    FreeRadius2 802.1x authentication setting

    • E
      esseebee last edited by

      Hello,

      I'm running v2.1.5, setting up WPA2-Enterprise using FreeRadius2.  During initial testing, all appears to be working swimmingly.  I've run across one user who seems to be able to authenticate with only his username/password and not receiving the certificate from pfSense.  I'm using the native CA, not FreeRadius.  Is there a setting somewhere that allows users to authenticate with FreeRadius without receiving the cert?

      Cheers

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        If you just want to use eap-tls, why are you even creating user accounts they could use?

        Just create the cert in the CA.  You don't need to create any users in freeradius for them to auth with.  Are you authing to ldap or something?

        • E
          esseebee last edited by

          I appreciate your response.  I looked into that, but I'm having issues with the pfSense native CA allowing me to export the p12 file.  I try and import it into my Mac and it requires a password.  After looking into the forums and Google, it appears this is a known issue.  The workaround of downloading all of the files individually did end up allowing me to import the CA, certs and key.  But, it still wouldn't authenticate.  I'm going to stick with PEAP w/ MSCHAPv2, although I'd prefer just EAP-TLS.  Don't have the time to invest in it, though.  Cheers.

          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            So yeah, ran into the same issue. Pretty simple workaround: just use openssl to put a password on it.

            So you're saying you can import the .key file without a password?  I will have to try that - but I agree it's a bit of a hassle.

            Did you import the server cert?  I have my iPhone 5s, my wife's 5c and my older iPad all using eap-tls to auth without any issues.

            Sep 13 07:56:26 radiusd[57374]: Login OK: [j-phone] (from client uapac port 0 cli AC-FD-EC-62-34-97) j-phone
            Sep 13 07:31:05 radiusd[57374]: Login OK: [k-iphone] (from client uap-ac-lr port 0 cli 80-00-6E-9D-EA-DE) k-iphone

            Here are two recent auths from the log for my phone and my wife's phone.

            What I ended up installing was the p12 you can export after putting a password on it and the actual server cert, and eap-tls is working great.
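
The openssl step mentioned in the thread, written out as an added example (not code posted by either participant and not part of pfSense): it builds a password-protected PKCS#12 bundle from the client certificate, key and CA certificate downloaded individually in PEM form. The function names, the file arguments, the "wifi-client" friendly name and the passphrase file are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. make_p12 and check_p12 are hypothetical helper names; the
# inputs are the PEM files exported one by one from the CA.

# make_p12 CLIENT_CERT CLIENT_KEY CA_CERT OUT_P12 PASSFILE
make_p12() {
    p_cert=$1; p_key=$2; p_ca=$3; p_out=$4; p_pass=$5

    # The Mac import in the thread asked for a password, so refuse an empty one.
    [ -s "$p_pass" ] || { echo "passphrase file is empty" >&2; return 1; }

    # Check early that the private key belongs to the client certificate by
    # comparing the public key derived from each.
    p_cert_pub=$(openssl x509 -in "$p_cert" -noout -pubkey) || return 1
    p_key_pub=$(openssl pkey -in "$p_key" -pubout) || return 1
    [ "$p_cert_pub" = "$p_key_pub" ] || {
        echo "private key does not match certificate" >&2; return 1; }

    # Read the passphrase from a file so it never shows up in the process
    # list, and create the bundle readable by the current user only.
    ( umask 077
      openssl pkcs12 -export -in "$p_cert" -inkey "$p_key" -certfile "$p_ca" \
          -name "wifi-client" -out "$p_out" -passout "file:$p_pass" )
}

# check_p12 P12 PASSFILE
# Succeeds only if the bundle opens with the passphrase and refuses an empty one.
check_p12() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout 2>/dev/null || return 1
    if openssl pkcs12 -in "$1" -passin pass: -noout 2>/dev/null; then
        return 1
    fi
    return 0
}
```

Call it as `make_p12 client.crt client.key ca.crt client.p12 passfile`, then run `check_p12 client.p12 passfile` before copying the bundle to the device.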
