freeRadius / Unifi AP / EAP-TTLS ?

furom

@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:

@furom do you have an iphone or ipad to test with.. Those work without any issue.. Also seems you can export the .p12 right from the cert manager - if using 23.05, not sure about CE versions. You can pick the encryption used, seems ios 16.5 will take the low setting, not the high or legacy setting.

Unfortunately I only have this tablet... But I do export .p12, bit get no option to set anything on it.. Right now battling "ERROR: (29) eap_tls: ERROR: (TLS) Alert read:fatal:certificate unknown", not sure why I get that, but will keep trying. I set CN to my username, and Altenative to FQDN, but guess that made it barf... Will try to read more what it expect

furom

@furom Ugh. I have to take a break for tonight... When I do what I find most logical, and selects the CA, it hides the user cert, so something is seriously not right. Will have another go tomorrow - it will work, it has before... :) Till then, have a good one!

johnpoz

@furom well got mine connected finally.. stupid case sensitive.. I setup a new cert for it using tablet.home.arpa, and had Tablet.home.arpa vs tablet.home.arpa

Now that everything exactly machines my tablet is connected..

Just use the cert manager to export the p12 using the high setting..

May 19 14:06:56 	radiusd 	84994 	(15) Login OK: [tablet.home.arpa/<via Auth-Type = eap>] (from client uap-pro port 0 cli 9A-48-F6-57-CE-BB) 192.168.2.2 Auth-Type: eap 

furom

@johnpoz Nice job! I'm still not that lucky. I set bothe CN and Alt Name to FQDN, then export;
But for unknown reason my stupid tablet wants a password I don't know when installing the cert... I thought that was what I was setting in "Export Password", but isn't accepted. New try... Glad you succeeded after all the hassle!
Will try adding one with openssl this time

johnpoz

@furom your lower version of android might not like high, try the low or legacy option.

You said your on 7 right - man that is pretty old, I thought my tablet was behind with 12.. heheh

btw: the security on getting this cert from your cert manager to your client should be good anyway - not like this is leaving your network, etc. make sure you use a dumb password that is impossible to mess up, its only need to install the certs on your tablet - ie just used "test"..

furom

@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:

@furom your lower version of android might not like high, try the low or legacy option.

You said your on 7 right - man that is pretty old, I thought my tablet was behind with 12.. heheh

btw: the security on getting this cert from your cert manager to your client should be good anyway - not like this is leaving your network, etc. make sure you use a dumb password that is impossible to mess up, its only need to install the certs on your tablet - ie just used "test"..

Yeah, I have thought of getting a new one but as this works (kind of), it feels dumb to do, but may have to soon. "The computer race" is something I have never tried to win, it is not possible with new models every 15 minutes...
Made a new try, this time adding pw with openssl, and now it installs, but still "certificate unknown"... So I probably mess up the fields when creating it still...
I did

• ed25519
• Common Name: tablet.domain.local
• Cert Type: User Certificate
• Alt Names: tablet.domain.local

which should be the minimum required, right?

Just struck me, the CA maybe is warped... did I forget something with that maybe, will figure...

furom

@furom Something is very wrong with my tablet... It forgets the certs I install... Sometimes I can't see what I just installed... So perhaps an issue with the tablet itself more than the certs... Add to that, the strange firmware that just appeared for it too :/
It is old, but did work before, so should again. I will reinstall Android on it and see if that may help. If not, it may be time to get a new one

or... could it be it can't handle ed25519 certs... hm. will try rsa once more...

furom

@furom Unreal... You have been most helpful John, and still this fails to authenticate. I will put this to rest for now, it is not that important. Should be more fun than anything. If I ever manage to make it work again I will document every part down to the letter (thought I had that but no), but that is for a rainy day I suppose.

johnpoz

@furom do you not have something else to test with, iphone, ipad, windows machine?

furom

@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:

@furom do you not have something else to test with, iphone, ipad, windows machine?

I may have an old windows laptop still around, it's should be Win10 I think, will see if I can find it, but now when I think of it, a VM with Ubuntu should do just as good, or would Windows have any advantages here?

johnpoz

@furom A vm that has access to your wireless should be able to work as well.

Don't you have phone - that is running newer version of android maybe?

furom

@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:

@furom A vm that has access to your wireless should be able to work as well.

Well, I was thinking of wired 802.1X, that would still test the certs, right? But true, I've never really heard of a true wireless VM, probably not the easiest route...

Don't you have phone - that is running newer version of android maybe?

That I can configure, no

I'm still uncertain if I'm actually creating the certs to contain the correct stuff or not. I have read too much, tried way too many different configs. There aren't that many fields to fill, but plenty to create mistakes with stil.

I have the devices ("tablet")/("windows"), a domain ("domain.local") and a user ("raduser").

1. Common Name (CN): tablet.domain.local
2. Country Code: <code>
3. Alternative Names: tablet.domain.local

Would this seem to be correct?

Then in the connecting end, on the device;

• ca cert
• client cert
• domain: domain.local
• identity: unsure of this one, think it should be 'tablet.domain.local'?

johnpoz

@furom yes you have to have identity set and it has to exactly match your freeraduser.

furom

@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:

@furom yes you have to have identity set and it has to exactly match your freebsd user.

Thanks. I thought I'd tried that already, but will do it again. It may of course well be something else blocking, but at least I then know the certs are correct, that's one down... :) I'll install it and test connecting with windows. Hoping for some good luck :)

johnpoz

@furom yeah some little mistake can cause it not to work, ie had Tablet.home.arpa as user and was putting in tablet.home.arpa as my identity ;)

It really shouldn't have to be case sensitive.. So that was really odd, but as soon as I made the case match it worked.

furom

@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:

@furom yeah some little mistake can cause it not to work, ie had Tablet.home.arpa as user and was putting in tablet.home.arpa as my identity ;)

It really shouldn't have to be case sensitive.. So that was really odd, but as soon as I made the case match it worked.

OMG... I just may have got it I think. Not tried it yet, but from your picture... The "user" I never got what it was used for... It's actually the devices.... the missing link I hope. :)

furom

@furom Never been as close... Radius auth now passes,

but my stupid tablet now refuse the IP I want to serve it, so I have more digging to do, but this feels a lot better, thanks!

These are the rules for the wifi;

I don't see anything blocked, which makes me think this is on the Android side...

johnpoz

@furom why would it not take the IP it gets from dhcp? Why are you hiding it? Are you trying to hand it something that is not rfc1918? 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 ?

What do you see in the dhcp log?

furom

@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:

@furom why would it not take the IP it gets from dhcp? Why are you hiding it? Are you trying to hand it something that is not rfc1918? 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 ?

What do you see in the dhcp log?

On pfSense, the /var/log/dhcpd.log shows no trace at all from having even tried giving out an IP... :/ Other clients, but nothing for the wifi net... I'm checking the Unifi part as well, but that I have notes from the old setup, so less insecure of those...

johnpoz

@furom if your not seeing anything come in for dhcp.. Then that would point to something wrong with your wifi setup.. Its not tagging the ssid vlan correctly, or your switch setup isn't right for the vlan..

Wifi just puts the traffic on the L2 - pfsense would see it.. Your not running maybe dhcp snooping/guarding on your unifi?