nmcli can't astablish connection to radius server with wpa eap tls

From: Iris Fiedler <mail iris-fiedler de>
To: networkmanager-list gnome org
Subject: nmcli can't astablish connection to radius server with wpa eap tls
Date: Mon, 19 Feb 2018 12:59:04 +0100 (CET)

Debian: 9.3 
network-manager: 1.6.2-3

cat /etc/NetworkManager/system-connections/wlan0
[connection]
id=wlan0x0
uuid=ec4bcd13-d3e1-4707-b844-9b8c3821b7ac
type=wifi
interface-name=wlan0
permissions=

[wifi]
mac-address=80:1F:02:F2:2B:53
mac-address-blacklist=
mode=infrastructure
ssid=Linksys02355

[wifi-security]
auth-alg=open
key-mgmt=wpa-eap

[802-1x]
ca-cert=/var/opt/telemotive/etc/cert/ca.pem
client-cert=/var/opt/telemotive/etc/cert/client.p12
eap=tls;
identity=testUser1
password=testUser11
private-key=/var/opt/telemotive/etc/cert/client.p12
private-key-password=testCert1

[ipv4]
dns-search=
method=auto
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
never-default=true


freeRADIUS: 3.0.15 (on a different PC with OpenSuse 42.3)
Konfigured as wpa-eap tls with identity and password.

radius-tls.log 
(35)   Invalid user: [testUser1/<no User-Password attribute>] (from client 192.168.2.254/16 port 10 cli 
801f02f22b53 via TLS tunnel)
(35)   Rejected in post-auth: [testUser1/<no User-Password attribute>] (from client 192.168.2.254/16 port 10 
cli 801f02f22b53 via TLS tunnel)
(35)   Login incorrect: [testUser1/<no User-Password attribute>] (from client 192.168.2.254/16 port 10 cli 
801f02f22b53 via TLS tunnel)

As you can see the User-Password attribute is missing. Although the password in nmcli was set.

This is what nmcli is responding with:
nmcli device connect wlan0 
Passwords or encryption keys are required to access the wireless network 'Linksys02355'.
Warning: password for '802-1x.identity' not given in 'passwd-file' and nmcli cannot ask without '--ask' 
option.
Error: Connection activation failed: (7) Secrets were required, but not provided.

nmcli -a  device connect wlan0 
Passwords or encryption keys are required to access the wireless network 'Linksys02355'.
Identity (802-1x.identity): testUser1
Passwords or encryption keys are required to access the wireless network 'Linksys02355'.
Private key password (802-1x.private-key-password): 
Passwords or encryption keys are required to access the wireless network 'Linksys02355'.
Identity (802-1x.identity): testUser1

Even here no user password is asked!!!

I created a new user without password. Although the radius server accepted the authentication no connection 
was established!!!

It confused me so I checkt if a wpa eap ttls-pap would work. 
After reconfiguration of nmcli and radius server it worked without problems.
So I think this is only a tls problem.

Follow-Ups:
- Re: nmcli can't astablish connection to radius server with wpa eap tls
  - From: Beniamino Galvani

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]