FreeRadius3 EAP-TLS error
I've taken the plunge into radius authentication for my network. I was able to get it working with pfSense 2.4.3, pfSense package FreeRadius3 0.15.5, Unifi uap-ac-lite fw 188.8.131.5264 connected to controller version 5.7.20 using VLAN trunking for all four SSIDs, and an android 6.0 device. The radius authentication mechanism was EAP-PEAP using MSCHAPv2.
However, after following the pfSense guide to configure EAP-TLS (https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS) I get the following errors in the pfSense general log while trying to connect.
tls: TLS_accept: Error in error
Login incorrect (Failed retrieving values required to evaluate condition): [testuser] (from client wap1 port 0 cli C0-EE-FB-XX-XX-XX)
Any thoughts? Does anyone have a working configuration with this hardware they'd like to share?
Thanks in advance!
So right after I posted this someone updated a thread related to Freeradius2 on pfSense. Within the first couple posts I was able to find hints about the certificate revocation list being the culprit. I set it to none in my configuration and EAP-TLS works now.
the error you describe is generic. It could mean, that the particular user doesnt exist, ot attributes for that user dont match, or even an issue with the certificate matching parameters in the eap portion of the config. there should be another error along with the error you describe, that lists a code number. Try to replicate the issue, then check the log again.
this works, but revocation will not work. so if you revoke a cert, the authentication will still pass. If you want to be able to revoke certs, and have free radius honor that, then follow what worked for me:
I have found the workaround solutions posted in the forums, for free radius and a functioning CRL, do not quite work.
The workarounds listed:
semi work. The problem is, the manual changes are wiped away easily. i.e. a change in the radius config (i.e. a user attribute), will cause the radius.conf and the cert files to be overwritten. A little background on my system:
-Free radius v3
-pfsense v2.42 p1
Now, i think i may have found a workaround, that is "sticky". It follows the same method as listed in this thread (https://sites.google.com/site/techbobbins/home/articles/freeradius-and-crls), but instead of appending the CA/CRL in the same file via the CAT command, append the CRL via the pfsense GUI to the CA cert body. This way, every time you reload freeradius, it reads form the PFSENSE Cert files, and now everything works.
Also, i found if you configure sub CA's, free radius has issues with that. So, a work around for that, is to:
-create your root CA
-create sub CA
-create crl for sub ca
-then, "import" a CA. the cert body will be the root->sub->crl
-create free radius server cert
-in free radius, use the "import" CA, and the free radius server cert
..i found if you dont do this, free radius will error with error 19, self signed in the chain. Understand the reason to use sub certs is for security, as i understand root CA's are designed to create sub CA's, not user or server certs. This way, if sub CA is copromised, you dont have to recreate cert chain, just that particular sub ca.
I dont claim to be a PKI expert, but the above worked for me.
–-note, for revocation to work, you will have to re-paste the CRL info back into the "import" cert, and restart radius. note, that restarting radius via the GUI, i.e services click the restart gear, does not work. I found i needed to make a change to free radius, i.e change a setting in the eap config, save it, then set it back, svae it. this seems to trigger a true radius restart.
hope this helps