EAP-TLS authentication without Freeradius running? Or server certs installed?!

  • Hi all,

    In my test environment, I set up computer-based certificate authentication using EAP-TLS, so that any laptops we have use TLS to authenticate for wireless… I have a couple of WAPs set up to communicate with pfSense & the FreeRadius package. I followed the instructions at https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS successfully.

    The system is working - if the laptop has the CA.crt and the Client.p12 from the pfSense cert manager, then it's able to authenticate through the APs.

    I then nuked my pfSense install and installed pfSense on another physically different piece of hardware. BEFORE I could even import my saved certificates into the pfSense cert manager, even before I could install FreeRadius again on the new box, I noticed that my laptops were successfully connecting to my wireless!!!!!

    If I unplug my pfSense box, or shut it down, the laptops cannot authenticate (as I would expect). However - why are they able to connect to my new pfSense install when it has none of the certificates yet (including the server cert created in the install steps URL mentioned above) and doesn't even have Freeradius installed???


  • LAYER 8 Netgate

    More a question about your AP config than pfSense.

  • LAYER 8 Global Moderator

    Yeah sure they just didn't auth with different eap? Or do you disable everything else and only eap-tls.. Maybe your APs are caching the auth?

    But I agree, not sure how pfsense would be involved in this issue.. Like you said, certs are not installed, what does the log show - is freeradius up and running? If so maybe you authed with other eap..

  • I was also thinking some sort of caching was happening on the APs. FWIW they are 2 different types, one Cisco (fancy one) and one home-end D-Link router configured to be a simple AP.

    I would say it IS indeed caching, HOWEVER, if my pfSense box is offline, it doesn't authenticate. Or if I change the IP the APs are pointing to for RADIUS to something that isn't the pfSense box, it doesn't authenticate.

    Only TLS cert-based auth is enabled (on the WLAN config on the laptops).

  • LAYER 8 Global Moderator

    But you stated you're not even running freeradius… So how would it possibly auth?

  • @johnpoz:

    But you stated you're not even running freeradius… So how would it possibly auth?

    Exactly! I am super confused :o

    I tested and re-tested, even used some laptops that had never been part of the test… just added the CA.crt and client.p12 that were created in my old install of pfSense/Freeradius, and BOOM they connected to the WAPs.

    I just flattened the pfSense box again, this time formatting the drives before re-installing... I'll do some more testing and report back.

  • LAYER 8 Netgate

    If RADIUS isn't running, RADIUS isn't running and the APs are using some other criteria to allow access.

    Ultimately, the APs allow the association..

  • LAYER 8 Global Moderator

    ^ exactly!! If freeradius isn't up and running there is no way that is authing anything.. I would duplicate this with my setup, but currently not at home to be able to get on the wireless after disable of freerad.

    But as derelict mentions it's the AP that actually allows a client on or not. Freerad just says yea or nay, but it's the AP that takes that information and acts on it. If freerad is not running, then your APs are pointing to somewhere else or letting them on without getting an answer.. What AP are you using, do you have a controller running? Do they point to more than 1 freerad? Or other auth servers? Guess it could be possible to allow auth if no answer from the auth servers - but that wouldn't be a very secure setup.

    What this points to is a flaw in your original setup if you ask me.. You sure your wifi is just not open and your eap-tls was never actually working..

  • Exactly my concern! That the AP is allowing connectivity without waiting for a response from FreeRadius.

    I have 2 I'm using for testing, a Cisco AP1142 (white square) and a D-Link DIR-615 home router (with routing turned off, just using the wireless AP feature).

    The APs would only allow me on IF pfSense was running (even though Freeradius and certificates on pfSense were not installed).

    This time when I nuked the pfSense install, I also formatted the disk, ensuring a completely clean installation. So far the AP's have not allowed my laptop back on to the network.
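
One way to settle the question the thread keeps returning to (is anything actually answering RADIUS at the IP the APs point to?) is to probe that address directly. This is an added example, not code from any poster: the function names and sample values are hypothetical, and it assumes the server accepts RFC 5997 Status-Server and has the probing host configured as a RADIUS client with the same shared secret as the AP.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER = 12            # RFC 5997 request code
MSG_AUTH = bytes([80, 18])    # Message-Authenticator attribute header (type, length)

def build_status_server(secret, ident, request_auth):
    """Status-Server packet: 20-byte header plus Message-Authenticator."""
    header = struct.pack("!BBH", STATUS_SERVER, ident, 38) + request_auth
    # HMAC-MD5 is computed over the packet with the attribute value zeroed.
    mac = hmac.new(secret, header + MSG_AUTH + bytes(16), hashlib.md5).digest()
    return header + MSG_AUTH + mac

def reply_is_authentic(reply, secret, ident, request_auth):
    """Check the Response Authenticator, which requires the shared secret."""
    if len(reply) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, secret, port=1812, timeout=3.0):
    """Classify what sits behind host:port from a single Status-Server probe."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(build_status_server(secret, ident, request_auth))
        try:
            reply = s.recv(4096)
        except ConnectionRefusedError:
            return "closed"   # ICMP port unreachable: nothing is listening
        except socket.timeout:
            return "silent"   # filtered, unknown client/secret, or Status-Server off
    ok = reply_is_authentic(reply, secret, ident, request_auth)
    return "radius" if ok else "bogus"

if __name__ == "__main__":
    # Constructed sample values: use the RADIUS IP and secret configured on the AP.
    print(probe("192.0.2.1", b"constructed-secret"))
```

A result of "closed" or "silent" while clients still get onto the WLAN means the AP is admitting them on some basis other than a RADIUS Access-Accept from that address.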
