freeradius: EAP-TLS broken since update

[senser8912]

Hello,

I already posted in the german part of this forum (https://forum.opnsense.org/index.php?topic=31124.0).
Since my update to 22.7.8, which included an update of freeradius to version 3.2.1 I'm facing problems with my wifi-clients.
They simply won't connect anymore, the radius-log is showing the error, that you can see below.
I tried reinstalling the freeradius-package, deleting the raddb-folder etc. None of which has worked so far.

Code: [Select]

Auth: (25) Login incorrect (eap: Failed continuing EAP TLS (13) session. EAP sub-module failed): [USERNAME/<via Auth-Type = eap>] (from client ACCESSPOINT port 0 cli XX-XX-XX-XX-XX-XX)

Auth: (25) Login incorrect: [USERNAME/<via Auth-Type = Reject>] (from client ACCESSPOINT port 0 cli XX-XX-XX-XX-XX-XX via TLS tunnel)


[senser8912]

I found a very unsatisfying solution: The config-parameter "Check TLS Common-Name" was suddenly causing these problems.
If I uncheck this box everything works just fine.
But: Now everyone with a valid certificate could log in as any other user...

Is this a bug?
Cause it worked just fine before the update and of course the common-names and usernames are identical.

[mimugmail]

Can you try to revert:

https://forum.opnsense.org/index.php?topic=31124.msg150219#msg150219

[senser8912]

Hi mimugmail,

thanks for your help, reverting helped indeed!

Code: [Select]

opnsense-revert -r 22.7.3 freeradius3

But this is obviously a software bug?

[mimugmail]

Hi mimugmail,

thanks for your help, reverting helped indeed!

Code: [Select]

opnsense-revert -r 22.7.3 freeradius3

But this is obviously a software bug?

A bug of FreeRadius where OPN is not responsible of.
Can you also revert to 22.7.7 and check again?