certificate" setting in the EAP type.

Since your computers are not connected to a domain you cannot pass the credentials (that's why you're being prompted).

Now the question is: do you need PEAP, or is EAP sufficient?

Cheers

Alexander
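The distinction seggerman draws above (certificate-only EAP-TLS, which Windows calls "Smart Card or other Certificate", versus PEAP, a TLS tunnel with a second user/password exchange inside it) maps directly onto the eap module configuration of FreeRADIUS. The fragment below is an added illustration written for this thread; it is not the poster's configuration and not what the pfSense package generates. It uses FreeRADIUS 3 syntax, and the file names, the CA name and the inner method are assumptions.

```text
# FreeRADIUS 3 style mods-available/eap (hand-written example; file paths,
# names and the inner method are placeholders, not the pfSense package output).

eap {
    # Method offered first when the client does not ask for a specific one.
    # "tls" = EAP-TLS, Windows' "Smart Card or other Certificate": the
    # client is authenticated by its own certificate, no inner user/password.
    default_eap_type = tls

    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        # The CA that issued both the server and the client certificates
        # ("intern-CA" in the screenshots later in the thread, placeholder file).
        ca_file          = ${cadir}/intern-ca.pem
    }

    tls {
        tls = tls-common
    }

    # PEAP ("Geschütztes EAP (PEAP)" in the German Windows UI): same server
    # certificate and TLS tunnel, but the client is authenticated by a second,
    # inner EAP exchange carrying a username/password. That inner exchange is
    # what produces the credential prompt on a machine outside the domain.
    peap {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
}
```

With only the tls method in use, the server never sees a password; the decision is whether the presented client certificate chains to ca_file, so every machine that should get on the network needs a certificate from that CA. Offering peap as well does not hurt EAP-TLS clients, but a client that picks PEAP will be asked for credentials the inner-tunnel server can check.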
Nachtfalke:

Hi,

I think it would be enough with EAP. It will be better than only MAC address filtering, I think.
I tried with "other certificate or smartcard" but I think I missed some checkboxes there.
Do you have a solution for me on how to configure it the right way?
seggerman:

Nachtfalke,

here are my config screens … in the second screen the "intern-CA" is my CA that is used for the client and server certificate.

I cannot test it on my LAN, since my RADIUS isn't configured for this, but it is identical to my WLAN config. After connecting to the LAN and acquiring an IP address you should be prompted for the certificate needed for the authentication.

Additionally, on your Cisco switch can you explicitly configure the authentication to EAP? So that the switch explicitly uses this authentication method.

If this doesn't work, could you post the config of the Cisco and also the "radiusd -X" log (this then has the config and also the challenge/response during the authentication)?

Regards

Alexander

Attachments: EAP1.png, EAP2.png
Nachtfalke:

Hi,

thanks for your help and screens. I think I did something close to your pics but not every checkbox is the same.
I will try it on Monday.

Thanks.
chunk0r:

Hi,

erm, do I understand you correctly, you use your own RADIUS install and not the package from the pfSense GUI?

Thanks
Chunk0r
Nachtfalke:

@chunk0r:
    Hi,

    erm, do I understand you correctly, you use your own RADIUS install and not the package from the pfSense GUI?

    Thanks
    Chunk0r

seggerman is using his own RADIUS, I am using the pfSense package.
chunk0r:

Thanks,

I'm also confused about wifi access, so I want to connect my AP with the RADIUS server, so that my clients have to authenticate with WPA2 against RADIUS.
So my WPA2 key is the shared secret key of RADIUS? Because if I activate wpa2+eap on my OpenWrt AP, I don't have any other key field.
Metu69salemi:

Your AP is the authenticator for the RADIUS (so you add it like a client at RADIUS).
One place where you can have more info for that is (sorry guys) Microsoft TechNet; there the roles of the devices are explained quite well.
Nachtfalke:

There is a difference between ENCRYPTION and AUTHENTICATION.

The WPA2 key is the key to encrypt the wireless traffic. It is used between the W-AP and the W-Client.

The password for AUTHENTICATION is between RADIUS and AP.
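The two points made in the posts above (the AP is the authenticator and is registered as a client of the RADIUS server; the RADIUS shared secret is the AP-to-RADIUS password, not the WPA2 key) can be seen side by side in the two configuration files involved. This is an added example for the thread, not anyone's posted configuration: the AP side is a hostapd.conf of the kind OpenWrt generates for hostapd, the RADIUS side is a FreeRADIUS clients.conf entry, and the interface, SSID, addresses and the secret are placeholders.

```text
# --- Access point side: hostapd.conf (hand-written example; interface, SSID,
#     addresses and the secret are placeholders)
interface=wlan0
ssid=example-eap
# WPA2 with 802.1X/EAP key management instead of a pre-shared key.
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
ieee8021x=1
# Where the AP, acting as authenticator, forwards the client's EAP exchange.
auth_server_addr=192.0.2.1
auth_server_port=1812
# This is the "password for AUTHENTICATION between RADIUS and AP".
auth_server_shared_secret=REPLACE-WITH-RADIUS-SECRET
# Note: no wpa_passphrase line. With WPA-EAP the per-client pairwise keys
# that encrypt the air link are derived from the EAP exchange (the RADIUS
# server returns the key material with its Access-Accept), so there is no
# single WPA2 key to type in anywhere.

# --- RADIUS side: clients.conf entry that registers the AP as a NAS
client openwrt-ap {
    ipaddr    = 192.0.2.10
    secret    = REPLACE-WITH-RADIUS-SECRET
    shortname = openwrt-ap
}
```

The secret has to match on both sides: every RADIUS packet between AP and server is authenticated with it, and a mismatch shows up in the "radiusd -X" output mentioned earlier as rejected requests from that client, which is the first thing to check when the AP says the server is not answering.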
Metu69salemi:

Quite easy photo, but it's written in Finnish
chunk0r:

ah ok, but where do I save my WPA key if the shared secret is for the client auth?
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.