Setting up FreeRADIUS - WiFi (WPA2-Ent), OVPN, 2FA, etc



  • Hi folks,

    I've not touched FreeRadius for a very long time now (not since very early FR1 package), so been giving another try on a new setup.

    I have a WiFi stack (APs) that functions well, serving up WPA2-Personal, but I want to tie it to FreeRADIUS for a single Auth backend, introducing 2FA & VPN at a later stage.

    I've followed the guide & found this post that deals with some of the issues.

    For the most part I suspect I've crossed most of my t's, but I think I'm missing something simple & crucial.

    I've tried setting up a W7 client to connect to the WiFi AP & I'm seeing this in the syslog, pointing to a probable cert issue:

    
    Jun 19 20:21:16 radiusd[23127]: Login incorrect (TLS Alert read:fatal:unknown CA): [host/[REDACTED]-PC/<via auth-type="Accept">] (from client ap-lounge port 0 cli bc-[REDACTED]-c6)
    Jun 19 20:21:16 radiusd[23127]: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
    Jun 19 20:21:16 radiusd[23127]: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    Jun 19 20:21:16 radiusd[23127]: TLS_accept: failed in SSLv3 read client certificate A
    Jun 19 20:21:16 radiusd[23127]: TLS Alert read:fatal:unknown CA
    Jun 19 20:21:13 radiusd[23127]: Login incorrect (TLS Alert read:fatal:unknown CA): [host/[REDACTED]-PC/<via auth-type="Accept">] (from client ap-lounge port 0 cli bc-[REDACTED]-c6)
    Jun 19 20:21:13 radiusd[23127]: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
    Jun 19 20:21:13 radiusd[23127]: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    Jun 19 20:21:13 radiusd[23127]: TLS_accept: failed in SSLv3 read client certificate A
    Jun 19 20:21:13 radiusd[23127]: TLS Alert read:fatal:unknown CA
    

    I've generated new System Certs, created corresponding RADIUS users & exported what I think I should, but still…

    Could someone please provide information on setting this up or point me to a useful resource or guide that deals with this?

    Any help would be greatly appreciated
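As an added example (not from this thread or the FreeRADIUS project): a small POSIX shell check, run on the RADIUS host, that confirms the server certificate FreeRADIUS presents actually chains to the CA whose certificate you export to the Windows 7 clients, and that it carries the serverAuth EKU the Windows supplicant requires. A chain mismatch is exactly what makes the client abort the handshake with the "unknown CA" alert in the log above; the EKU is a separate Windows requirement. The file names ca.pem and server.pem are assumptions.

```shell
#!/bin/sh
# Added check, not part of the thread: does the FreeRADIUS server cert
# chain to the CA the Windows client will trust, and does it carry the
# "TLS Web Server Authentication" EKU Windows PEAP/EAP-TLS insists on?
# File names (ca.pem, server.pem) are assumptions.
set -u

# check_radius_cert CA_PEM SERVER_PEM
#   returns 0 when both checks pass, 1 on chain failure, 2 on missing EKU
check_radius_cert() {
    ca_pem=$1
    server_pem=$2

    # 1. Chain check: this is the failure behind "TLS Alert read:fatal:unknown CA".
    if ! openssl verify -CAfile "$ca_pem" "$server_pem" >/dev/null 2>&1; then
        echo "FAIL: $server_pem does not chain to $ca_pem (client would send 'unknown CA')" >&2
        return 1
    fi

    # 2. EKU check: Windows supplicants reject server certs without serverAuth.
    if ! openssl x509 -in "$server_pem" -noout -text 2>/dev/null \
            | grep -q "TLS Web Server Authentication"; then
        echo "FAIL: $server_pem lacks the serverAuth extended key usage" >&2
        return 2
    fi

    echo "OK: $server_pem chains to $ca_pem and has the serverAuth EKU"
    return 0
}

# Stand-alone usage: ./check_radius_cert.sh ca.pem server.pem
if [ $# -eq 2 ]; then
    check_radius_cert "$1" "$2"
fi
```

Run it against the CA certificate you plan to import into the Windows Trusted Root store, not just whatever CA FreeRADIUS was built with; the two drifting apart after a regenerate is the usual cause of this alert.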



  • The same problem is in
    https://forum.zentyal.org/index.php?topic=12550.0
    and the solution is to use SecureW2 (http://www.eduroam.ie/userdocs/win7-securew2-ttls.php).

    I have the same problem in Windows 7, but on Windows 8 it works OK. But I don't want to install any additional software to resolve this. My question is if someone knows how to configure freeRadius2 on pfSense, for not using TTLS but for the protocol which is used by default in Windows 7?



  • @mich32:

    The same problem…

    Thanks for that info!
    I was actually considering offloading the RADIUS function to a Zentyal box myself (something I'm experimenting with myself atm), & having the pfSense doing auth against it for stuff like oVPN, so thanks for the heads-up.
    (using DD-WRT AP's atm & maybe a few Ubiquiti's later on)

    The idea, from my else at least, is to allow them to keep using their W7P client environment (& iOS wireless), with a fully POSIX infrastructure back-end, but served in a presentable manner (i.e. just the right eye-candy).

    I'd be interested re any progress or insights to be shared here.

