FreeRadius EAP Settings Root and Server Certificate

Started by crissi, November 01, 2021, 10:45:15 AM

Oops, yes, sorry, it was not my intent to quote myself :)

Thanks for the Update! I will look into this over the weekend.
Cheers,
Crissi

Hello benyamin,

I have now changed the settings to TLS with Check TLS Common Name marked. Created the new fourth certificate with Common Name User / Device Name. Imported and trusted this cert on the client device, but I still get prompted when choosing the WPA Enterprise WiFi network.

Also tried with Common Name User and Device Name, and also without Check TLS Common Name; same result.

Thx!
Cheers,
Crissi

I presume your client device is your Mac. You will need to recreate a new WiFi profile to use EAP-TLS. IIRC (and it has been some time), I believe you import the client certificate into the profile rather than the store.

It's a bit weird that it prompted for credentials anyway. Maybe restart OPNsense...

I would observe the log at Services: FreeRADIUS: Log File straight after powering on to see if there are any errors on startup, and then again whilst trying to connect to see what is going on. Maybe post your log if you see errors or it doesn't work.

I also think it worthwhile to try a Windows client too. It's possible that Windows will not like the certificates that OPNsense creates, so you should probably check that now.

November 14, 2021, 12:21:26 PM #18 Last Edit: November 14, 2021, 12:24:43 PM by crissi
Creating a new WiFi profile on the Mac and choosing WPA2 Enterprise, I need to add user / password; I don't have the option there to somehow choose certificate / TLS.

Tried now also with a Windows 10 client to set this up: created a certificate for the Win client, exported all 4 certificates and imported and trusted the certs (local computer). Used this guide to then configure the WiFi connection:

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/905663/configuring-windows-10-wireless-profile-to-use-certificate

Trying to connect results in the error that a certificate is needed.

Checking the log in OPNsense gives me some errors:

2021-11-14T10:51:46       Auth: (6) Login incorrect (eap_tls: (TLS) OpenSSL says error 20 : unable to get local issuer certificate): [host/admin/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)   
2021-11-14T10:51:46       ERROR: (6) eap_tls: ERROR: (TLS) Server : Error in error   
2021-11-14T10:51:46       ERROR: (6) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA   
2021-11-14T10:51:46       ERROR: (6) eap_tls: ERROR: (TLS) OpenSSL says error 20 : unable to get local issuer certificate   
2021-11-14T10:35:48       Info: Ready to process requests   
2021-11-14T10:35:48       Info: Loaded virtual server check-eap-tls   
2021-11-14T10:35:48       Info: Loaded virtual server default   
2021-11-14T10:35:48       Info: Loaded virtual server inner-tunnel   
2021-11-14T10:35:48       Info: # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:330


Also updated OPNsense now to 21.7.5 and FreeRADIUS to 1.9.17.

Really don't know what I'm doing wrong here to get this working...

Thx!

Cheers,
Crissi

November 14, 2021, 01:01:42 PM #19 Last Edit: November 15, 2021, 03:48:47 PM by benyamin
They are certainly interesting errors in the log.

Just to confirm: when you go to connect the WiFi network, does it ask you to select the certificate?

The next page of the guide you referenced shows an example.

Also, which stores did you import the certificates into? It should be:

  • Root CA certificate (radius-ca) into the Local Computer: Trusted Root Certification Authorities store
  • Intermediate CA certificate (radius-intermediate-ca) into the Local Computer: Intermediate Certification Authorities store
  • Server Certificate (radius) should not need to be installed
  • User (Client) Certificate into the (Current) User: Personal store

EDIT: Fixed link

Thanks, I did not have the certificates correctly placed in the specific stores, so I placed them in the recommended stores now.

When I try to connect to the WiFi network I get asked to select a certificate, but the user (client) certificate is not available to select (even with the corrected stores now). Restarted the client PC several times, and configured the connection several times from scratch.

Cheers,
Crissi

November 16, 2021, 02:23:11 AM #21 Last Edit: November 16, 2021, 02:25:19 AM by benyamin
Ok, a couple of things to check further.

Firstly, make sure you imported the private key with the user certificate. Save the certificate from OPNsense in PKCS #12 (.p12) format. Then import that file. Presuming you didn't already import the private key, give it another try before proceeding.

In the Wireless Network Properties, under Settings at Choose a network authentication method (Microsoft: Smart Card or other certificate):

  • Choose Advanced and tick the Certificate Issuer checkbox. Scroll down to the list of Intermediate Certification Authorities and choose your CA (radius-intermediate-ca). Give that a try before proceeding.
  • Uncheck Use simple certificate selection (Recommended) and try again.
Like I mentioned earlier, it's possible that Windows clients will not accept certificates from the CAs on OPNsense as Microsoft's EAP implementations expect certain purposes in the certificate's Extended Key Usage (EKU) extensions. Hopefully, the above gets it working...

Thank you, I exported the user certificate with the private key in PKCS #12 (.p12) format as you mentioned and imported it to Current User – Personal certificates, and yes, now I'm able to select the user certificate when connecting to the WiFi.

But still the connection is not possible, and it results in these errors in the log:

2021-11-16T08:40:09       Auth: (13) Login incorrect (eap_tls: (TLS) OpenSSL says error 2 : unable to get issuer certificate): [testuser/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)   
2021-11-16T08:40:09       ERROR: (13) eap_tls: ERROR: (TLS) Server : Error in error   
2021-11-16T08:40:09       ERROR: (13) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA   
2021-11-16T08:40:09       ERROR: (13) eap_tls: ERROR: (TLS) OpenSSL says error 2 : unable to get issuer certificate   
2021-11-16T08:40:00       Auth: (6) Login incorrect (eap_tls: (TLS) OpenSSL says error 2 : unable to get issuer certificate): [testuser/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)   
2021-11-16T08:40:00       ERROR: (6) eap_tls: ERROR: (TLS) Server : Error in error   
2021-11-16T08:40:00       ERROR: (6) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA   
2021-11-16T08:40:00       ERROR: (6) eap_tls: ERROR: (TLS) OpenSSL says error 2 : unable to get issuer certificate

Then I went back to the FreeRADIUS – EAP – settings and changed, for testing, the root certificate from radius-intermediate-ca to radius-ca, tried again to connect, and the connection was established directly:

2021-11-16T08:43:33       Auth: (7) Login OK: [testuser] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)

Switched back to the radius-intermediate-ca and the connection stopped working.

As you mentioned previously, the Intermediate CA should be the one issuing certificates to the clients; why is the connection not working with the radius-intermediate-ca, but with the radius-ca?

PS: macOS can also establish the connection via EAP-TLS with radius-ca selected.
Cheers,
Crissi
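The two log extracts in this thread (error 20 on the first attempt, error 2 on the second, then the Login OK) are the kind of thing that ends up in a ticket queue without explanation. As an added example for readers of the thread, and not code from OPNsense, FreeRADIUS or either poster, here is a small Python triage script that parses the log format shown above, groups the eap_tls lines by request and translates each "OpenSSL says error N" into its X509 verify name and meaning. The sample input is the thread's own log lines; the code-to-name table is taken from OpenSSL's verify(1) documentation, and the grouping key (timestamp plus request number) is an assumption that holds for the logs quoted here.

```python
"""Triage helper for the eap_tls failures shown in this thread.

Added example, not code from OPNsense, FreeRADIUS or either poster. It parses
the OPNsense log view format used above (timestamp, level, optional
"(request-id)", message), groups lines by request and maps each "OpenSSL says
error N" to its X509 verify name, giving one readable line per attempt.
"""
import re
from dataclasses import dataclass, field

# X509 verify result codes, named as in OpenSSL's verify(1) documentation.
# 2 and 20 are the two codes seen in the thread.
VERIFY_ERRORS = {
    2: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
        "issuer of a chain certificate not found; the CA list given to the "
        "verifier is incomplete"),
    20: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
         "issuer of the presented certificate is not available locally; "
         "the peer's chain does not lead to a configured CA"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<level>Auth|ERROR|Info):\s+(?:\((?P<rid>\d+)\)\s+)?(?P<msg>.*?)\s*$")
IDENTITY_RE = re.compile(r"\[(?P<id>.*?)(?:/<via|\])")
CLIENT_RE = re.compile(r"from client (?P<client>\S+) port \d+ cli (?P<mac>\S+)\)")
CODE_RE = re.compile(r"OpenSSL says error (?P<code>\d+)")
ALERT_RE = re.compile(r"Alert write:fatal:(?P<alert>.+)")


@dataclass
class Request:
    ts: str
    rid: str
    identity: str = "?"
    client: str = "?"
    mac: str = "?"
    accepted: bool = False
    codes: set = field(default_factory=set)
    alerts: set = field(default_factory=set)


def parse_log(text):
    """Group lines by (timestamp, request number): FreeRADIUS reuses request
    numbers, and in the thread's logs all lines of one request share a timestamp."""
    requests = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["rid"] is None:
            continue  # blank lines and startup "Info:" lines have no request id
        req = requests.setdefault((m["ts"], m["rid"]), Request(m["ts"], m["rid"]))
        msg = m["msg"]
        if m["level"] == "Auth":
            req.accepted = msg.startswith("Login OK")
            if ident := IDENTITY_RE.search(msg):
                req.identity = ident["id"]
            if client := CLIENT_RE.search(msg):
                req.client, req.mac = client["client"], client["mac"]
        if code := CODE_RE.search(msg):
            req.codes.add(int(code["code"]))
        if alert := ALERT_RE.search(msg):
            req.alerts.add(alert["alert"].strip())
    return requests


def explain(code):
    name, meaning = VERIFY_ERRORS.get(code, (f"X509_V_ERR_{code}", "see verify(1)"))
    return f"error {code} ({name}): {meaning}"


def summarize(text):
    """One human-readable line per request, oldest first."""
    out = []
    for req in sorted(parse_log(text).values(), key=lambda r: (r.ts, int(r.rid))):
        who = f"{req.identity} via {req.client} ({req.mac})"
        if req.accepted:
            out.append(f"{req.ts} req {req.rid}: ACCEPT {who}")
            continue
        alert = f" [TLS alert: {', '.join(sorted(req.alerts))}]" if req.alerts else ""
        detail = "; ".join(explain(c) for c in sorted(req.codes)) or "no verify error"
        out.append(f"{req.ts} req {req.rid}: REJECT {who}{alert} {detail}")
    return out


# Sample input: log lines quoted in the thread (the MAC was already masked there).
SAMPLE_LOG = """
2021-11-14T10:51:46       Auth: (6) Login incorrect (eap_tls: (TLS) OpenSSL says error 20 : unable to get local issuer certificate): [host/admin/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)
2021-11-14T10:51:46       ERROR: (6) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA
2021-11-14T10:51:46       ERROR: (6) eap_tls: ERROR: (TLS) OpenSSL says error 20 : unable to get local issuer certificate
2021-11-14T10:35:48       Info: Ready to process requests
2021-11-16T08:40:09       Auth: (13) Login incorrect (eap_tls: (TLS) OpenSSL says error 2 : unable to get issuer certificate): [testuser/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)
2021-11-16T08:40:09       ERROR: (13) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA
2021-11-16T08:40:00       Auth: (6) Login incorrect (eap_tls: (TLS) OpenSSL says error 2 : unable to get issuer certificate): [testuser/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)
2021-11-16T08:43:33       Auth: (7) Login OK: [testuser] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Both codes mean the same thing from the server's point of view: the certificate the client presented could not be chained to a CA that FreeRADIUS was configured to trust, which is why the TLS alert is "unknown CA" in every failed attempt and why changing the CA selected under EAP settings changed the outcome. Run the script against the log file from Services: FreeRADIUS: Log File to get one line per attempt with identity, NAS and MAC.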

Well, that is interesting...

I'll look into it as my time permits but I'm glad to hear it is at least working.

With this scenario it would also not be possible to set the Root CA offline.

Thank You for your Help
Cheers,
Crissi

Quote from: benyamin on November 16, 2021, 10:49:16 PM
Well, that is interesting...

I'll look into it as my time permits but I'm glad to hear it is at least working.

Hello benyamin,

Did you already have the time to look into this?

Thx!
Cheers,
Crissi