Netgate Discussion Forum

    Confused: RADIUS server certs

    IPsec
      SpaceBass

      Howdy folks!

      I'm going on like three weeks of banging my head against a non-functional road warrior config. I think it might be a certificate issue and could use some help untangling this mess….

      My RADIUS server is FreeRADIUS running on my macOS server. It's FreeRADIUS v2.
      My RADIUS server uses a commercial TLS certificate from a commercial provider.

      This works fine for wifi.

      On pfSense, I have my mobile P1 certificates configured as:
      CA: pfsense-CA
      server cert: fqdn.mydomain.com with the appropriate SAN and IP and DNS attributes per the wiki
      client cert: also created per the wiki.

      I can see the auth request hit my RADIUS server and the server returns successfully. But the error in PF is that there's no MSK in the auth. I suspect this is because pfSense or my client isn't able to decipher what's coming back from my RADIUS server... could that be right? It's coming back encrypted using the commercial TLS cert but for some reason that cert isn't trusted?

      I tried adding that cert and key and CA to both PF and my client. No dice there...

      I'm totally confused and could use some brain help here - anyone have a backend EAP server working successfully?

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.