Wireless EAP-TLS and tears
-
I've recently added a Cisco 2504 controller and 2 CAP3602i APs. I was excited when I learned that pfSense had a FreeRADIUS module because it would make the authentication piece easy, since we're already using pfSense for our firewall and users already have the certs installed from the pfSense cert manager for OpenVPN. I've followed all the guides available for configuring pfSense FreeRADIUS for EAP-TLS auth. I have a user created that matches the client cert, the cert and CA cert are installed on the Windows 7 client, the NAS/client is configured with a shared secret, the listening interface is configured on port 1812, and all other EAP settings are configured as documented. I cannot connect with a certificate. In the controller logs I get "-RADIUS_RESPONSE_FAILED: radius_db.c:472 RADIUS server 172.17.1.1:1812 failed to respond to request(ID 38) for STA 30:10:b3:99:a9:15 / user 'xxxx'". I'm kind of at a loss and the pfSense logs are so limited. Any assistance is appreciated.
-
If I do a packet capture on the wireless interface on pfSense I get the following:
06:49:11.984553 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:13.984971 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:15.989160 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:17.993348 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:19.997545 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:22.001740 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
Looks like the authentication requests to RADIUS arrive at pfSense with no reply.
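The capture above shows the pattern to look for: a NAS retransmitting the same Access-Request every two seconds to UDP/1812 and never receiving anything back. An outright silence (rather than an Access-Reject) means the server never processed the packet at all, which is what happens when the sender is not in the RADIUS client list (FreeRADIUS discards packets from unknown clients without replying) or a firewall in front of the server drops them. The following script is an added example, not part of the thread or of pfSense/FreeRADIUS; it parses tcpdump summary lines like the ones posted, pairs each request with a reply from the server's port, and lists the client addresses whose requests went unanswered. The sample capture is constructed: it reuses the six lines from the post plus a hypothetical answered exchange from a second client address for contrast.

```python
"""Find RADIUS requests that never got a reply in a tcpdump -nn summary.

Added example (not from the thread or any project). Input is the one-line-
per-packet format tcpdump prints for UDP without -v, for example:
    06:49:11.984553 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
"""
import re
from collections import defaultdict

RADIUS_AUTH_PORT = 1812

# tcpdump -nn UDP summary: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def parse_line(line):
    """Return a dict for one tcpdump UDP summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["length"]),
    }


def match_requests(lines, server_ip, port=RADIUS_AUTH_PORT):
    """Pair RADIUS requests with replies; returns (unanswered, answered).

    A request is any datagram to server_ip:port; a reply is a datagram from
    server_ip:port back to the same client address and source port. The summary
    line does not show the RADIUS identifier, so each reply is matched to the
    oldest outstanding request from the same client socket.
    """
    pending = defaultdict(list)   # (client_ip, client_port) -> outstanding requests
    answered = []                 # (request, reply) pairs
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"] == server_ip and pkt["dport"] == port:
            pending[(pkt["src"], pkt["sport"])].append(pkt)
        elif pkt["src"] == server_ip and pkt["sport"] == port:
            queue = pending.get((pkt["dst"], pkt["dport"]))
            if queue:
                answered.append((queue.pop(0), pkt))
    unanswered = [req for queue in pending.values() for req in queue]
    return unanswered, answered


def silent_clients(unanswered):
    """Map each client IP with unanswered requests to how many it sent.

    Complete silence from the server points at the packet never being accepted:
    the sender is missing from the RADIUS client (NAS) list, or a firewall rule
    on the listening interface is dropping UDP/1812 before it reaches the server.
    """
    counts = defaultdict(int)
    for req in unanswered:
        counts[req["src"]] += 1
    return dict(counts)


# Constructed sample: the six unanswered requests from the capture in the thread,
# plus a hypothetical answered exchange from a second client (172.17.1.3).
SAMPLE_CAPTURE = """\
06:49:11.984553 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:13.984971 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:15.989160 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:17.993348 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:19.997545 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:49:22.001740 IP 172.17.1.2.32768 > 172.17.1.1.1812: UDP, length 224
06:50:01.100000 IP 172.17.1.3.32770 > 172.17.1.1.1812: UDP, length 224
06:50:01.104000 IP 172.17.1.1.1812 > 172.17.1.3.32770: UDP, length 80
""".splitlines()


if __name__ == "__main__":
    unanswered, answered = match_requests(SAMPLE_CAPTURE, "172.17.1.1")
    print(f"{len(answered)} answered, {len(unanswered)} unanswered")
    for ip, n in silent_clients(unanswered).items():
        print(f"  {ip}: {n} request(s) with no reply; "
              "check its RADIUS client entry and the firewall rule for UDP/1812")
```

To use it on a live box, capture with `tcpdump -nn -i <wifi-interface> udp port 1812` and feed the output lines to `match_requests` with the server's own address. Note that the client IP reported here is the address the NAS actually sends from (the controller in a Cisco WLC setup, not the AP), which is exactly the value that has to appear in the RADIUS client list.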
-
I was able to find the problem; hopefully this helps someone else. First, I had the Client IP set to the AP IP and it should have been the controller IP. I found this issue by using packet capture on the pfSense. Second, I needed a firewall rule on the wifi interface to allow the controller to reach the firewall on port 1812. And lastly, I had a fat-finger mistake when typing in the CA cert info on the pfSense EAP tab.