freeRadius / Unifi AP / EAP-TTLS ?
-
@furom guess its time I update all my stuff as well - create like certname that matches my iphone13.. And get my wifes new phone and new ipad - and my cheap android tablet all using eap-tls.
-
@johnpoz Got stuck on some extraction password for the p12 cert, but found an old post from you (2017) where you said to add a password wi openssl, so will try that now...
link textAlso got a firmware update for the well over 10 yr old tablet... I will verify with the vendor before applying that at least... Seems more than unlikely they should update so many years after eol... lol
-
@furom ok... I created a new CA for my freerad server cert.. So using new ECDSA for both CA and Cert... Created new user cert from for my phone off new CA.. And all connected without any issues.
Since iphone will not install a new profile without a password.. And something to do with iphone and openssl version 3 I think I had to add the -legacy flag in my command to create the .p12 to load on my phone
openssl pkcs12 -legacy -export -certfile NewFreeRad-CA.crt -in JohnsIphone.crt -inkey JohnsIphone.key -out johnsiphone.p12
So I download the new CA cert, and my new user cert and key... Joined them up into a p12 with password "test" and imported just fine into my iphone.
-
@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:
@furom ok... I created a new CA for my freerad server cert.. So using new ECDSA for both CA and Cert... Created new user cert from for my phone off new CA.. And all connected without any issues.
Since iphone will not install a new profile without a password.. And something to do with iphone and openssl version 3 I think I had to add the -legacy flag in my command to create the .p12 to load on my phone
openssl pkcs12 -legacy -export -certfile NewFreeRad-CA.crt -in JohnsIphone.crt -inkey JohnsIphone.key -out johnsiphone.p12
So I download the new CA cert, and my new user cert and key... Joined them up into a p12 with password "test" and imported just fine into my iphone.
Nice, I am about to test, but unfortunately did the RSA, so will redo if working, but at least things are lighting up a bit! Thanks for all your patience!
-
@furom also - keep in mind unlike browsers there isn't any issue with making this stuff good for long time. I set 10 years on my CA and certs ;)
Got my ssid changed to something a bit better than eaptest, and phone connecting to it without any problems. Now just to create certs and my other trusted devices...
-
@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:
@furom also - keep in mind unlike browsers there isn't any issue with making this stuff good for long time. I set 10 years on my CA and certs ;)
Got my ssid changed to something a bit better than eaptest, and phone connecting to it without any problems. Now just to create certs and my other trusted devices...
So true. But something very strange just happened... Network just died and my client were offline. Unifi server died too.. So had to restart and got some weird websocket error, then Unifi didn't load, showed 404 for a while, but then came too... :/ Seems to work now, but don't like when it just locks up for no apparent reason...
-
@furom Weird. Shouldn't I get a password prompt too? I installed CA and the tablet cert I made... says password may be wrong so still something funny here... But at least it responds, so there is hope :)
-
@furom said in freeRadius / Unifi AP / EAP-TTLS ?:
Shouldn't I get a password prompt too?
For why? But yeah you can add that if you want.. I think its completely pointless in such an auth setup... Your sending a cert signed by your own CA.. And this cert is only installed on your trusted devices.. Why would you want to have to put in a password as well?
How would anyone get these certs? How would they create their own cert that also matches up with a freerad user you created..
-
@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:
@furom said in freeRadius / Unifi AP / EAP-TTLS ?:
Shouldn't I get a password prompt too?
For why? But yeah you can add that if you want.. I think its completely pointless in such an auth setup... Your sending a cert signed by your own CA.. And this cert is only installed on your trusted devices.. Why would you want to have to put in a password as well?
How would anyone get these certs? How would they create their own cert that also matches up with a freerad user you created..
I don't want it surely, but as it says "Password may be incorrect"...? I'm googling this not, or trying... Found out my nice ISP just revoked my old IP and gave me a new one... Strange...
-
@furom where is it saying that - and what are you putting the certs on exactly.. I do have a android tablet, just haven't gotten around to connecting it to this eap-tls network yet..
-
@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:
@furom where is it saying that - and what are you putting the certs on exactly.. I do have a android tablet, just haven't gotten around to connecting it to this eap-tls network yet..
Correct, it is an old Android tablet running 7.1.1
I am using the "Install certificates" in "Advanced WLAN" menu. I then see them fine when connecting, or hm, trying -
@furom Found the issue. I made a mistake when creating the cert... So will redo it with ed25519 and hope it will go just a little better :)
-
@furom my android which is a lenovo P11 plus running Android 12 is bitching about connecting. It forces uses of a domain, I didn't setup a domain for these certs.. Guess going to have to redo for the android... maybe I will play with this this weekend.. But I only ever use this tablet for watching movies on the train to and from work.. So not going to put in much effort getting it to use eap-tls ;) I normally just connect it to my guest wifi anyway.
-
@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:
@furom my android which is a lenovo P11 plus running Android 12 is bitching about connecting. It forces uses of a domain, I didn't setup a domain for these certs.. Guess going to have to redo for the android... maybe I will play with this this weekend.. But I only ever use this tablet for watching movies on the train to and from work.. So not going to put in much effort getting it to use eap-tls ;) I normally just connect it to my guest wifi anyway.
Got it. I read somewhere that for Android 11/12 you also need the chain/intermediate cert now. I'm far from havit that issue, perhaps I should upgrade, but my use-case is probably worse than yours...which sounded reasonable :) I'll take a break as well. If I do get it to work I'll post what I did. I found the
radius.log
in /var/log/ useful, it spits out some info at least -
@furom do you have an iphone or ipad to test with.. Those work without any issue.. Also seems you can export the .p12 right from the cert manager - if using 23.01, or 23.05, not sure about CE versions. You can pick the encryption used, seems ios 16.5 will take the low setting, not the high or legacy setting.
-
@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:
@furom do you have an iphone or ipad to test with.. Those work without any issue.. Also seems you can export the .p12 right from the cert manager - if using 23.05, not sure about CE versions. You can pick the encryption used, seems ios 16.5 will take the low setting, not the high or legacy setting.
Unfortunately I only have this tablet... But I do export .p12, bit get no option to set anything on it.. Right now battling "ERROR: (29) eap_tls: ERROR: (TLS) Alert read:fatal:certificate unknown", not sure why I get that, but will keep trying. I set CN to my username, and Altenative to FQDN, but guess that made it barf... Will try to read more what it expect
-
@furom Ugh. I have to take a break for tonight... When I do what I find most logical, and selects the CA, it hides the user cert, so something is seriously not right. Will have another go tomorrow - it will work, it has before... :) Till then, have a good one!
-
@furom well got mine connected finally.. stupid case sensitive.. I setup a new cert for it using tablet.home.arpa, and had Tablet.home.arpa vs tablet.home.arpa
Now that everything exactly machines my tablet is connected..
Just use the cert manager to export the p12 using the high setting..
May 19 14:06:56 radiusd 84994 (15) Login OK: [tablet.home.arpa/<via Auth-Type = eap>] (from client uap-pro port 0 cli 9A-48-F6-57-CE-BB) 192.168.2.2 Auth-Type: eap
-
@johnpoz Nice job! I'm still not that lucky. I set bothe CN and Alt Name to FQDN, then export;
But for unknown reason my stupid tablet wants a password I don't know when installing the cert... I thought that was what I was setting in "Export Password", but isn't accepted. New try... Glad you succeeded after all the hassle!
Will try adding one with openssl this time -
@furom your lower version of android might not like high, try the low or legacy option.
You said your on 7 right - man that is pretty old, I thought my tablet was behind with 12.. heheh
btw: the security on getting this cert from your cert manager to your client should be good anyway - not like this is leaving your network, etc. make sure you use a dumb password that is impossible to mess up, its only need to install the certs on your tablet - ie just used "test"..