Difference between revisions of "Talk:Spacenet"
(found some interesting links) |
(added some extra debug steps) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[User:Xopr|xopr]] 20:59, 9 October 2020 (CEST) I was triggered by a random [https://tweakers.net/nieuws/173130/consultatie-voor-gebruik-wpa2-enterprise-bij-publieke-overheidsnetwerken-begint.html tweakers article] also directing to another article with an [https://tweakers.net/nieuws/168986/driekwart-nederlandse-gemeenten-biedt-onveilige-wifi-gastnetwerken-aan.html?showReaction=14546094#r_14546094 informational comment] that pointed to a [https://www.youtube.com/watch?v=50fO3j4NgyQ youtube video] that triggered me to check some of the status. | [[User:Xopr|xopr]] 20:59, 9 October 2020 (CEST) I was triggered by a random [https://tweakers.net/nieuws/173130/consultatie-voor-gebruik-wpa2-enterprise-bij-publieke-overheidsnetwerken-begint.html tweakers article] also directing to another article with an [https://tweakers.net/nieuws/168986/driekwart-nederlandse-gemeenten-biedt-onveilige-wifi-gastnetwerken-aan.html?showReaction=14546094#r_14546094 informational comment] that pointed to a [https://www.youtube.com/watch?v=50fO3j4NgyQ youtube video] that triggered me to check some of the status. | ||
Since it's not 'guest' related and has a certificate: it's all good, but I wanted to store the above links anyway. | Since it's not 'guest' related and has a certificate: it's all good, but I wanted to store the above links anyway. | ||
+ | |||
+ | == testing commandline == | ||
+ | |||
+ | To test command line (with debug information and without setting up an actual accesspoint), one can use the following: | ||
+ | |||
+ | echo "User-Name=<USER>@ackspace.nl,User-Password=<CORRECT_PASS>"|/usr/bin/radclient <RADIUS_IP>:1812 auth <TOKEN> | ||
+ | Sent Access-Request Id <SEQ> from 0.0.0.0:51116 to <RADIUS_IP>:1812 length <LEN> | ||
+ | Received Access-Accept Id <SEQ> from <RADIUS_IP>:1812 to <LOCAL_IP>:51116 length 20 | ||
+ | |||
+ | Note that the tokens are IP bound; use the right token. | ||
+ | If command line works but the AP is not willing to connect (somethings in the lines of <code>deauthenticating from AC:25:PA:CE:13:37 by local choice (Reason: 3=DEAUTH_LEAVING)</code> in <code>dmesg -w</code>, the AP might have configured the wrong RADIUS IP or token, or even something else. | ||
+ | |||
+ | == Generate new certificates: == | ||
+ | |||
+ | * Steps to check the certificate validity: <code>openssl x509 -text -noout -in ./spacenet-2023.pem</code> or simply: <code>openssl x509 -dates -noout -in ./spacenet-2023.pem</code> | ||
+ | |||
+ | I followed https://sjamso.blogspot.com/2021/03/regenerate-and-configure-ssl.html to clean up and fix the certificates: | ||
+ | |||
+ | <code>cp /usr/share/doc/freeradius/examples/certs/* /etc/freeradius/3.0/certs/</code> | ||
+ | edit <code>/etc/freeradius/3.0/certs/ca.cnf</code> | ||
+ | |||
+ | <pre> | ||
+ | [ CA_default ] | ||
+ | ... | ||
+ | default_days = 1825 | ||
+ | ... | ||
+ | [certificate_authority] | ||
+ | countryName = NL | ||
+ | stateOrProvinceName = Limburg | ||
+ | localityName = Heerlen | ||
+ | organizationName = ACKspace | ||
+ | emailAddress = realm-admin@ackspace.nl | ||
+ | commonName = "ACKspace spacenet certificate authority" | ||
+ | </pre> | ||
+ | |||
+ | edit <code>/etc/freeradius/3.0/certs/server.cnf</code>: | ||
+ | |||
+ | <pre> | ||
+ | [ CA_default ] | ||
+ | ... | ||
+ | default_days = 1825 | ||
+ | ... | ||
+ | [server] | ||
+ | countryName = NL | ||
+ | stateOrProvinceName = Limburg | ||
+ | localityName = Heerlen | ||
+ | organizationName = ACKspace | ||
+ | emailAddress = realm-admin@ackspace.nl | ||
+ | commonName = "ACKspace spacenet certificate" | ||
+ | </pre> | ||
+ | |||
+ | check certificate references in <code>/etc/freeradius/3.0/mods-enabled/eap</code>: | ||
+ | |||
+ | <pre> | ||
+ | tls-config tls-common { | ||
+ | ... | ||
+ | private_key_file = ${certdir}/server-migrated.key | ||
+ | certificate_file = ${certdir}/server-migrated.pem | ||
+ | ca_file = ${certdir}/ca-migrated.pem | ||
+ | </pre> | ||
+ | |||
+ | run: | ||
+ | <pre> | ||
+ | # cd /etc/freeradius/3.0/certs/ | ||
+ | # make ca.der | ||
+ | # make printca | ||
+ | # make dh | ||
+ | # make server.pem | ||
+ | # chown freerad:freerad * | ||
+ | # service freeradius restart | ||
+ | </pre> |
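Review bot: the eap check in this revision lists server-migrated.key, server-migrated.pem and ca-migrated.pem, but the run block only builds ca.der and server.pem with make, and the validity check at the top of the section uses ./spacenet-2023.pem, so the text never says how the freshly generated files become the ones FreeRADIUS loads. Add the copy or rename step, or state that the three tls-common paths must be updated to the new file names before the restart. The sentence about the deauthenticating message also opens a parenthesis before "somethings in the lines of" that is never closed.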
Latest revision as of 14:43, 13 July 2024
xopr 20:59, 9 October 2020 (CEST) I was triggered by a random tweakers article also directing to another article with an informational comment that pointed to a youtube video that triggered me to check some of the status. Since it's not 'guest' related and has a certificate: it's all good, but I wanted to store the above links anyway.
== testing commandline ==

To test from the command line (with debug information and without setting up an actual access point), one can use the following:

<pre>
echo "User-Name=<USER>@ackspace.nl,User-Password=<CORRECT_PASS>"|/usr/bin/radclient <RADIUS_IP>:1812 auth <TOKEN>
Sent Access-Request Id <SEQ> from 0.0.0.0:51116 to <RADIUS_IP>:1812 length <LEN>
Received Access-Accept Id <SEQ> from <RADIUS_IP>:1812 to <LOCAL_IP>:51116 length 20
</pre>

Note that the tokens are IP bound; use the right token.

If the command line works but the AP is not willing to connect (something along the lines of <code>deauthenticating from AC:25:PA:CE:13:37 by local choice (Reason: 3=DEAUTH_LEAVING)</code> in <code>dmesg -w</code>), the AP might have the wrong RADIUS IP or token configured, or even something else.
== Generate new certificates: ==

* Steps to check the certificate validity: <code>openssl x509 -text -noout -in ./spacenet-2023.pem</code> or simply: <code>openssl x509 -dates -noout -in ./spacenet-2023.pem</code>
I followed https://sjamso.blogspot.com/2021/03/regenerate-and-configure-ssl.html to clean up and fix the certificates:
<code>cp /usr/share/doc/freeradius/examples/certs/* /etc/freeradius/3.0/certs/</code>

edit <code>/etc/freeradius/3.0/certs/ca.cnf</code>

<pre>
[ CA_default ]
...
default_days = 1825
...
[certificate_authority]
countryName = NL
stateOrProvinceName = Limburg
localityName = Heerlen
organizationName = ACKspace
emailAddress = realm-admin@ackspace.nl
commonName = "ACKspace spacenet certificate authority"
</pre>

edit <code>/etc/freeradius/3.0/certs/server.cnf</code>:

<pre>
[ CA_default ]
...
default_days = 1825
...
[server]
countryName = NL
stateOrProvinceName = Limburg
localityName = Heerlen
organizationName = ACKspace
emailAddress = realm-admin@ackspace.nl
commonName = "ACKspace spacenet certificate"
</pre>

check certificate references in <code>/etc/freeradius/3.0/mods-enabled/eap</code>:

<pre>
tls-config tls-common {
...
private_key_file = ${certdir}/server-migrated.key
certificate_file = ${certdir}/server-migrated.pem
ca_file = ${certdir}/ca-migrated.pem
</pre>

run:

<pre>
# cd /etc/freeradius/3.0/certs/
# make ca.der
# make printca
# make dh
# make server.pem
# chown freerad:freerad *
# service freeradius restart
</pre>
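The validity check and the eap reference check above can be combined so that the files FreeRADIUS actually loads are the ones inspected. This is an added example, not code from the wiki page or from FreeRADIUS; the function names are hypothetical, and it assumes one setting per line with <code>${certdir}</code> as the only variable in the paths.

```shell
#!/bin/sh
# Added example, not part of the wiki page: report the certificates that the
# FreeRADIUS eap module references and flag missing or soon-to-expire ones.
# Function names are hypothetical; assumes one setting per line and that
# ${certdir} is the only variable in the paths (and certdir contains no '|').

# Print "setting path" for each active (uncommented) *_file line.
# $1 = eap config file, $2 = value to substitute for ${certdir}
eap_cert_refs() {
    sed -n -E 's/^[[:space:]]*(private_key_file|certificate_file|ca_file)[[:space:]]*=[[:space:]]*([^[:space:]#]+).*$/\1 \2/p' "$1" |
        sed 's|[$]{certdir}|'"$2"'|g'
}

# Succeed if certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Print one status line per referenced certificate.
# $1 = eap config file, $2 = certdir, $3 = warning window in days
check_eap_certs() {
    eap_cert_refs "$1" "$2" | while read -r setting path; do
        case $setting in
            private_key_file) continue ;;   # keys carry no expiry date
        esac
        if [ ! -r "$path" ]; then
            echo "MISSING $setting $path"
        elif cert_valid_for_days "$path" "$3"; then
            echo "OK $setting $path"
        else
            # also reached when openssl cannot parse the file
            echo "EXPIRING $setting $path"
        fi
    done
}

# Run against the paths used on this page when called with "--run [days]".
if [ "${1:-}" = "--run" ]; then
    check_eap_certs /etc/freeradius/3.0/mods-enabled/eap \
        /etc/freeradius/3.0/certs "${2:-30}"
fi
```

A <code>MISSING</code> line after regenerating certificates means the eap module still points at a file name the <code>make</code> run did not produce.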