cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Please be advised, the GuideMe Wizard is no longer available on the Small Business Support Community. For search capability please use the community search field to find content related to Cisco Small Business documents, videos, and discussions.
1923
Views
0
Helpful
1
Replies
Highlighted
Beginner

WET200 FreeRadius EAP-TLS Authentication?

I have a new WET200 wireless bridge and cannot authenticate to our WPA2 EAP-TLS freeradius server. Here are the steps that I have taken so far:

1. Renamed my pkcs12 client certificate to .pfx extension and imported it into the WET200.

2. Used the client certificate import password as the "Private Key Password"

3. Typed in the client "Login Name"

The freeradius server recognizes the WET200 with the entered credentials but will not authenticate. The freeradius debug log gives the following error:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

WARNING: !! EAP session for state 0x3e833be03884222b... did not finish!

WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Normally, with other wireless devices the CA (ceritificate authority) certificate needs to be installed to the client as well as the pkcs12 client certificate? Is there a way to place a CA and client certificate into the WET200?

What is the proper method to install certificates into the WET200 for FreeRadius EPA-TLS authentication?

Regards,

Jim

1 REPLY 1
Beginner

WET200 FreeRadius EAP-TLS Authentication?

Okay, I figured it out. The trick was using OpenSSL to make a new pkcs12 certificate that included both the CA and the client certificates in one file. Once I loaded it into the WET200 and typed in the password everything works.

The pkcs12 file has to have a .pfx extension and not .p12 or the web interface will state that the certificate is invalid. I had to look at the javascript source to figure that one out.

For reference, the radius debug log showed the following error:

     rlm_eap: NAK asked for bad type 0

This apparently means that the supplicant in the WET200 was not able to offer the radius server a compatible eap type which was due to not having a complete certificate path.