Confused: RADIUS server certs

  • Howdy folks!

    I'm going on like three weeks of banging my head against a non-functional road warrior config. I think it might be a certificate issue and could use some help untangling this mess...

    My RADIUS server is FreeRADIUS v2, running on my macOS server.
    My RADIUS server uses a commercial TLS certificate from a commercial provider.

    This works fine for wifi.

    On pfSense, I have my mobile P1 certificates configured as:
    CA: pfsense-CA
    server cert: fqdn.mydomain.com with the appropriate SAN, IP and DNS attributes per the wiki
    client cert: also created per the wiki.

    I can see the auth request hit my RADIUS server and the server returns successfully. But the error in PF is that there's no MSK in the auth. I suspect this is because pfSense or my client isn't able to decipher what's coming back from my RADIUS server... could that be right? It's coming back encrypted using the commercial TLS cert, but for some reason that cert isn't trusted?

    I tried adding that cert and key and CA to both PF and my client. No dice there...

    I'm totally confused and could use some brain help here - anyone have a backend EAP server working successfully?
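The "no MSK" complaint comes from the EAP-RADIUS side of the IPsec daemon on pfSense (strongSwan), which builds the EAP MSK from two Microsoft vendor-specific attributes in the RADIUS Access-Accept: MS-MPPE-Recv-Key followed by MS-MPPE-Send-Key (RFC 2548 encoding, RFC 5216 key layout). A quick way to see whether the RADIUS server is actually sending them, independent of any certificate question, is to take the Access-Request authenticator and the Access-Accept bytes out of a packet capture and decode them with the shared secret. The script below does that. It is an added example, not code from the original post or from pfSense, strongSwan or FreeRADIUS; the shared secret, request authenticator and key values are constructed here so it runs offline, and `sample_good` / `sample_no_keys` are hypothetical packets built by the script itself.

```python
"""Decode a RADIUS Access-Accept and report whether it carries the
MS-MPPE-Recv-Key / MS-MPPE-Send-Key material an EAP-RADIUS NAS needs
to form the MSK.  Added example; packet bytes below are constructed."""
import hashlib
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_EAP_MESSAGE = 79
ATTR_VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311          # Microsoft vendor id, RFC 2548
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def mppe_encrypt(secret: bytes, req_auth: bytes, salt: bytes, key: bytes) -> bytes:
    """RFC 2548 2.4.2: Salt || C, where P = len(key) || key || zero padding to 16n,
    b(1) = MD5(S || R || Salt), c(i) = p(i) XOR b(i), b(i+1) = MD5(S || c(i))."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = bytearray(), req_auth + salt
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], block))
        out += c
        prev = c
    return salt + bytes(out)


def mppe_decrypt(secret: bytes, req_auth: bytes, value: bytes) -> bytes:
    """Inverse of mppe_encrypt. A wrong shared secret yields garbage; the
    length-byte sanity check catches most of those cases, not all."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("MPPE ciphertext must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), req_auth + salt
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    klen = plain[0]
    if klen == 0 or klen > len(plain) - 1:
        raise ValueError("implausible key length byte (wrong shared secret?)")
    return bytes(plain[1:1 + klen])


def ms_vsa(vendor_type: int, value: bytes) -> bytes:
    """Value of a Vendor-Specific attribute: Vendor-Id || vtype || vlen || value."""
    return struct.pack("!IBB", MS_VENDOR_ID, vendor_type, 2 + len(value)) + value


def build_access_accept(secret: bytes, req_auth: bytes, ident: int, attrs) -> bytes:
    """Response Authenticator = MD5(Code||ID||Length||RequestAuth||Attrs||Secret)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def parse_attrs(packet: bytes):
    attrs, pos = [], 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def msk_from_access_accept(secret: bytes, req_auth: bytes, packet: bytes):
    """Return (msk, reason). msk is Recv-Key || Send-Key (the strongSwan layout),
    or None when the packet is not a verifiable Access-Accept carrying both keys."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_ACCEPT or length != len(packet):
        return None, "not a well-formed Access-Accept"
    expect = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if expect != packet[4:20]:
        return None, "Response Authenticator mismatch (wrong shared secret or request authenticator)"
    keys = {}
    for t, v in parse_attrs(packet):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
        if vendor == MS_VENDOR_ID and vtype in (MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY):
            keys[vtype] = mppe_decrypt(secret, req_auth, v[6:6 + vlen - 2])
    missing = [name for name, vt in (("MS-MPPE-Recv-Key", MS_MPPE_RECV_KEY),
                                     ("MS-MPPE-Send-Key", MS_MPPE_SEND_KEY)) if vt not in keys]
    if missing:
        return None, "Access-Accept carries no " + " / ".join(missing)
    return keys[MS_MPPE_RECV_KEY] + keys[MS_MPPE_SEND_KEY], "ok"


# Constructed inputs (hypothetical): in practice take REQ_AUTH from the captured
# Access-Request and the packet bytes from the captured Access-Accept.
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))
RECV_KEY, SEND_KEY = bytes([0x11] * 32), bytes([0x22] * 32)
EAP_SUCCESS = b"\x03\x01\x00\x04"          # EAP-Message: Success, id 1


def sample_good() -> bytes:
    return build_access_accept(SECRET, REQ_AUTH, 7, [
        (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_MPPE_RECV_KEY, mppe_encrypt(SECRET, REQ_AUTH, b"\x80\x01", RECV_KEY))),
        (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_MPPE_SEND_KEY, mppe_encrypt(SECRET, REQ_AUTH, b"\x80\x02", SEND_KEY))),
        (ATTR_EAP_MESSAGE, EAP_SUCCESS)])


def sample_no_keys() -> bytes:
    """An Access-Accept that says 'success' but carries no MPPE keys at all."""
    return build_access_accept(SECRET, REQ_AUTH, 8, [(ATTR_EAP_MESSAGE, EAP_SUCCESS)])


if __name__ == "__main__":
    for label, pkt in (("with keys", sample_good()), ("without keys", sample_no_keys())):
        msk, why = msk_from_access_accept(SECRET, REQ_AUTH, pkt)
        print(label, "->", why, "" if msk is None else "(MSK %d bytes)" % len(msk))
```

If the accept decodes to "ok" the MSK material is there and the problem is elsewhere; "carries no MS-MPPE-..." means the server completed the exchange without producing key material, which is what the NAS-side error reports. A Response Authenticator mismatch points at the shared secret or at pairing the accept with the wrong request, and has to be fixed before the key decode means anything.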