Here's our eap.conf file. Looks pretty normal to me.
Maybe the 127.0.0.1 localhost should be the regular IP?
# This file is generated from a template at /usr/local/pf/conf/radiusd/eap.conf
# Any changes made to this file will be lost on restart
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        #private_key_file = /usr/local/pf/conf/ssl/server.key
        #certificate_file = /usr/local/pf/conf/ssl/server.crt
        private_key_file = /usr/local/pf/conf/ssl/*******.davenport.edu.key
        certificate_file = /usr/local/pf/conf/ssl/mycert_combined.crt
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "packetfence-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "packetfence-tunnel"
        #soh = yes
        #soh_virtual_server = "soh-server"
    }
    mschapv2 {
    }
}
-
Pete Hoffswell - Network Manager
[email protected]
http://www.davenport.edu
On Wed, Feb 11, 2015 at 9:58 AM, Derek Wuelfrath <[email protected]>
wrote:
> Pete,
>
> Can you share your /usr/local/pf/raddb/eap.conf file?
> Make sure to remove any sensitive info first (if there’s any).
>
> Cheers!
> dw.
>
> --
> Derek Wuelfrath
> [email protected] :: www.inverse.ca
> +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On February 11, 2015 at 09:56:12, Pete Hoffswell (
> [email protected]) wrote:
>
> Hi Derek and packetfence-users -
>
> We have a version 3 signed certificate from godaddy.com specifically
> named and set for our packetfence server. It works perfectly for https
> access to the admin console on packetfence. But our 802.1X connections do
> not seem to use this cert, showing it as "Not Verified"
>
> Our existing 802.1x deployment, that works on a Microsoft IAS server
> running . We are passing AD domain credentials to authenticate. The
> certificate on this server works fine.
>
> Our android users connect with PEAP/MSCHAPV2 just fine.
> When our iPhone users connect, they will get a Certificate page saying "Not
> Verified" - Is there a way to have this say "verified"?
>
> Maybe I'll just not talk about linux and windows yet. :(
>
> Thanks so much for the advice.
>
> -
> Pete Hoffswell - Network Manager
> [email protected]
> http://www.davenport.edu
>
>
> On Wed, Feb 11, 2015 at 9:25 AM, Derek Wuelfrath <[email protected]>
> wrote:
>
>> Pete,
>>
>> It depends on what type of 802.1X authentication you’d like to put
>> in place.
>> Most of the time, when we talk about 802.1X, we talk about EAP-PEAP
>> (MSCHAP) to use domain credentials. We can also use EAP-TLS, which requires
>> a client certificate to authenticate rather than credentials.
>>
>> EAP-PEAP (MSCHAP) will probably require a valid SSL certificate to be
>> configured on the RADIUS server. That way, clients will not have to make
>> any modification on their device to trust / untrust the server cert.
>>
>> EAP-TLS doesn’t require any special certificate, other than the ones
>> you will be generating to authenticate the users.
>>
>> Let me know if you need more info.
>>
>> Cheers!
>> dw.
>>
>> --
>> Derek Wuelfrath
>> [email protected] :: www.inverse.ca
>> +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On February 10, 2015 at 15:57:25, Pete Hoffswell (
>> [email protected]) wrote:
>>
>> Hi there -
>>
>> Is there a special certificate type that is needed for 802.1X
>> authentication? How do I go about acquiring the correct type of cert, and
>> applying it to my PacketFence installation?
>>
>> I don't see any documentation about this, and am not a certificate guru
>> by any means.
>>
>>
>> -
>> Pete Hoffswell - Network Manager
>> [email protected]
>> http://www.davenport.edu
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
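
For the eap.conf posted at the top of this thread, an added example (not part of the original messages and not PacketFence code) that reads which certificate and key the active `tls` block loads and counts the certificates in that file. The function names, the `/old/server.crt` path and the sample files are constructed for illustration; the script does not validate the certificate itself, only what the configuration points at.

```shell
#!/bin/sh
# Added example (not PacketFence code): inspect the active TLS settings in eap.conf.

# eap_setting FILE BLOCK KEY: print KEY's value inside BLOCK (e.g. eap.tls).
# Commented-out lines are skipped, so only the setting in effect is reported.
eap_setting() {
    awk -v want="$2" -v key="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        /^[A-Za-z0-9_-]+[ \t]*[{]$/ {          # block opens: push its name
            sub(/[ \t]*[{]$/, ""); path = (path == "" ? $0 : path "." $0); next }
        /^[}]$/ { sub(/\.?[^.]+$/, "", path); next }   # block closes: pop
        path == want && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]+$/, "", k)
            sub(/[ \t]+#.*$/, "", v)            # drop trailing "# comment"
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)    # trim blanks and quotes
            if (k == key) { print v; exit }
        }' "$1"
}

# pem_cert_count FILE: number of PEM certificates in FILE.
pem_cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# eap_cert_report CONF: show what the tls block loads. Returns 1 when the file
# holds only one certificate, i.e. no intermediate CA is bundled with it.
eap_cert_report() {
    cert=$(eap_setting "$1" eap.tls certificate_file)
    echo "certificate_file: $cert"
    echo "private_key_file: $(eap_setting "$1" eap.tls private_key_file)"
    [ -r "$cert" ] || { echo "certificate file not readable"; return 2; }
    n=$(pem_cert_count "$cert"); echo "certificates in file: $n"
    [ "$n" -ge 2 ] || { echo "single certificate, no intermediate bundled"; return 1; }
}

# Constructed sample: a trimmed tls block and a one-certificate placeholder file.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'x' '-----END CERTIFICATE-----' > "$d/one.crt"
    printf '%s\n' 'eap {' ' tls {' ' #certificate_file = /old/server.crt' \
        " certificate_file = $d/one.crt" ' cache {' ' lifetime = 24 # hours' \
        ' }' ' }' '}' > "$d/eap.conf"
    eap_cert_report "$d/eap.conf" && rc=0 || rc=$?
    rm -rf "$d"; return "$rc"
}
```

On a real server, run `eap_cert_report /usr/local/pf/raddb/eap.conf` after sourcing the file; `demo` exercises it on the constructed sample.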