Netgate Discussion Forum

    freeRadius and CRL (certification revocation list) not working - bug with spaces and underscores

    pfSense Packages
      newbie1975

      After setting up freeRadius with EAP-TLS (all certificate-based users), I also wanted to test whether revocation of a certificate would work and the wifi connection would be dropped for that specific end-user device.

      Somehow nothing happened after I put the certificate on the CRL. Even after restarting freeRadius and also disabling and enabling the wifi connection on the end-user device, this device could still connect to the wifi access point and browse the internet. There goes my whole goal of more granular wifi security per device 😢

      On the forum I see multiple issues with freeRadius and CRLs, some very old bugs, but also newer ones such as "All freeradius eap-tls authentications fail when an SSL revocation list is enabled":
      "On the old system I could enable the CRL without having any logon issues. Although, in that case I even people with revoked certs were still allowed on the network, even after I restarted freeradius as the instructions say, so now I'm having the opposite issue, where nobody can logon as long as any CRL exists."

      And also "FreeRADIUS 2 with EAP-TLS":
      "I found the issue. I had a space in my CRL name that was causing the issue. I re-created the CRL without a space and now I can successfully revoke client certs and they no longer have access. Probably should be sent on to pfsense development to throw an error when some silly user tries to create a CRL with a space in the name. ;D ;D ;D"

      My CRL was named something like: freeradius_certication_revocation_list
      Although there are no spaces in the name, only underscores, I tried changing the underscores to hyphens and renamed to: freeradius-certication-revocation-list.

      Now (after restarting the freeRadius service) the certificate list, without underscores, was working and the end-user device couldn't connect to the wifi access point anymore 😃

      Could anybody confirm this issue/bug?

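Added example, not part of the original post and not pfSense or freeRADIUS code: a check with plain OpenSSL of whether a CRL really revokes a given client certificate, which separates "the CRL is wrong" from "the RADIUS server is not reading the CRL". The names cert_status, crl_lab, lab.cnf and device1 are hypothetical, and the CA, certificate and CRL in the lab are constructed throwaway data.

```shell
# cert_status CA.pem CRL.pem CERT.pem  -> prints valid | revoked | error
cert_status() {
  out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) || true
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo valid ;;
    *) echo error ;;
  esac
}
# Constructed lab: checks one device certificate before and after revocation.
crl_lab() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" && mkdir certs && : > index.txt && echo 01 > serial || exit 1
    cat > lab.cnf <<'EOF'
[ca]
default_ca = lab
[lab]
database = index.txt
new_certs_dir = certs
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    q() { openssl "$@" >/dev/null 2>&1; }
    q req -x509 -config lab.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj "/CN=Lab CA" -days 30 &&
    q req -new -config lab.cnf -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr -subj "/CN=device1" &&
    q ca -batch -config lab.cnf -in dev.csr -out dev.pem &&
    q ca -config lab.cnf -gencrl -out crl.pem || exit 1
    before=$(cert_status ca.pem crl.pem dev.pem)   # CRL is still empty here
    q ca -config lab.cnf -revoke dev.pem &&
    q ca -config lab.cnf -gencrl -out crl.pem || exit 1
    echo "$before $(cert_status ca.pem crl.pem dev.pem)"
  )
  rc=$?; rm -rf "$d"; return "$rc"
}
```

On a real setup, cert_status can be pointed at the exported CA certificate, the exported CRL and the device certificate. If it prints revoked while the device still authenticates, the CRL content is fine and the problem lies in how the RADIUS server loads it.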
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.