Freeradius: fresh install, reimport certificates, clients can't connect anymore



  • G'evening  :-[

    • OpenVPN crap (my other thread).
    • Did a complete fresh install of pfSense, with the USB stick. (Wasted 2 days, 2 full days, all together, of making notes of previous settings, taking screenshots, analyzing, and reinstalling pfSense and packages, and customizing settings everywhere).
    • Didn't import 'backups', because then you are likely to import the crap again.
    • Customized FreeRadius by hand (EAP-TLS) for wireless, carefully typing in the data from the screenshots I made just before the reinstall (when Radius was working), and triple checking.
    • Imported the certificates (well, 'importing' = copy/paste certificate values into the appropriate boxes in the Certificate Manager, it's not as if there is an 'import certificate' box where you can browse and select the previously exported certificates).
    • Clients can't connect anymore: 'there is a problem connecting, please check settings'.
    • The DHCP server doesn't even see DHCP requests from the wireless (yes, I a-zillion checked firewall rules and settings with the screenshots of the working system prior to the reinstall).
    • I have around 30 clients on the LAN. Freshly creating certificates and installing these on the Android/Apple stuff is a disaster.
    • Is there anything else I can do to make this work?

    Thank you in advance very, very, very much for any help  ;D

    ( :-* )



  • Hi,

    Have you verified that all the settings are exactly the same? Frankly there isn't enough information in your post to make any troubleshooting decision into what the issue might be. Frankly from the sounds of this your EAP-TLS Radius config is somehow incorrect, either this or the Access point Wireless network interface simply needs to be restarted (turn off the OPT interface for the wireless, turn it back on).

    And yes, the Wireless interface wouldn't see any DHCP requests from the Wireless interface because that kind of traffic is not allowed until EAPOL has completed any authentication parameters in order to allow the traffic to flow over the controlled connection.

    If after doing the above it still doesn't work I would highly advise to turn on Radius Logging (both successful and failed attempts) under the Freeradius configuration pages within the web interface, this will give you very valuable information with regard to any error messages that are found with the configuration. Freeradius is a fickle service at times, just read the error message, check to see if the service is running, restart the service and check the logs again.

    I bet you that this turns out to be a Freeradius error given that Freeradius has A LOT of configuration possibilities and variables that can go awry.

    Good luck.



  • Thanks for trying to help me  ;D

    Just wasted 3 hours of my life trying to get it to work. Was on the brink of a nervous breakdown, as reinstalling gives a huge pain in the butt when having to export certificates for use in Windows and Android, let alone, once you have these certificates exported, putting them on each gadget and laptop, and customizing these again.

    Logging was on but showed nothing at all. Radius test user (wiki) on 127.0.0.1 worked. Rebooted switches, WAPs, pfSense: nothing. Reinstalled FreeRadius: nothing.

    Then I discovered the obvious bug:

    This was the shared secret:

    ^4540lkkgkf_8(`!$,.;/"
    

    Replaced that with:

    1234
    

    And everything worked again…

    The weird thing is: that first shared secret was exactly the same as the one it was before I reinstalled pfSense; I meticulously made sure not to make any errors there.

    Thanks again for your kind help  ;D
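
An added example, not part of the original posts: a small audit for RADIUS shared secrets that flags both secrets quoted in this thread and generates a long alphanumeric replacement. The thread does not establish why the first secret failed; the `RISKY` character set and the `MIN_LENGTH` threshold are assumptions chosen for illustration.

```python
import secrets
import string

# Assumption: characters that quoting, escaping or variable expansion can alter
# when a secret passes through web forms, XML storage, shells or config files.
RISKY = set('"\'`\\$#{}<>&;| \t')
SAFE_ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 16  # assumed local policy, not a value from the thread


def risky_chars(secret):
    """Return risky characters in order of first appearance."""
    found = []
    for ch in secret:
        risky = ch in RISKY or not ch.isprintable() or ord(ch) > 126
        if risky and ch not in found:
            found.append(ch)
    return found


def audit(secret):
    """Return a list of findings; an empty list means the secret passes."""
    findings = []
    bad = risky_chars(secret)
    if bad:
        findings.append("risky characters: " + " ".join(bad))
    if len(secret) < MIN_LENGTH:
        findings.append(f"too short: {len(secret)} < {MIN_LENGTH}")
    return findings


def new_secret(length=32):
    """Random alphanumeric secret (about 5.95 bits per character)."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # The two secrets quoted in the thread above.
    for s in ('^4540lkkgkf_8(`!$,.;/"', "1234"):
        print(repr(s), "->", audit(s) or "ok")
    print("replacement:", new_secret())
```

The same value has to be entered on the RADIUS server and on every access point that uses it, so an alphanumeric secret also avoids differences in how each device's form handles punctuation.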

