We are currently putting in place a freeradius server that uses certificates to authenticate via a wireless connection. We have this working for 802.1x but Novell's client for Windows 7 breaks the 802.1x protocol. So we have to have the certificate based authentication.
I have a test domain set up and running, and I can get regular internal/external authentication to happen. Once I implement the certs is when things start going crazy. I have attached my radius -X output (at least the portions of it where it tries to instantiate the EAP module). I have googled around for answers but really haven't found anything. Any help would be greatly appreciated. Thank you.
Module: Instantiating eap
eap {
default_eap_type = "eap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
rlm_eap: Unknown default EAP type eap
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to load module "eap".
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
> We have this working for 802.1x but Novell's client for Windows 7 breaks the 802.1x protocol. So we have to have the certificate based authentication.
This doesn't make sense to me. Regardless of whether you are using EAP-PEAP, EAP-TLS or EAP-TTLS, your supplicants will need to talk 802.1x with the authenticator. If Novell's client truly breaks 802.1x, there's no way you can get this to work regardless of what authentication mechanism you decide to use with EAP (which itself is tunneled via EAPOL); 802.1x will need to be supported by your supplicants and authenticators.
Your issue as stated likely lies here:
You can't set the EAP authentication mechanism to EAP. EAP is just an authentication framework - hence the Extensible Authentication Protocol. You need to pick a protocol for EAP to use.
You mentioned certificates so I'm assuming you're implementing EAP-TLS. You probably want to change:
to
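To make the instantiation failure in the question reproducible offline, here is an added example (my own code, not FreeRADIUS's): a minimal parser for the brace-delimited radiusd config syntax and the check rlm_eap applies to `default_eap_type`, run over a constructed eap.conf fragment that mirrors the poster's settings. Module names, paths and the helper names are assumptions for illustration.

```python
# Added example, not FreeRADIUS code: parse the brace-delimited radiusd config and apply the check rlm_eap makes.
import re

EAP_CONF_BROKEN = """
eap {  # constructed fragment mirroring the poster's eap.conf
    default_eap_type = eap   # "eap" is the framework, not an EAP method
    tls {
        private_key_file = /etc/raddb/certs/server.pem
        CA_file = /etc/raddb/certs/ca.pem
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""

def parse_conf(text):
    """Turn 'name { ... }' blocks and 'key = value' lines into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments/whitespace
        cur = stack[-1] if stack else root
        if line.endswith("{"):                     # open a sub-section
            stack.append(cur.setdefault(line[:-1].strip(), {}))
        elif line == "}":                          # close it
            stack.pop()
        elif "=" in line:                          # key = value
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip().strip('"')
    return root

def check_eap(conf):
    """Return the problems rlm_eap would raise; an empty list means it loads."""
    eap = conf.get("eap", {})
    loaded = {k for k, v in eap.items() if isinstance(v, dict)}  # sub-modules
    default = eap.get("default_eap_type")
    problems = [] if default in loaded else [f"rlm_eap: Unknown default EAP type {default}"]
    for outer in ("ttls", "peap"):   # tunnelled methods name an inner type too
        inner = eap.get(outer, {}).get("default_eap_type")
        if inner and inner not in loaded:
            problems.append(f"{outer}: inner EAP type {inner} is not loaded")
    return problems

def fix_default(text, eap_type="tls"):
    """Rewrite the outer default_eap_type to a concrete method such as tls."""
    return re.sub(r"^(\s*default_eap_type\s*=\s*)\S+", rf"\g<1>{eap_type}",
                  text, count=1, flags=re.M)
```

Pointing `parse_conf` at a real `/etc/raddb/eap.conf` gives a quick pre-flight check before restarting radiusd in debug mode.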