
    FreeRadius2 802.1x authentication setting

    • E
      esseebee last edited by

      Hello,

      I'm running v2.1.5, setting up WPA2-Enterprise using FreeRadius2.  During initial testing, all appears to be working swimmingly.  I've run across one user who seems to be able to authenticate with only his username/password, without receiving the certificate from pfSense.  I'm using the native CA, not FreeRadius.  Is there a setting somewhere that allows users to authenticate with FreeRadius without receiving the cert?

      Cheers

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        If you just want to use eap-tls, why are you even creating user accounts they could use?

        Just create the cert in the CA.  You don't need to create any users in freeradius for them to auth with.  Are you authing to ldap or something?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        • E
          esseebee last edited by

          I appreciate your response.  I looked into that, but I'm having issues with the pfSense native CA allowing me to export the p12 file.  I try and import it into my Mac and it requires a password.  After looking into the forums and Google, it appears this is a known issue.  The workaround of downloading all of the files individually did end up allowing me to import the CA, certs and key.  But, it still wouldn't authenticate.  I'm going to stick with PEAP w/ MSCHAPv2, although I'd prefer just EAP-TLS.  Don't have the time to invest in it, though.  Cheers.

          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            So yeah, ran into the same issue. Pretty simple workaround: just use openssl to put a password on it.

            So you're saying you can import the .key file without a password?  I will have to try that - but I agree it's a bit of a hassle.

            Did you import the server cert?  I have my iPhone 5s, my wife's 5c and my older iPad all using eap-tls to auth without any issues.

            Sep 13 07:56:26 radiusd[57374]: Login OK: [j-phone] (from client uapac port 0 cli AC-FD-EC-62-34-97) j-phone
            Sep 13 07:31:05 radiusd[57374]: Login OK: [k-iphone] (from client uap-ac-lr port 0 cli 80-00-6E-9D-EA-DE) k-iphone

            Here are two recent auths from the log for my phone and my wife's phone.

            What I ended up installing was the p12 you can export after putting a password on it and the actual server cert, and eap-tls is working great.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05
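
The OpenSSL workaround mentioned in the reply above, sketched as an added example that is not part of the original thread or the poster's own commands: it re-wraps a passwordless PKCS#12 with a password and checks the result. The function names, file names, `P12_PASS` variable and the throwaway CA/client certificate are all constructed for the demo.

```shell
#!/bin/sh
# Added example. Sample material is constructed; nothing comes from a real pfSense box.
# Assumes an openssl CLI on PATH. The new password is read from $P12_PASS
# (env: source) so it never shows up in the process list.

# Constructed stand-in for the pfSense export: throwaway CA + client cert,
# bundled as a PKCS#12 with an EMPTY password.
make_demo_p12() {  # $1 = work dir, writes $1/nopass.p12
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" \
        -certfile "$1/ca.crt" -out "$1/nopass.p12" -passout pass:
}

# Re-wrap a passwordless bundle with $P12_PASS. The key is unencrypted in the
# intermediate PEM, so keep that file private and remove it afterwards.
add_p12_password() {  # $1 = in.p12 (empty password), $2 = out.p12
    ( umask 077
      tmp=$(mktemp) || exit 1
      openssl pkcs12 -in "$1" -passin pass: -nodes -out "$tmp" 2>/dev/null &&
      openssl pkcs12 -export -in "$tmp" -out "$2" -passout env:P12_PASS
      rc=$?
      rm -f "$tmp"
      exit $rc )
}

# Succeeds only if the bundle's MAC verifies with the password in $2.
p12_opens_with() {  # $1 = file.p12, $2 = candidate password
    CANDIDATE=$2 openssl pkcs12 -in "$1" -passin env:CANDIDATE -noout 2>/dev/null
}

# Demo run on the constructed bundle.
work=$(mktemp -d) && make_demo_p12 "$work" || exit 1
P12_PASS='constructed-demo-pass'; export P12_PASS
add_p12_password "$work/nopass.p12" "$work/client.p12"
p12_opens_with "$work/client.p12" "$P12_PASS" && echo "opens with new password"
p12_opens_with "$work/client.p12" "" || echo "empty password now rejected"
rm -rf "$work"
```

Bundles written by OpenSSL 3.x use newer encryption by default; if an older macOS or iOS importer rejects the correct password, re-exporting with the `-legacy` option is the usual fix.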
