FreeRadius2 802.1x authentication setting



  • Hello,

    I'm running v2.1.5, setting up WPA2-Enterprise using FreeRadius2. During initial testing, all appears to be working swimmingly. I've run across one user who seems to be able to authenticate with only his username/password, without receiving the certificate from pfSense. I'm using the native CA, not FreeRadius. Is there a setting somewhere that allows users to authenticate with FreeRadius without receiving the cert?

    Cheers


  • Rebel Alliance Global Moderator

    If you just want to use eap-tls, why are you even creating user accounts they could use?

    Just create the cert in the CA.  You don't need to create any users in freeradius for them to auth with.  Are you authing to ldap or something?



  • I appreciate your response. I looked into that, but I'm having issues with the pfSense native CA allowing me to export the p12 file. I try and import it into my Mac and it requires a password. After looking into the forums and Google, it appears this is a known issue. The workaround of downloading all of the files individually did end up allowing me to import the CA, certs and key. But, it still wouldn't authenticate. I'm going to stick with PEAP w/ MSCHAPv2, although I'd prefer just EAP-TLS. Don't have the time to invest in it, though. Cheers.


  • Rebel Alliance Global Moderator

    So yeah, ran into the same issue. Pretty simple workaround: just use openssl to put a password on it.

    So you're saying you can import the .key file without a password? I will have to try that, but I agree it's a bit of a hassle.

    Did you import the server cert? I have my iPhone 5s, my wife's 5c and my older iPad all using eap-tls to auth without any issues.

    Sep 13 07:56:26 radiusd[57374]: Login OK: [j-phone] (from client uapac port 0 cli AC-FD-EC-62-34-97) j-phone
    Sep 13 07:31:05 radiusd[57374]: Login OK: [k-iphone] (from client uap-ac-lr port 0 cli 80-00-6E-9D-EA-DE) k-iphone

    Here are two recent auths from the log for my phone and my wife's phone.

    What I ended up installing was the p12 you can export after putting a password on it and the actual server cert, and eap-tls is working great.
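The workaround discussed in the thread (using openssl to put a password on the exported bundle), written out as an added example that is not from any of the posters: it builds a password-protected PKCS#12 file from the certificate, key and CA downloaded individually, after checking that the key actually belongs to the certificate. All file names, the `wifi-client` friendly name and the throwaway test PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): wrap a client cert, key and CA that were
# downloaded individually from the pfSense Cert Manager into a
# password-protected PKCS#12 file. All file names here are assumptions.

# make_p12 <client.crt> <client.key> <ca.crt> <out.p12> <password-file>
make_p12() {
    local crt="$1" key="$2" ca="$3" out="$4" pwfile="$5" cert_pub key_pub
    # Refuse to bundle a private key that does not belong to the certificate.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate" >&2
        return 2
    fi
    # Reading the password from a file keeps it out of the process list
    # and the shell history.
    openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$ca" \
        -name "wifi-client" -out "$out" -passout "file:$pwfile"
}

# check_p12 <bundle.p12> <password-file>: succeeds only if the password opens it.
check_p12() {
    openssl pkcs12 -in "$1" -noout -passin "file:$2" >/dev/null 2>&1
}

# make_test_pki <dir>: constructed throwaway CA and client certificate, so the
# functions above can be exercised offline without touching real key material.
make_test_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-phone" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

# When run directly with five arguments, build the bundle.
if [ "$#" -eq 5 ]; then make_p12 "$@"; fi
```

If an older Apple importer still rejects the bundle's password, note that OpenSSL 3.x changed the default PKCS#12 encryption; its `pkcs12 -legacy` option selects the older algorithms.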