Pfsense -> Freeradius -> Access point (WPA2-Enterprise) -> Client



  • I want to set up a scheme for FREE Wi-Fi access through access points using WPA2-Enterprise encryption (802.11x). FreeRADIUS is configured on pfSense, and the access points use WPA2-Enterprise encryption. Clients should select the Wi-Fi network and connect with a username and password, without first installing a certificate on their devices (laptops). If I understand correctly, this kind of setup can work without pre-installing a certificate using the EAP-PEAP, EAP-TTLS and EAP-MSCHAP protocols. Android devices authenticate successfully and get Internet access. I haven't tested on Apple. On Windows (Windows 7 in my case), when trying to authenticate while connecting, the logs show this error:

    – radiusd[71184]: TLS Alert write:fatal:unknown CA

    – radiusd[71184]: TLS_accept: error in SSLv3 read client certificate A

    – radiusd[71184]: SSL: SSL_read failed in a system call (-1), TLS session fails.

    I've tried seemingly every option and still haven't found a solution.

    All of this is needed so that authorization happens at the Wi-Fi level, followed by access to the network.



  • http://serverfault.com/questions/265964/cannot-log-into-my-radius-protected-wireless-connection-heres-the-log-contents

    1 Answer

    The server is failing on the client certificate portion of authentication. Here's a how-to (http://freeradius.org/doc/EAPTLS.pdf) from FreeRADIUS on how to set up EAP-TLS, or alternatively you can set it to not require a client cert by setting it for a different EAP mechanism in eap.conf.

    Shane Madden

    Thank you! :) This seems to be what will solve my issue. –  Only Bolivian Here May 4 '11 at 0:31

    Also:

    https://forum.pfsense.org/index.php?topic=78684.0

    https://forum.pfsense.org/index.php?topic=60754.0

    https://sites.google.com/site/techbobbins/home/articles/freeradius-and-crls

    http://bruteforcer.ru/ustanovka-i-nastrojka-freeradius-server-v-pfsense/

    http://www.privacywonk.net/2010/10/security-how-to-wpa2-enterprise-on-your-home-network.php




  • Thanks, but it's not working yet.



  • Dear All,

    as it turns out, the CRL does not work, when using the pfsense cert manager in freeradius. For further details, please see https://forum.pfsense.org/index.php?topic=43675.msg432323#msg432323.

    Regards,

    Michael Schefczyk

    So it will only work by importing it on Windows. And in that case:

    https://forum.pfsense.org/index.php?topic=60754.0 :

    1.

    You have to create the CA and server cert on pfsense "Cert Manager" or you import it from somewhere else.
    After that go to:
    services -> freeradius -> EAP
    Select "Choose pfsense Cert Manager"
    empty the private key password - you do not need any
    select your CA
    select your SERVER cert
    click save

    Sometimes it could help to click a second time "Save".

    On Windows you must make sure that the client has enabled to verify the CA. This is not always the case and can be disabled.
    Take a look here. It shows you the "validate server certificate"
    http://i.technet.microsoft.com/dynimg/IC120658.gif

    2.

    You can try to go to

    /usr/local/etc/raddb/certs/
    and delete the certificates there.

    After that go back to the GUI, select your CA and server cert and click save and make sure it places the certificates in the path I posted above.
    If it does then it should be ok.

    With the GUI tab "View config" you can check eap.conf if it points to the correct certificates.

    Did you disable the weak EAP types? If you disabled them then please try to enable them and try again.

    From googling:
    Are you using an intermediate certificate ?

    3.

    Found the culprit.
    Apparently, I needed to have the User 'Password Encryption' set to Cleartext, instead of MD5.

    4.

    Fixed it.
    Apparently I have a lot to learn about certs.
    I needed to export the CA cert that is listed under the "CAs" tab in the Cert Manager.
    What I had done was to export the cert that I thought was the CA cert that I created and was listed under the "certificates" tab.
    Still don't know the how/why this fixed it, but I'd really like to understand this better!

    The person got it working in the end.
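    As an added check (not code from the thread, pfSense or FreeRADIUS), this POSIX shell script tells a CA certificate from the "CAs" tab apart from a server certificate from the "Certificates" tab, the mix-up described in item 4, and confirms that the server certificate chains to the CA the clients are asked to trust. It assumes the openssl command-line tool is installed; the certificate names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an exported PEM the way a Windows
# client with "validate server certificate" enabled does, to explain an
# "unknown CA" alert before touching the access point. Needs the openssl tool.

# is_ca_cert FILE -> 0 if FILE is self-issued and marked basicConstraints CA:TRUE,
# i.e. the certificate from the "CAs" tab that clients must trust; 1 otherwise.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# chains_to_ca SERVER_PEM CA_PEM -> 0 if the RADIUS server certificate verifies
# against the CA file handed to the clients.
chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# make_demo_certs DIR -> constructed CA plus a server certificate signed by it,
# standing in for what the pfSense Cert Manager produces (hypothetical names).
make_demo_certs() {
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo RADIUS CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -config "$d/demo.cnf" -subj "/CN=radius.example.test" \
    -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.pem" >/dev/null 2>&1
}

# report DIR -> prints, for each PEM, whether it is safe to hand out as "the CA".
report() {
  for f in ca.pem server.pem; do
    if is_ca_cert "$1/$f"; then echo "$f: CA certificate, import this one"
    else echo "$f: not a CA certificate, clients would report unknown CA"; fi
  done
}
```

    Run `is_ca_cert` on the file you actually exported from pfSense; if it fails, the Windows client has been given the server certificate instead of the CA and will keep reporting "unknown CA".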

