unknown CA when trying to authenticate

18 messages

unknown CA when trying to authenticate

Tyler Montney
Version 3.0.16, running on Ubuntu 18.04.

While running freeradius -X and trying to connect a user (Ubiquiti
controller), I see "eap_peap: ERROR: TLS Alert read:fatal:unknown CA".

/etc/freeradius/3.0/mods-enabled/eap has its tls-config tls-common section like:

private_key_file = /etc/freeradius/3.0/certs/letsencrypt/privkey.pem
certificate_file = /etc/freeradius/3.0/certs/letsencrypt/cert.pem
ca_file = /etc/ssl/certs/ca-certificates.crt

I copied my CA to /usr/local/share/ca-certificates/ and ran
dpkg-reconfigure ca-certificates. I then checked ca-certificates.crt and
confirmed my CA was appended to the bottom.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unknown CA when trying to authenticate

Alan DeKok-2
On Feb 21, 2021, at 10:57 PM, Tyler Montney <[hidden email]> wrote:
>
> Version 3.0.16, running on Ubuntu 18.04.
>
> While running freeradius -X and trying to connect a user (Ubiquiti
> controller), I see "eap_peap: ERROR: TLS Alert read:fatal:unknown CA".

  What is the user system running?  How does it authenticate?

> /etc/freeradius/3.0/mods-enabled/eap  has its tls-config tls-common section
> like
>
> private_key_file = /etc/freeradius/3.0/certs/letsencrypt/privkey.pem
> certificate_file = /etc/freeradius/3.0/certs/letsencrypt/cert.pem
> ca_file = /etc/ssl/certs/ca-certificates.crt

  That's good.

> My CA was copied to /usr/local/share/ca-certificates/ and ran
> dpkg-reconfigure ca-certificates. I then checked ca-certificates.crt and
> confirmed my CA was appended to the bottom.

  That's not.  You haven't described what you're using to authenticate.  Where does it get the certificates from?

  The certificate store you edited is used for web authentication, not WiFi.

  You need to read the documentation for your system to see how to get WiFi authentication working.  This isn't a FreeRADIUS issue.

  Alan DeKok.



Re: unknown CA when trying to authenticate

Tyler Montney
" What is the user system running?  How does it authenticate?"

Same OS as FreeRadius, running the Unifi Controller. The controller
authenticates wireless users through RADIUS. RADIUS uses LDAP as its user
database.

"Where does it get the certificates from?"

An internal "LetsEncrypt", step-ca.

"The certificate store you edited is used for web authentication, not WiFi."

Yes, but the EAP module is pointing to that store. I don't see how that's
related to web authentication. If I set the LDAP module's "require_cert" to
'demand' (rather than 'allow'), freeradius will refuse to start with a
similar error. It fails to connect over LDAPS.



Re: unknown CA when trying to authenticate

Alan DeKok-2
On Feb 22, 2021, at 10:46 AM, Tyler Montney <[hidden email]> wrote:
>
> " What is the user system running?  How does it authenticate?"
>
> Same OS as FreeRadius, running the Unifi Controller. The controller
> authenticates wireless users through RADIUS. RADIUS uses LDAP as its user
> database.

  That really isn't answering my question.

  Do the users have access to the shell on the Unifi controller?  Or are the users trying to gain network access via WiFi?

  If it's the second one, then again... what is the user system running?  How did you configure it?  

> "Where does it get the certificates from?"
>
> An internal "LetsEncrypt", step-ca.

  That is also not answering my question.  You configured the end-user system to use WiFi.  As part of that process, you either did (or didn't) configure names, EAP type, certificates, etc.

  So... did you do that?  If so, what did you do?

> "The certificate store you edited is used for web authentication, not WiFi."
>
> Yes, but the EAP module is pointing to that store. I don't see how that's
> related to web authentication.

  In most systems, the default certificate stores are different for Web and for EAP.  You do NOT want to use the same certificate store for both.

> If I set the LDAP module's "require_cert" to
> 'demand' (rather than 'allow'), freeradius will refuse to start with a
> similar error. It fails to connect over LDAPS.

  At this point, it's not at all clear what you're doing, or why.

  You aren't configuring FreeRADIUS using the normal process of putting the certs into raddb/certs.  You aren't following any of the available "how to" guides for configuring FreeRADIUS, or EAP, or WiFi.

  There is existing documentation which tells you how to configure WiFi.  Please follow it.

  And please also understand that *end user* systems are different than the Unifi controller, where you configure FreeRADIUS.  Those end-user systems also need to be configured correctly for EAP / WiFi.  It looks very much like you haven't done that.

  Alan DeKok.



Re: unknown CA when trying to authenticate

Tyler Montney
"That really isn't answering my question. Do the users have access to the
shell on the Unifi controller?  Or are the users trying to gain network
access via WiFi? If it's the second one, then again... what is the user
system running?  How did you configure it?"

For instance, a Windows client trying to connect to a WiFi network. It
tries to connect, is prompted for a username and password, then says "Can't
connect to this network". (Simultaneously, I have "freeradius -X" running,
where I see the CA error.)

"You configured the end-user system to use WiFi."

The only thing I have done on the end user system is import the root CA.

"There is existing documentation which tells you how to configure WiFi."

Please verify which documentation you're referring to, so that I know we're
on the same page.


Re: unknown CA when trying to authenticate

Carsten Schulze
Hi,

I have the same problem: with different devices there is no connection, and
all with the "unknown CA" error. I googled a little bit and found
"eapol_test", but the FreeRADIUS docs are outdated.

In short, maybe it might help.
----

# build eapol_test from the wpa_supplicant source tree
wget http://w1.fi/releases/wpa_supplicant-2.9.tar.gz
tar xzf wpa_supplicant-2.9.tar.gz && cd wpa_supplicant-2.9/wpa_supplicant
cp defconfig .config && echo 'CONFIG_EAPOL_TEST=y' >> .config
make eapol_test

cat ttls-eap-mschapv2.conf
#
#   eapol_test -c ttls-eap-mschapv2.conf -s testing123
#
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="UIDr"
        anonymous_identity="anonymous"
        password="PASSWORD"
        phase2="autheap=MSCHAPV2"

        #
        #  Uncomment the following to perform server certificate validation.
        ca_cert="/etc/freeradius/3.0/certs/ca-gen2.pem"
}

Run it:
./eapol_test -c ttls-eap-mschapv2.conf -s testing123

eapol_test log:
---cut
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

// FreeRADIUS log
Login OK: [UID] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)

I have no idea what the problem might be.

The CA cert chain contains "ROOT-CA" -> "Intermediate-CA" ->
"Local-CA"; is this correct? Do I need the complete chain on the device
(Android/Windows)?

Please let me know if you find out anything.

Regards
Carsten


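Carsten's question about the Root-CA -> Intermediate-CA -> Local-CA chain can be checked mechanically. The script below is an added example, not code from this thread or from FreeRADIUS: it reads issuer and subject straight out of the DER of every certificate in a PEM bundle (standard library only, no cryptography package) and walks from the server certificate up to a self-signed root, reporting the first issuer that is missing from the bundle. That missing link is exactly the situation a supplicant reports as "unknown CA": the chain it can build never reaches a trust anchor it holds. The four certificates embedded in the script are constructed, unsigned X.509 shells carrying the CA names from the thread plus a hypothetical server name; they exist only to exercise the walker. Point load_pem_bundle at real PEM files (for example the server certificate and the ca_file bundle from mods-enabled/eap) to check a real deployment.

```python
"""Walk a CA chain inside a PEM bundle, standard library only.

Added example; not from the thread or the FreeRADIUS project. Issuer and
subject are pulled straight from the DER; the walk stops at a self-signed
root or at the first issuer missing from the bundle ("unknown CA").
"""
import base64
import re

CN_OID = b"\x55\x04\x03"                      # 2.5.4.3 commonName
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlvs(buf):
    """Yield (tag, raw_tlv, content) for each DER TLV in buf (single-byte tags)."""
    pos = 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                    # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[start:start + n], "big")
            start += n
        end = start + length
        yield tag, buf[pos:end], buf[start:end]
        pos = end

def common_name(name_tlv):
    """CN of an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, _, rdn in _tlvs(next(_tlvs(name_tlv))[2]):
        for _, _, atv in _tlvs(rdn):
            oid, value = [c for _, _, c in _tlvs(atv)][:2]
            if oid == CN_OID:
                return value.decode("utf-8", "replace")   # assumes UTF8/PrintableString
    return "<no CN>"

def names_of(der):
    """Return (issuer_tlv, subject_tlv, subject_cn) of a DER certificate."""
    tbs = next(_tlvs(next(_tlvs(der))[2]))[2]             # Certificate -> tbsCertificate
    fields = list(_tlvs(tbs))
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serial, signatureAlgorithm, issuer, validity, subject, ...
    issuer, subject = fields[2][1], fields[4][1]
    return issuer, subject, common_name(subject)

def load_pem_bundle(text):
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def walk_chain(leaf_der, bundle_ders):
    """Return (CNs from the leaf upwards, status); status is 'complete',
    'loop', or 'missing issuer: <CN>' when the bundle lacks the next CA."""
    by_subject = {names_of(d)[1]: d for d in bundle_ders}
    chain, current, seen = [], leaf_der, set()
    while True:
        issuer, subject, cn = names_of(current)
        chain.append(cn)
        if issuer == subject:
            return chain, "complete"                      # self-signed root reached
        if subject in seen:
            return chain, "loop"
        seen.add(subject)
        current = by_subject.get(issuer)
        if current is None:
            return chain, "missing issuer: " + common_name(issuer)

# ---- constructed test data: unsigned X.509 shells, NOT real certificates ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn, serial):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"210101000000Z") + _der(0x17, b"310101000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg
           + _name(issuer_cn) + validity + _name(subject_cn)
           + _der(0x30, alg + _der(0x03, b"\x00")))         # empty SubjectPublicKeyInfo
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

ROOT = fake_cert("Root-CA", "Root-CA", 1)
INTER = fake_cert("Intermediate-CA", "Root-CA", 2)
LOCAL = fake_cert("Local-CA", "Intermediate-CA", 3)
SERVER = fake_cert("radius.example.net", "Local-CA", 4)     # hypothetical server name
FULL_BUNDLE = to_pem(LOCAL) + to_pem(INTER) + to_pem(ROOT)
SHORT_BUNDLE = to_pem(LOCAL) + to_pem(ROOT)                 # intermediate left out

if __name__ == "__main__":
    for label, bundle in (("full", FULL_BUNDLE), ("short", SHORT_BUNDLE)):
        print(label, walk_chain(SERVER, load_pem_bundle(bundle)))
```

Matching is done on the raw DER of the Name, which is how a verifier links a certificate to its issuer; a bundle with the intermediate left out stops at "missing issuer: Intermediate-CA", while the full bundle walks through to the self-signed Root-CA. Whichever side holds the trust anchor (the supplicant trusting Root-CA, or FreeRADIUS with ca_file) needs every link between that anchor and the certificate presented.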
Re: unknown CA when trying to authenticate

Alan DeKok-2
In reply to this post by Tyler Montney
On Feb 22, 2021, at 11:22 AM, Tyler Montney <[hidden email]> wrote:
> For instance, a Windows client trying to connect to a WiFi network. It
> tries to connect, is prompted for a username and password, then says "Can't
> connect to this network". (Simultaneously, I have "freeradius -X" running,
> where I see the CA error.)

  That is a much better description of the problem.

  The error is *not* coming from FreeRADIUS.  The Windows system is sending FreeRADIUS a TLS layer alert message, which says "I don't understand who you are".

  The solution is NOT to poke FreeRADIUS.  The solution is to fix the Windows system so that it knows about the RADIUS certificates.

> "You configured the end-user system to use WiFi."
>
> The only thing I have done on the end user system is import the root CA.

  Where?  How?

  As I said before, the CA stores are different for Web and EAP.  Are you sure that you're installing the certificate in the right place in Windows?

> "There is existing documentation which tells you how to configure WiFi."
>
> Please verify which documentation you're referring to, so that I know we're
> on the same page.

  This documentation is specific to Windows, and changes over time.  I'm sure Microsoft has documentation for their product...

  My web site has had detailed documentation on *generic* EAP testing for ~15+ years:  http://deployingradius.com

  It's pointed to from the FreeRADIUS documentation, wiki, etc.  That documentation walks you through the steps necessary to configure EAP, including testing.

  Or, there's "google".

https://www.google.com/search?q=How+do+I+install+a+WiFi+certificate+in+Windows+10%3F&rlz=1C5CHFA_enCA767CA767&oq=How+do+I+install+a+WiFi+certificate+in+Windows+10%3F&aqs=chrome..69i57j0i22i30j0i390.295j0j7&sourceid=chrome&ie=UTF-8

  Alan DeKok.



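What the log line actually says, as an added example that is not part of the thread or of FreeRADIUS: the server prints OpenSSL alerts as "TLS Alert <read|write>:<level>:<description>", where "read" means the alert arrived from the supplicant (the client rejected something FreeRADIUS sent, here the server certificate) and "write" means FreeRADIUS sent it (it rejected something the client sent, such as a client certificate in EAP-TLS). The script below triages alert lines from a -X transcript on that basis. The sample transcript lines are constructed, and the cause text in CAUSES is this example's own summary, not FreeRADIUS output.

```python
"""Triage "TLS Alert" lines from a freeradius -X transcript.

Added example; not part of the thread or the FreeRADIUS code base.
"read"  = the alert was received from the supplicant (client rejected us).
"write" = FreeRADIUS sent the alert (server rejected the client).
"""
import re

# Request number and a parenthesised "(TLS)" prefix are both optional.
ALERT_RE = re.compile(
    r"(?:\((\d+)\)\s+)?(\S+): ERROR: \(?TLS\)? Alert (read|write):(\w+):(.+?)\s*$"
)

# Likely meaning of common alerts, keyed by (direction, OpenSSL description).
# These summaries are the example's own, not FreeRADIUS output.
CAUSES = {
    ("read", "unknown CA"): "supplicant does not trust the CA that signed the "
        "server certificate: fix the client's EAP trust settings, not ca_file",
    ("read", "certificate unknown"): "supplicant rejected the server certificate "
        "for a reason other than the chain (name, usage or policy mismatch)",
    ("read", "certificate expired"): "server certificate is expired by the "
        "supplicant's clock: renew it, or check the client's time",
    ("write", "unknown CA"): "FreeRADIUS cannot chain the client certificate to "
        "ca_file/ca_path (EAP-TLS): install the client CA on the server",
    ("write", "bad certificate"): "FreeRADIUS rejected the client certificate "
        "(signature, constraints or revocation check failed)",
}

def classify(line):
    """Return a dict describing the alert on this log line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    req, module, direction, level, desc = m.groups()
    return {
        "request": req,
        "module": module,
        "level": level,
        "alert": desc,
        "sent_by": "supplicant" if direction == "read" else "server",
        "fix_on": "client" if direction == "read" else "server",
        "likely_cause": CAUSES.get((direction, desc), "see the OpenSSL alert description"),
    }

def triage(transcript):
    """Classify every alert line in a -X transcript, in order."""
    return [c for c in map(classify, transcript.splitlines()) if c]

# Constructed sample lines in the -X format: (request) module: message.
SAMPLE_LOG = """\
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(7) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"({hit['request']}) {hit['module']}: '{hit['alert']}' sent by "
              f"{hit['sent_by']}; fix on the {hit['fix_on']}: {hit['likely_cause']}")
```

Run against a saved -X transcript, the first thing to look at is the read/write word: a "read" alert cannot be fixed by editing the server's ca_file, because the server never got as far as checking anything; the supplicant ended the handshake.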
Re: unknown CA when trying to authenticate

Tyler Montney
I guess there was a bit more configuration to setting up radius on Windows
than I thought. Thanks to Windows 10, a lot of the old dialogs are
hidden/harder to get to.

When connecting, I am now seeing "mschap: WARNING: No ClearText-Password
configured. Cannot create NT-Password/LM-Password."


Re: unknown CA when trying to authenticate

Alan DeKok-2


> On Feb 22, 2021, at 1:34 PM, Tyler Montney <[hidden email]> wrote:
>
> I guess there was a bit more configuration to setting up radius on Windows
> than I thought. Thanks to Windows 10, a lot of the old dialogs are
> hidden/harder to get to.

  That's good.

> When connecting, I am now seeing "mschap: WARNING: No ClearText-Password
> configured. Cannot create NT-Password/LM-Password."

  I'm wondering why you're only giving the minimum possible description for everything you do.

  Where are the users stored?  What format is their passwords in?  What configuration changes did you make to the server?

  All of that is relevant.  Until you decide to start giving more information, this will be a slow and painful process for everyone.

  Alan DeKok.



Re: unknown CA when trying to authenticate

Tyler Montney
"I'm wondering why you're only giving the minimum possible description for
everything you do."

I was not aware that I was.

"Where are the users stored?"

A Samba server (integrated LDAP) running as a domain controller.

"What format is their passwords in?"

Not sure.

"What configuration changes did you make to the server"

https://pastebin.com/7kDPmL3p

"All of that is relevant.  Until you decide to start giving more
information, this will be a slow and painful process for everyone"

I apologize, I am not intentionally making this difficult. Each time I've
provided what I thought was relevant. Anything omitted is because I don't
know *what* is relevant, hence why I am here.


Re: unknown CA when trying to authenticate

Tyler Montney
In reply to this post by Alan DeKok-2
I've made the configuration changes outlined in "How to Install and
Configure Freeradius With Active Directory Allow Allow Specific Group of
Users to Authenticate in Debian 10" (stevedong.com)
<https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/#install-freeradius>,
starting at "Grant Permission" and ending at "Configure freeradius-ldap
Auth with AD", with testing with radtest. radtest -t mschap <user>
<password> localhost 0 testing123 fails ('The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)') but radtest <domain_account> <password> localhost 0
testing123 succeeds.


Re: unknown CA when trying to authenticate

Alan DeKok-2
In reply to this post by Tyler Montney
On Feb 22, 2021, at 3:00 PM, Tyler Montney <[hidden email]> wrote:
>
> "I'm wondering why you're only giving the minimum possible description for
> everything you do."
>
> I was not aware that I was.

  Did you give a *full* description of what you wanted to do, as requested in http://wiki.freeradius.org/list-help ?

  Or was it "I did stuff and it didn't work".

  We're not mind readers.  RADIUS servers can talk to LDAP, Active Directory, Samba, MySQL, Oracle, PostgreSQL, Redis, and the list goes on.  Unless you describe what you're doing, we don't know what you're doing.

> "Where are the users stored?"
>
> A Samba server (integrated LDAP) running as a domain controller.
>
> "What format is their passwords in?"
>
> Not sure.
>
> "What configuration changes did you make to the server"
>
> https://pastebin.com/7kDPmL3p

  I'm not going to read random diffs (or whatever that is).  You need to describe what you did using plain English.

  Right now, you're going "meh, I'm not going to describe things.  I'm just going to dump stuff on Alan, and ask him to figure it out".

  No, it doesn't work that way.

> "All of that is relevant.  Until you decide to start giving more
> information, this will be a slow and painful process for everyone"
>
> I apologize, I am not intentionally making this difficult. Each time I've
> provided what I thought was relevant. Anything omitted is because I don't
> know *what* is relevant, hence why I am here.

  ANYTHING you change is relevant.  It's really that simple.

  Alan DeKok.



Re: unknown CA when trying to authenticate

Alan DeKok-2
In reply to this post by Tyler Montney


> On Feb 22, 2021, at 5:11 PM, Tyler Montney <[hidden email]> wrote:
>
> I've made the configuration changes outlined How to Install and Configure
> Freeradius With Active Directory Allow Allow Specific Group of Users to
> Authenticate in Debian 10 - My Blog - For Fun (stevedong.com)
> <https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/#install-freeradius>

  Yeah... FreeRADIUS has a Wiki with AD instructions, and I have my deployingradius.com site with documentation on getting FR and AD to work.  But instead of using that, there's some random third-party web site.

> starting
> at "Grant Permission" and ending at "Configure freeradius-ldap Auth with
> AD" with testing with radtest. radtest -t mschap <user> <password>
> localhost 0 testing123 fails ('The attempted logon is invalid. This is
> either due to a bad username or authentication information. (0xc000006d)')
> but radtest <domain_accout> <password> localhost 0 testing123 succeeds.

  If only there was some kind of debug output you could read to figure out what the server was doing.  If only there was a ton of documentation which told you to use that debug output.

  I guess it's a mystery.

  You're making this difficult.  You're doing everything *other* than what the documentation says.  This is just not necessary.

  Alan DeKok.



Re: unknown CA when trying to authenticate

Tyler Montney
In reply to this post by Alan DeKok-2
 "Did you give a *full* description of what you wanted to do, as requested
in http://wiki.freeradius.org/list-help"

Truncated -X output, and no config initially. I got to the mailing list by
landing on https://freeradius.org/support/ from Google, then going to
http://lists.freeradius.org/mailman/listinfo/freeradius-users. I saw no
mention of this page. Someone should include this link to that page there.

"Or was it "I did stuff and it didn't work"."

I can't say it was that bad. I guess with the expertise disparity it looks
that way.

"We're not mind readers."

I never said this. My lack of details shouldn't imply that.

"I'm not going to read random diffs (or whatever that is).  You need to
describe what you did using plain English."

I tried that, and that didn't work. I've provided an exact output of every
command I've done, and now that's not acceptable. The pastebin isn't a
diff, it's my rough doc to recreate this if I need to in the future.

"Right now, you're going "meh, I'm not going to describe things.  I'm just
going to dump stuff on Alan, and ask him to figure it out"."

This is getting ridiculous. You could have said, "Please refer to X. Once
you've done that, we can proceed". Instead, you're focusing on being rude
and talking down to me.

If someone else here wants to help, I'll take it from them. Perhaps someone
else on here is a "mind reader". You're off the hook.


Re: unknown CA when trying to authenticate

Alan DeKok-2


> On Feb 22, 2021, at 6:36 PM, Tyler Montney <[hidden email]> wrote:
>
> "Did you give a *full* description of what you wanted to do, as requested
> in http://wiki.freeradius.org/list-help"
>
> Truncated -X output, and no config initially. I got to the mailing list by
> landing on https://freeradius.org/support/ from Google, then going to
> http://lists.freeradius.org/mailman/listinfo/freeradius-users. I saw no
> mention of this page. Someone should include this link to that page there.

  When you subscribe to the list, you get an email pointing you to that page.  It helps to read it.

  As for the rest of your message... you can give tons of detail to prove you did nothing wrong.  But when you want help, you give almost no information.  Most people would see the contradiction here.

> If someone else here wants to help, I'll take it from them. Perhaps someone
> else on here is a "mind reader". You're off the hook.

  Stop your personal attacks, or you will be unsubscribed from the list, and permanently banned.

  This is your only warning.

  Alan DeKok.


Re: unknown CA when trying to authenticate

Tyler Montney
Thank you for your time, I no longer need assistance. Consider this
resolved.

On Mon, Feb 22, 2021 at 5:55 PM Alan DeKok <[hidden email]>
wrote:

>
>
> > On Feb 22, 2021, at 6:36 PM, Tyler Montney <[hidden email]>
> wrote:
> >
> > "Did you give a *full* description of what you wanted to do, as requested
> > in http://wiki.freeradius.org/list-help"
> >
> > Truncated -X output, and no config initially. I got to the mailing list
> by
> > landing on https://freeradius.org/support/ from Google, then going to
> > http://lists.freeradius.org/mailman/listinfo/freeradius-users. I saw no
> > mention of this page. Someone should include this link to that page
> there.
>
>   When you subscribe to the list, you get an email pointing you to that
> page.  It helps to read it.
>
>   As for the rest of your message... you can give tons of detail to prove
> you did nothing wrong.  But when you want help, you give almost no
> information.  Most people would see the contradiction here.
>
> > If someone else here wants to help, I'll take it from them. Perhaps
> someone
> > else on here is a "mind reader". You're off the hook.
>
>   Stop your personal attacks, or you will be unsubscribed from the list,
> and permanently banned.
>
>   This is your only warning.
>
>   Alan DeKok.

Re: unknown CA when trying to authenticate

Carsten Schulze
Hi,

I got the same problem after a Debian upgrade from 9 to 10 and it was
not a client problem!

Our CA: Root-CA - Intermediate CA - CA

The solution for me

//in mods-enabled/eap
#ca_file = ${certdir}/ca-gen2.pem   <- Don't use this - put your CAs into certificate_file!
certificate_file = ${certdir}/radius1w.company.de.pem   <- Now: Certificate - CA - Inter-CA - RootCA

Restart. Works!

Maybe this might help as well:
http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/
https://networkradius.com/doc/3.0.10/raddb/tls/tls-config_tls-common.html



Cheers
Carsten

Am 23.02.2021 um 01:01 schrieb Tyler Montney:

> Thank you for your time, I no longer need assistance. Consider this
> resolved.
>
> On Mon, Feb 22, 2021 at 5:55 PM Alan DeKok <[hidden email]>
> wrote:
>
>>
>>> On Feb 22, 2021, at 6:36 PM, Tyler Montney <[hidden email]>
>> wrote:
>>> "Did you give a *full* description of what you wanted to do, as requested
>>> in http://wiki.freeradius.org/list-help"
>>>
>>> Truncated -X output, and no config initially. I got to the mailing list
>> by
>>> landing on https://freeradius.org/support/ from Google, then going to
>>> http://lists.freeradius.org/mailman/listinfo/freeradius-users. I saw no
>>> mention of this page. Someone should include this link to that page
>> there.
>>
>>    When you subscribe to the list, you get an email pointing you to that
>> page.  It helps to read it.
>>
>>    As for the rest of your message... you can give tons of detail to prove
>> you did nothing wrong.  But when you want help, you give almost no
>> information.  Most people would see the contradiction here.
>>
>>> If someone else here wants to help, I'll take it from them. Perhaps
>> someone
>>> else on here is a "mind reader". You're off the hook.
>>    Stop your personal attacks, or you will be unsubscribed from the list,
>> and permanently banned.
>>
>>    This is your only warning.
>>
>>    Alan DeKok.

Re: unknown CA when trying to authenticate

Alan DeKok-2
On Feb 24, 2021, at 3:00 AM, Carsten Schulze <[hidden email]> wrote:

>
> I got the same problem after a Debian upgrade from 9 to 10 and it was not a client problem!
>
> Our CA: Root-CA - Intermediate CA - CA
>
> The solution for me
>
> //in mods-enabled/eap
> #ca_file = ${certdir}/ca-gen2.pem <- Don't use this - put your CAs into certificate_file!
>  certificate_file = ${certdir}/radius1w.company.de.pem <-Now: Certificate - CA - Inter-CA - RootCA
>
> Restart. Works!

  OpenSSL sometimes changes how they do things internally, which means behavioural changes in TLS.  This is unfortunate.  We've had to add code to FreeRADIUS to tell OpenSSL "No, don't do what you want, do what we tell you to do".

  Generally, it's good to put all of the certificates into "certificate_file" as per the docs.  But it doesn't always work for everyone.

> Maybe this might help as well:
> http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/

  A good chunk of that is copied from my page, which is 10 years older.  And a lot isn't relevant.  But whatever.

  Alan DeKok.
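Carsten's fix and Alan's follow-up both come down to the order of certificates inside certificate_file: server certificate first, then the issuing CA, any intermediates, and the root. The following is an added example, not code from this thread or from the FreeRADIUS project: a dependency-free Python checker that reads a PEM bundle, pulls each certificate's subject and issuer straight out of the DER, and reports every entry that is not issued by the one after it. The fake_cert_pem helper builds constructed stand-in certificates (no keys, no signatures) purely for the demonstration; in practice, point check_chain_order at the real certificate_file.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def _tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end). Definite lengths only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names_from_der(der):
    """Return (subject, issuer) as raw DER Name encodings so they can be compared byte-for-byte."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    pos = _tlv(der, pos)[2]                 # serialNumber
    pos = _tlv(der, pos)[2]                 # signature AlgorithmIdentifier
    end = _tlv(der, pos)[2]
    issuer, pos = der[pos:end], end         # issuer Name
    pos = _tlv(der, pos)[2]                 # validity
    subject = der[pos:_tlv(der, pos)[2]]    # subject Name
    return subject, issuer

def check_chain_order(pem_text):
    """Return problems (empty list = server cert first, each entry issued by the next, self-signed root last)."""
    names = [names_from_der(d) for d in pem_to_der_list(pem_text)]
    if not names:
        return ["no PEM certificates found"]
    problems = [f"certificate {i} is not issued by certificate {i + 1}"
                for i in range(len(names) - 1) if names[i][1] != names[i + 1][0]]
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed: root CA missing or chain out of order")
    return problems

_der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths: enough for the stand-ins

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed stand-in certificate (hypothetical, no key or signature): only the fields read above are real."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs += name(issuer_cn) + _der(0x30, b"") + name(subject_cn)
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

A bundle written leaf, issuing CA, intermediate, root returns no problems; a bundle with the old ca_file contents pasted above the server certificate is flagged at the first position.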
