Netgate Discussion Forum
    FreeRadius CA Validation Broken 2.4.5

    pfSense Packages | 26 Posts 3 Posters 4.3k Views

    • johnpoz LAYER 8 Global Moderator

      @strangegopher said in FreeRadius CA Validation Broken 2.4.5:

      emailAddress=admin@mycompany.com

      Yeah, where did that come from? Is freerad doing that? pfSense? Just woke up, have not had time to test yet. Got to change my wireless to point to the new radius server, etc.

      edit: Ok, yeah, this seems to be something with the freerad package. It's pulling info that is not there:

      Oct 30 03:10:28 	radiusd 	28048 	tls: Certificate issuer (/CN=newfreerad) does not match specified value (/C=US/ST=Texas/L=Austin/O=My Company Ltd/emailAddress=admin@mycompany.com/CN=newfreerad)! 
      

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • strangegopher

        When I removed freeradius and then the CA and all the certs and re-installed it, it auto-generated a CA and server cert. Not 100% sure, but it looks a lot like the info in those default certs.

        • johnpoz LAYER 8 Global Moderator

          Yeah, I thought I had posted the default certs... It's in the config, posted above, but that info doesn't match what is in the default cert created either.

          [attachment: eapconf.png]

          Looking now to see if you can edit the conf manually, if that can be a workaround. The package needs to be adjusted to not check for stuff that is not being used.

          • johnpoz LAYER 8 Global Moderator

            Ok... If you edit the conf directly and restart freerad, it works.

            Oct 30 03:24:17 	radiusd 	6180 	(12) Login OK: [testiphone245] (from client uap-pro port 0 cli D0-C5-F3-1F-EB-FF) 192.168.2.2 
            

            [attachment: newconf.png]

            Going to need to file a bug report on the freerad package. Not sure who maintains that, but maybe @jimp can help.

            Thanks for bringing this up; it might have gone unnoticed. Prob not a lot of people setting up EAP-TLS ;) with new certs. I prob would have updated and still be using my certs and CA from before, which have all that info in there because it used to be required by the GUI. Since the certs are good for like 10 years, it could have gone a while before I changed them ;)

            edit: I wonder if that gets loaded in by default on package load, and just doesn't get overwritten when fields are left blank?

            • strangegopher

              I think that the values are hardcoded in. I tried entering an email and then removing the email, with the same results.

              Do you want me to make a bug report or do you want to do it?

              • johnpoz LAYER 8 Global Moderator

                There might already be a report of this? Have not had time to check yet. Also, it would be nice if @jimp could chime in with his thoughts on this. Not sure if he is the specific developer for the freerad package, but for sure his insight would be very useful.

                But sure, go for submitting a report; reference this thread for sure. I also want to take a look at the code for the freerad package. Might be able to spot where the problem is; that is always helpful in the report, etc.

                • jimp Rebel Alliance Developer Netgate

                  It isn't hardcoded, but it's trying to use fields that may not exist:

                  freeradius.inc:1258:		$vareapconfcheckcertissuer = "check_cert_issuer = " . '"' . "/C={$vareapconfcountry}/ST={$vareapconfstate}/L={$vareapconfcity}/O={$vareapconforganization}/emailAddress={$vareapconfemail}/CN={$vareapconfcommonname}" . '"';
                  

                  Shouldn't be too hard to fix, but does need an issue to track it in Redmine.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                    • strangegopher
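For reference, the shape of the fix jimp describes, as an added example that is not the pfSense package's own code: build the one-line issuer DN only from the EAP fields that are actually filled in (the field names and sample values below are constructed for this example), and compare it the way FreeRADIUS does, as an exact string against the certificate's issuer.

```python
# Added example, not pfSense/FreeRADIUS code. Mirrors the logic of the
# freeradius.inc line quoted above, but skips empty components so a CA
# with only a CN (as in the thread's log line) produces "/CN=newfreerad".

# Same component order as the one-line DN built in freeradius.inc.
DN_ORDER = ("C", "ST", "L", "O", "emailAddress", "CN")


def build_issuer_dn(fields):
    """Return the OpenSSL-style one-line DN for the non-empty fields only.

    The reported bug came from emitting every component whether or not the
    field was set, so the string never matched a CA that has just a CN.
    Values containing '/' would need escaping; not handled here.
    """
    parts = []
    for key in DN_ORDER:
        value = (fields.get(key) or "").strip()
        if value:
            parts.append("/%s=%s" % (key, value))
    return "".join(parts)


def build_check_cert_issuer(fields):
    """Render the eap.conf directive. Returns '' when no component is set,
    so the directive is left out instead of emitted with an empty value."""
    dn = build_issuer_dn(fields)
    if not dn:
        return ""
    return 'check_cert_issuer = "%s"' % dn


def issuer_matches(cert_issuer, configured_dn):
    """FreeRADIUS compares the certificate issuer one-line DN against
    check_cert_issuer as a plain string, so order and spelling must match
    exactly; a partial or reordered DN still fails the check."""
    return cert_issuer == configured_dn


if __name__ == "__main__":
    # Constructed sample: a CA created with only a CN, like "newfreerad".
    only_cn = {"C": "", "ST": "", "L": "", "O": "", "emailAddress": "",
               "CN": "newfreerad"}
    print(build_check_cert_issuer(only_cn))
    print(issuer_matches("/CN=newfreerad", build_issuer_dn(only_cn)))
```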

                    Issue created: https://redmine.pfsense.org/issues/9082

                      • jimp Rebel Alliance Developer Netgate

                      This should be much better now. Give it another try.

                        • strangegopher @jimp

                        @jimp thanks for the fix. It works now. 😃
