Netgate Discussion Forum
    Setting up Freeradius - Not getting client prompt for Cert acceptance [RESOLVED]

    pfSense Packages
      ck42

      Setting up Freeradius for EAP-PEAP and believe I have everything set up and ready to go.  The problem is that when I have a client attempt to connect, I never see the prompt for the server cert I created in the pfSense cert manager.

      Have tried on two separate Win7 clients.  Not sure where to go from here.

      rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=119, length=224
              User-Name = "chris"
              Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
              Calling-Station-Id = "00-27-10-51-50-F4"
              Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
              Symbol-Current-ESSID = "NULL-T"
              NAS-Port = 1
              NAS-Port-Type = Wireless-802.11
              Framed-MTU = 1400
              Service-Type = Framed-User
              NAS-IP-Address = 192.168.0.101
              NAS-Identifier = "7131-DRm"
              NAS-Port-Id = "radio2"
              Connect-Info = "CONNECT 300Mbps 802.11an"
              EAP-Message = 0x0201000a016368726973
              Message-Authenticator = 0xec13edf1bb0cbebf4d17ceb0b0cd1b8e
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authorize {...}
      ++[preprocess] returns ok
      ++[chap] returns noop
      ++[mschap] returns noop
      ++[digest] returns noop
      [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
      ++[suffix] returns noop
      [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
      ++[ntdomain] returns noop
      [eap] EAP packet type response id 1 length 10
      [eap] No EAP Start, assuming it's an on-going EAP conversation
      ++[eap] returns updated
      [files] users: Matched entry chris at line 2
      ++[files] returns ok
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[daily] returns noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[weekly] returns noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[monthly] returns noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[forever] returns noop
      rlm_checkval: Item Name: Calling-Station-Id, Value: 00-27-10-51-50-F4
      rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
      ++[checkval] returns notfound
      ++[expiration] returns noop
      ++[logintime] returns noop
      [pap] Normalizing MD5-Password from hex encoding
      [pap] WARNING: Auth-Type already set.  Not setting to PAP
      ++[pap] returns noop
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authenticate {...}
      [eap] EAP Identity
      [eap] processing type tls
      [tls] Initiate
      [tls] Start returned 1
      ++[eap] returns handled
      Sending Access-Challenge of id 119 to 192.168.0.101 port 1071
              EAP-Message = 0x010200061920
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0x049e6912049c7011beb991aee0a3b1c2
      Finished request 30.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=120, length=337
              User-Name = "chris"
              Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
              Calling-Station-Id = "00-27-10-51-50-F4"
              Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
              Symbol-Current-ESSID = "NULL-T"
              NAS-Port = 1
              NAS-Port-Type = Wireless-802.11
              Framed-MTU = 1400
              Service-Type = Framed-User
              NAS-IP-Address = 192.168.0.101
              NAS-Identifier = "7131-DRm"
              NAS-Port-Id = "radio2"
              Connect-Info = "CONNECT 300Mbps 802.11an"
              State = 0x049e6912049c7011beb991aee0a3b1c2
              EAP-Message = 0x0202006919800000005f160301005a010000560301515cd999803d50ec34314f837e3ca5a084ded764701a3ca7abf7fa16edaf277b000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
              Message-Authenticator = 0x30375bd20ca2e7ae301002aab17c6913
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authorize {...}
      ++[preprocess] returns ok
      ++[chap] returns noop
      ++[mschap] returns noop
      ++[digest] returns noop
      [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
      ++[suffix] returns noop
      [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
      ++[ntdomain] returns noop
      [eap] EAP packet type response id 2 length 105
      [eap] Continuing tunnel setup.
      ++[eap] returns ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authenticate {...}
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
        TLS Length 95
      [peap] Length Included
      [peap] eaptls_verify returned 11 
      [peap]     (other): before/accept initialization
      [peap]     TLS_accept: before/accept initialization
      [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello  
      [peap]     TLS_accept: SSLv3 read client hello A
      [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello  
      [peap]     TLS_accept: SSLv3 write server hello A
      [peap] >>> TLS 1.0 Handshake [length 097e], Certificate  
      [peap]     TLS_accept: SSLv3 write certificate A
      [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
      [peap]     TLS_accept: SSLv3 write server done A
      [peap]     TLS_accept: SSLv3 flush data
      [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
      In SSL Handshake Phase 
      In SSL Accept mode  
      [peap] eaptls_process returned 13 
      [peap] EAPTLS_HANDLED
      ++[eap] returns handled
      Sending Access-Challenge of id 120 to 192.168.0.101 port 1071
              EAP-Message = […]
              EAP-Message = […]
              EAP-Message = […]
              EAP-Message = […]
              EAP-Message = 0x120603550403130b696e7465
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0x049e6912059d7011beb991aee0a3b1c2
      Finished request 31.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=121, length=238
              User-Name = "chris"
              Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
              Calling-Station-Id = "00-27-10-51-50-F4"
              Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
              Symbol-Current-ESSID = "NULL-T"
              NAS-Port = 1
              NAS-Port-Type = Wireless-802.11
              Framed-MTU = 1400
              Service-Type = Framed-User
              NAS-IP-Address = 192.168.0.101
              NAS-Identifier = "7131-DRm"
              NAS-Port-Id = "radio2"
              Connect-Info = "CONNECT 300Mbps 802.11an"
              State = 0x049e6912059d7011beb991aee0a3b1c2
              EAP-Message = 0x020300061900
              Message-Authenticator = 0x69f5705b94d25d326a384f8cf51bb08b
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authorize {...}
      ++[preprocess] returns ok
      ++[chap] returns noop
      ++[mschap] returns noop
      ++[digest] returns noop
      [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
      ++[suffix] returns noop
      [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
      ++[ntdomain] returns noop
      [eap] EAP packet type response id 3 length 6
      [eap] Continuing tunnel setup.
      ++[eap] returns ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authenticate {...}
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
      [peap] Received TLS ACK
      [peap] ACK handshake fragment handler
      [peap] eaptls_verify returned 1 
      [peap] eaptls_process returned 13 
      [peap] EAPTLS_HANDLED
      ++[eap] returns handled
      Sending Access-Challenge of id 121 to 192.168.0.101 port 1071
              EAP-Message = […]
              EAP-Message = 0xac20314f9daa1886266946fd8bebdcf6151f91da71f7f8ff1da25d7c1be1c6a25122b168631390aa8f86040fd7f2f824e6cfed20bb0c91f3a88fb1e204678be24edd2e1eec1dc135ef0004803082047c30820364a003020102020100300d06092a864886f70d010105050030818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430120603550403130b696e7465726e616c2d6361301e170d31
              EAP-Message = 0x33303430343030353833385a170d3233303430323030353833385a30818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430120603550403130b696e7465726e616c2d636130820122300d06092a864886f70d01010105000382010f003082010a0282010100a6411b08e5017a5b84564912b8b59327f7c24a30f816a915b0af31c48564b6024058e0599324c7162df9bd3593e562d91c9cab3e
              EAP-Message = 0x790713244ad3493e809c5bb1794a547f1683b692bec74d8bc2fb7d7bdeafc832d0f8020175491d33c66b9e977cec8f7899b5b2791d3d19c0324ef3ea7dada2c524949de71959a9711ab62941e12d47561b90af29f3832f00d3dc5447cde009b051160bea1a1ca32fa6a0512f86dd2a29620c871f47a43565f7046490f69697ecad39152dd19f45a4f98cee64b5e80b39913d9cb9cd55294ef979ce699ad039db1de7a474699e4b998a5c4315c924f0ac98b21838a881a32b1fad6a0b32a2e1eac0b49b4aa2dc9d1f22efac570203010001a381ea3081e7301d0603551d0e041604140ffb11356c6450890b4abe34d471c347b066369d3081b70603551d
              EAP-Message = 0x230481af3081ac80
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0x049e6912069a7011beb991aee0a3b1c2
      Finished request 32.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=122, length=238
              User-Name = "chris"
              Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
              Calling-Station-Id = "00-27-10-51-50-F4"
              Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
              Symbol-Current-ESSID = "NULL-T"
              NAS-Port = 1
              NAS-Port-Type = Wireless-802.11
              Framed-MTU = 1400
              Service-Type = Framed-User
              NAS-IP-Address = 192.168.0.101
              NAS-Identifier = "7131-DRm"
              NAS-Port-Id = "radio2"
              Connect-Info = "CONNECT 300Mbps 802.11an"
              State = 0x049e6912069a7011beb991aee0a3b1c2
              EAP-Message = 0x020400061900
              Message-Authenticator = 0x1d3fd076d700c45bfbbbd5acdf9171c1
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authorize {...}
      ++[preprocess] returns ok
      ++[chap] returns noop
      ++[mschap] returns noop
      ++[digest] returns noop
      [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
      ++[suffix] returns noop
      [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
      ++[ntdomain] returns noop
      [eap] EAP packet type response id 4 length 6
      [eap] Continuing tunnel setup.
      ++[eap] returns ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authenticate {...}
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
      [peap] Received TLS ACK
      [peap] ACK handshake fragment handler
      [peap] eaptls_verify returned 1 
      [peap] eaptls_process returned 13 
      [peap] EAPTLS_HANDLED
      ++[eap] returns handled
      Sending Access-Challenge of id 122 to 192.168.0.101 port 1071
              EAP-Message = […]
              EAP-Message = 0x5f01fb8b70a32589336685f9fa23ae42d2e7c620f8c1a6cc05b709fb8a5b87b841b1c3390529db1c2b3d3d8d1add0b48ae16f5c60c1245487096b531172114692c176338aa97a871479000defbc5caf42821d93c1fb7dea1a69e2851aab6a9fe73a5a1dfdce1ec55a0555576f6b03eba2dd3e2f28ddf87e9cb13bb692fb784b3e5e22befdfedc164c93d4d89098272cb0a7740c9cf7e1bd676fb0059b82fd33a3661055a1ccf7f70ea0a9c39aadb6a9214b838e4dacefaabab7a70e643ea1acdfea09f7942cf34c3ddc0d386290f5643dbacce0f05a216030100040e000000
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0x049e6912079b7011beb991aee0a3b1c2
      Finished request 33.
      Going to the next request
      Waking up in 4.7 seconds.
      rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=123, length=249
              User-Name = "chris"
              Acct-Session-Id = "6896F9E0-0027105150F4-0000000950"
              Calling-Station-Id = "00-27-10-51-50-F4"
              Called-Station-Id = "00-23-68-95-2C-42:NULL-T"
              Symbol-Current-ESSID = "NULL-T"
              NAS-Port = 1
              NAS-Port-Type = Wireless-802.11
              Framed-MTU = 1400
              Service-Type = Framed-User
              NAS-IP-Address = 192.168.0.101
              NAS-Identifier = "7131-DRm"
              NAS-Port-Id = "radio2"
              Connect-Info = "CONNECT 300Mbps 802.11an"
              State = 0x049e6912079b7011beb991aee0a3b1c2
              EAP-Message = 0x0205001119800000000715030100020230
              Message-Authenticator = 0x0c8648b9543098dcc1f4cdd8f0d13113
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authorize {...}
      ++[preprocess] returns ok
      ++[chap] returns noop
      ++[mschap] returns noop
      ++[digest] returns noop
      [suffix] No '@' in User-Name = "chris", skipping NULL due to config.
      ++[suffix] returns noop
      [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config.
      ++[ntdomain] returns noop
      [eap] EAP packet type response id 5 length 17
      [eap] Continuing tunnel setup.
      ++[eap] returns ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group authenticate {...}
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
        TLS Length 7
      [peap] Length Included
      [peap] eaptls_verify returned 11 
      [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca  
      TLS Alert read:fatal:unknown CA
          TLS_accept: failed in SSLv3 read client certificate A
      rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
      SSL: SSL_read failed inside of TLS (-1), TLS session fails.
      TLS receive handshake failed during operation
      [peap] eaptls_process returned 4 
      [peap] EAPTLS_OTHERS
      [eap] Handler failed in EAP/peap
      [eap] Failed in EAP select
      ++[eap] returns invalid
      Failed to authenticate the user.
              expand:  -> 
      Login incorrect (TLS Alert read:fatal:unknown CA): [chris/<via auth-type="EAP">] (from client testAP port 1 cli 00-27-10-51-50-F4) 
      Using Post-Auth-Type Reject
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +- entering group REJECT {...}
      [attr_filter.access_reject]     expand: %{User-Name} -> chris
      attr_filter: Matched entry DEFAULT at line 11
      ++[attr_filter.access_reject] returns updated
      Delaying reject of request 34 for 1 seconds
      Going to the next request
      Waking up in 0.9 seconds.
      Sending delayed reject for request 34
      Sending Access-Reject of id 123 to 192.168.0.101 port 1071
              EAP-Message = 0x04050004
              Message-Authenticator = 0x00000000000000000000000000000000
      Waking up in 3.7 seconds.
      Cleaning up request 30 ID 119 with timestamp +998
      Cleaning up request 31 ID 120 with timestamp +998
      Cleaning up request 32 ID 121 with timestamp +998
      Cleaning up request 33 ID 122 with timestamp +998
      Waking up in 1.2 seconds.
      Cleaning up request 34 ID 123 with timestamp +999
      Ready to process requests.
      
        Nachtfalke

        You have to create the CA and server cert in the pfSense "Cert Manager" or import them from somewhere else.
        After that go to:
        services –> freeradius --> EAP
        Select "Choose pfSense Cert Manager"
        empty the private key password - you do not need one
        select your CA
        select your SERVER cert
        click save

        Sometimes it could help to click a second time "Save".

        On Windows you must make sure that the client is set to verify the CA. This is not always the case, and it can be disabled.
        Take a look here. It shows you the "validate server certificate" setting.
        http://i.technet.microsoft.com/dynimg/IC120658.gif

        http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#PEAP_and_MSCHAPv2

          ck42

          That's pretty much how I have it set up.  The only difference was that I had set a Private Key password in the Certificates for TLS section in the EAP tab.  Tried saving a couple extra times too.
          No difference in the behavior though.

            Nachtfalke

            You can try to go to

            /usr/local/etc/raddb/certs/
            

            and delete the certificates there.

            After that go back to the GUI, select your CA and server cert and click save, and make sure it places the certificates in the path I posted above.
            If it does then it should be ok.

            With the GUI tab "View config" you can check eap.conf if it points to the correct certificates.

            Did you disable the weak EAP types? If you disabled them, please try to enable them and try again.

            From googling:
            Are you using an intermediate certificate?

              ck42

              Before I actually delete anything in the certs directory, are you saying that I should delete all the files or just certain ones?

              I have already disabled the weak EAP types.  Once I get an answer for the above, I'll try with and w/o again.
              Regarding the Intermediate cert, don't think I am since I didn't do anything to set this up.  Just trying to set up a self-signed cert at this point…and from what I've been reading, I probably don't even want to use a root CA cert, for security reasons.  If you feel like responding to this subject, would love to hear your thoughts.  ;D

              [EDIT]
              In Cert Manager->Certificates, I deleted the existing CA and server certs I had previously created and then regenerated them.
              Looking in the /certs dir, I do see new instances of (ca_cert.pem, ca_key.pem, server_cert.pem, and server_key.pem).
              Also enabled the weak EAP option.

              Still not being prompted to accept the cert though.

              Regarding the Intermediate cert: I'm assuming that I use the 'Create an Internal CA' option.  I did NOT use the Intermediate option.

              [EDIT-2]
              Found the culprit.
              Apparently, I needed to have the User 'Password Encryption' set to Cleartext, instead of MD5.

                Nachtfalke

                Yes of course. User password encryption must be cleartext. I didn't think of this.  ::)
                The encryption on "Users" encrypts just the password in the users file. But if you do so then the authentication module must be able to decode this one. I am not too familiar with that but as far as I know this works with PAP.

                  ck42

                  So it looks like I'm 99% there.

                  If I configure the client to validate the server cert but do not specify any certs in the trusted root CA list, I get the 'Credentials provided by the server couldn't be validated' warning, and can choose to accept and connect…and it works.

                  But, next I:
                  Export the ca.crt from pfsense (Cert Manager->Certificates) and then import it into the Win7 client (added to both the Personal and root CA stores)
                  Reconfigure the client to validate the server cert that I imported, which is now listed in the trusted root CA list
                  Upon trying to connect, I enter my login info and then I get the message that I'm unable to connect.

                  Looking at the CLI logs, I once again see messages:

                  [peap] eaptls_verify returned 11
                  [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca  
                  TLS Alert read:fatal:unknown CA
                     TLS_accept: failed in SSLv3 read client certificate A

                  Seems like the client supplicant isn't making use of the ca cert I imported.
                  I've tried deleting the cert on the client (using mmc) and re-importing the ca cert again.  No luck.

                  [EDIT] Fixed it.
                  Apparently I have a lot to learn about certs.
                  I needed to export the CA cert that is listed under the "CAs" tab in the Cert Manager.
                  What I had done was to export the cert that I thought was the CA cert that I created and was listed under the "certificates" tab.
                  Still don't know the how/why this fixed it, but I'd really like to understand this better!  ;D

                    Nachtfalke

                    The client certificate and client key is for the clients only.
                    The server certificate and key is for the server only.

                    The CA certificate can be used by anyone but never never give the CA key to someone else or this person is able to create unlimited certificates based on this CA.

                    The validation for the CA certificate is more a thing for the user on the client. If a client connects to a server whose CA is called "My little bunnies" but you want to connect to a server called "My Company", then the user should be careful and make sure he really wants to connect to the "wrong" server.

                    On the server side the server checks the client certificate against the CA and with the CA key it is possible to verify if this client certificate is really created from that CA or from another.

                    I am no CA/certificate expert but I hope this could help you a little bit. So to make it short:
                    If you give something to a client then just:

                    • CA.cert (not CA.key)

                    • Client.cert

                    • Client.key

                    These things could come together in a .p12 file or in single files. It could be .crt, .pem, .der which is mostly the same but different formats for different systems.

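Why the wrong export produced `unknown CA`, and what the `radiusd -X` output already tells you, as an added example that is not code from the thread or from the pfSense package: in both log excerpts the alert line reads `<<< TLS 1.0 Alert [length 0002], fatal unknown_ca`, and `<<<` marks data the server read from the client, so it is the Windows supplicant that is rejecting the chain, not the server rejecting anything. The Access-Challenge packets carry that chain byte for byte in their EAP-Message attributes, and the certificate that starts inside the fragment of id 121 has subject equal to issuer (CN=internal-ca): that self-signed certificate is the CA from the "CAs" tab, the one the client must hold as a trusted root, while a certificate issued by it (the entry under "Certificates") is not a trust anchor. The script below reassembles the EAP-Message hex, locates the X.509 v3 certificates, parses only issuer, validity and subject with a small DER reader (so the fragment cut off in the log still works) and lists the alerts with their direction. The sample input is two consecutive EAP-Message lines and the alert line copied from the posts above; the function names are the example's own, and a full capture (every EAP-Message line of every challenge) will list the server certificate as well.

```python
"""Added example (not from the thread or the pfSense package): read FreeRADIUS
`radiusd -X` output, pull the X.509 certificates the server sent inside the PEAP
TLS handshake out of the EAP-Message attributes, and say which one is the CA."""
import re

# Constructed sample: lines copied from the thread.  The two EAP-Message lines are
# consecutive attributes of the Access-Challenge with id 121 (the line before them is
# not available), so the certificate is cut off; the alert line is from request id 123.
SAMPLE_LOG = """\
        EAP-Message = 0xac20314f9daa1886266946fd8bebdcf6151f91da71f7f8ff1da25d7c1be1c6a25122b168631390aa8f86040fd7f2f824e6cfed20bb0c91f3a88fb1e204678be24edd2e1eec1dc135ef0004803082047c30820364a003020102020100300d06092a864886f70d010105050030818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430120603550403130b696e7465726e616c2d6361301e170d31
        EAP-Message = 0x33303430343030353833385a170d3233303430323030353833385a30818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430120603550403130b696e7465726e616c2d636130820122300d06092a864886f70d01010105000382010f003082010a0282010100a6411b08e5017a5b84564912b8b59327f7c24a30f816a915b0af31c48564b6024058e0599324c7162df9bd3593e562d91c9cab3e
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
"""

OID_NAMES = {"550406": "C", "550408": "ST", "550407": "L", "55040a": "O",
             "55040b": "OU", "550403": "CN", "2a864886f70d010901": "emailAddress"}
# Start of an X.509 v3 certificate: SEQUENCE { SEQUENCE { [0] INTEGER 2 ... } ... }
CERT_START = re.compile(r"3082([0-9a-f]{4})3082[0-9a-f]{4}a003020102")
ALERT = re.compile(r"(<<<|>>>) TLS [\d.]+ Alert \[length [0-9a-f]+\], (\w+) (\w+)")


def eap_payload_hex(log_text):
    """Concatenate the hex of every `EAP-Message = 0x...` line, in log order."""
    return "".join(re.findall(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+)", log_text)).lower()


def der_tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end).
    value_end may lie past len(buf) when the capture is truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def parse_name(buf, pos, end):
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE { OID, value } -> [(attr, value)]."""
    rdns = []
    while pos < end:
        _, set_start, set_end = der_tlv(buf, pos)
        _, seq_start, _ = der_tlv(buf, set_start)
        _, oid_start, oid_end = der_tlv(buf, seq_start)
        _, val_start, val_end = der_tlv(buf, oid_end)
        oid = buf[oid_start:oid_end].hex()
        rdns.append((OID_NAMES.get(oid, oid), buf[val_start:val_end].decode("latin-1")))
        pos = set_end
    return rdns


def parse_cert(buf):
    """Issuer, validity and subject of a v3 certificate.  Nothing after the subject
    (public key, extensions, signature) is read, so a blob cut off in the log parses."""
    _, tbs, _ = der_tlv(buf, 0)                   # Certificate
    _, pos, _ = der_tlv(buf, tbs)                 # tbsCertificate
    for _ in range(3):                            # [0] version, serialNumber, signature
        _, _, pos = der_tlv(buf, pos)
    _, start, end = der_tlv(buf, pos)             # issuer
    issuer = parse_name(buf, start, end)
    _, start, val_end = der_tlv(buf, end)         # validity
    _, nb, nb_end = der_tlv(buf, start)
    _, na, na_end = der_tlv(buf, nb_end)
    _, start, end = der_tlv(buf, val_end)         # subject
    subject = parse_name(buf, start, end)
    return {"issuer": issuer, "subject": subject, "self_signed": issuer == subject,
            "not_before": buf[nb:nb_end].decode(), "not_after": buf[na:na_end].decode()}


def certs_in_log(log_text):
    """Every v3 certificate found in the EAP payload, with a 'complete' flag."""
    payload, found = eap_payload_hex(log_text), []
    for m in CERT_START.finditer(payload):
        if m.start() % 2:                         # hex match must be byte aligned
            continue
        declared = int(m.group(1), 16) + 4        # outer SEQUENCE length plus header
        raw = bytes.fromhex(payload[m.start():m.start() + 2 * declared])
        info = parse_cert(raw)
        info["complete"] = len(raw) == declared
        found.append(info)
    return found


def tls_alerts(log_text):
    """[(direction, level, description)]; '<<<' is data the server read from the client."""
    return ALERT.findall(log_text)


def cn(name):
    return dict(name).get("CN", "?")


def report(log_text):
    lines = []
    for c in certs_in_log(log_text):
        role = ("self-signed CA: this is the file to put in the supplicant's trusted roots"
                if c["self_signed"] else "issued certificate (server or client): not a trust anchor")
        lines.append(f"subject CN={cn(c['subject'])}, issuer CN={cn(c['issuer'])}, "
                     f"valid {c['not_before']} to {c['not_after']}: {role}"
                     + ("" if c["complete"] else " [DER truncated in log]"))
    for direction, level, desc in tls_alerts(log_text):
        sender = "the client" if direction == "<<<" else "the server"
        lines.append(f"TLS alert {level} {desc} was sent by {sender}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a complete `radiusd -X` capture of one failed attempt and the two questions from the thread answer themselves: the self-signed entry is the CA to export from the "CAs" tab, and an alert arriving as `<<<` means the supplicant, not the server, refused the chain.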
                      ck42

                      Thanks, Nachtfalke!

                      I've got everything working at this point….finally.  ;D

                      Your explanations of the different files help too!  Much appreciated!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.