SOLVED FreeRadius: no more EAP-TLS 'suddenly'
-
G'day,
This is a messy one, and I have no clue how to fix it.
0. pfSense 2.3.2-p1, freeRadius2 1.7.4.
1. I had it running on my pfSenseNR1, with EAP-TLS certificates for smartphones, connecting via Ubiquiti WAPs. This all worked for years.
2. I had to switch my pfSenseNR1 for my pfSenseNR2. This is a similar installation, same software versions, same config. But, to be sure, I created a full config backup on NR1 and restored that on NR2.
3. Now, the smartphones refuse to connect with EAP-TLS: on my Android 6 phones they say 'connecting' and then nothing. On top of that, there is nothing shown in the logs (Status: System Logs. That is, it shows 'loaded virtual server' and 'ready to process requests', but nothing after that).
4. However, when I use PEAP (username/pwd), they do connect! (And that is shown in status: system logs).
5. Would anybody have any clue? Since with EAP-TLS it doesn't generate any logs, I have no clue where to search for the error :-[
Thank you for any help,
Bye,
-
I generated new certificates and installed these on the smartphone and tablet, but the problem remains.
And no clue in the logs.
Could this have something to do with the latest freeradius2-package update from a couple of days ago?
-
I still have no clue, no matter what I do, nothing shows up in the system logs at all, so no clue where to look.
It has worked for years, suddenly it doesn't anymore.
-
For future generations: resetting the shared secret solved it.
A mystery why this kind of vital information isn't logged somewhere.
-
Probably because it's secret… ;D :D
-
Who says it doesn't log TLS? Here is my wife's phone authing via EAP-TLS. What variables did you put into the log?
-
Who says it doesn't log TLS? Here is my wife's phone authing via EAP-TLS. What variables did you put into the log?
I say it doesn't log ;D
WHEN your shared secret is not the same everywhere, so the NAS is not allowed to communicate with RADIUS, there is NO error in the log whatsoever, and so you have no clue where to look. That is why I ended up in this mess.
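The "no error at all" behaviour described in the post above has a protocol basis that is worth seeing in code. Every Access-Request that carries EAP-Message (so every EAP-TLS or PEAP attempt) must also carry a Message-Authenticator, an HMAC-MD5 over the packet keyed with the shared secret (RFC 3579 section 3.2); a server whose copy of the secret differs from the NAS's computes a different HMAC and is required by that RFC to silently discard the packet. The following is an added example, not code from this thread, from pfSense or from FreeRADIUS: it builds such a request the way a NAS would and runs the server-side check against matching and stale secrets. The secrets, User-Name and Request Authenticator are constructed test values, and find_matching_secret is a hypothetical helper for testing candidate secrets against a captured request.

```python
"""RADIUS Access-Request with EAP-Message: why a wrong shared secret is silently dropped.

Added example (not from the thread, pfSense or FreeRADIUS). Secrets, User-Name and
Request Authenticator are constructed. Packet layout per RFC 2865 section 3;
Message-Authenticator per RFC 3579 section 3.2: HMAC-MD5(secret, packet with the
attribute value zeroed).
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code | Identifier | Length | 16-byte Request Authenticator


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1 byte) | Length (1 byte) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP Response/Identity (RFC 3748): Code=2, Identifier, Length, Type=1, identity."""
    return struct.pack("!BBH", 2, eap_id, 5 + len(identity)) + b"\x01" + identity


def build_eap_access_request(secret: bytes, identifier: int, authenticator: bytes,
                             username: bytes, eap_payload: bytes,
                             include_message_authenticator: bool = True) -> bytes:
    """What the NAS sends for an EAP exchange; the HMAC is keyed with the NAS's secret."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(ATTR_EAP_MESSAGE, eap_payload)
    if include_message_authenticator:
        attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + authenticator
    packet = header + attrs
    if not include_message_authenticator:
        return packet
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last attribute, so it is the tail


def iter_attributes(packet: bytes):
    """Yield (type, value_offset, value) per attribute; stop at a malformed length."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check using the server's copy of the client secret.

    False when the Length field is inconsistent, when the attribute is missing
    (RFC 3579 3.1: EAP requests without it should be discarded) or when the HMAC
    does not verify (RFC 3579 3.2: MUST be silently discarded).
    """
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, offset, value in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False


def server_decision(secret: bytes, packet: bytes) -> str:
    """What the RFC tells the server to do with this request under this secret."""
    return "process" if verify_message_authenticator(secret, packet) else "silently discard"


def find_matching_secret(packet: bytes, candidates):
    """Hypothetical helper: which candidate secret did the NAS use for a captured request?"""
    for candidate in candidates:
        if verify_message_authenticator(candidate, packet):
            return candidate
    return None


if __name__ == "__main__":
    nas_secret = b"secret-on-the-WAP"         # constructed
    server_secret = b"secret-in-freeradius"   # constructed: the two copies went out of sync
    request = build_eap_access_request(nas_secret, 7, bytes(range(16)), b"phone",
                                       eap_response_identity(b"phone"))
    print("server with matching secret  :", server_decision(nas_secret, request))
    print("server with stale secret     :", server_decision(server_secret, request))
    print("secret that verifies capture :", find_matching_secret(request, [server_secret, nas_secret]))
```

Whether that discard produces a log line is left to the implementation and its log level; the RFC itself asks for silence, so the practical check when EAP stops working after a restore is to capture UDP/1812 on the RADIUS host and confirm that requests arrive but no Access-Challenge goes back, then re-enter the secret on both sides. The same HMAC structure is also why a captured Access-Request lets anyone try candidate secrets offline, exactly as find_matching_secret does, so the shared secret should be long and random rather than a word.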
-
Not sure about your case of (non)logging, but… https://redmine.pfsense.org/issues/6928
(Certainly not keen on seeing that heap of code anytime soon again.)