Difference between revisions of "Talk:Spacenet"

From Hackerspace ACKspace
Jump to: navigation, search
(Generate new certificates:: new section)
(added some extra debug steps)
 
Line 9: Line 9:
 
  Sent Access-Request Id <SEQ> from 0.0.0.0:51116 to <RADIUS_IP>:1812 length <LEN>
 
  Sent Access-Request Id <SEQ> from 0.0.0.0:51116 to <RADIUS_IP>:1812 length <LEN>
 
  Received Access-Accept Id <SEQ> from <RADIUS_IP>:1812 to <LOCAL_IP>:51116 length 20
 
  Received Access-Accept Id <SEQ> from <RADIUS_IP>:1812 to <LOCAL_IP>:51116 length 20
 +
 +
Note that the tokens are IP bound; use the right token.
 +
If command line works but the AP is not willing to connect (somethings in the lines of <code>deauthenticating from AC:25:PA:CE:13:37 by local choice (Reason: 3=DEAUTH_LEAVING)</code> in <code>dmesg -w</code>, the AP might have configured the wrong RADIUS IP or token, or even something else.
  
 
== Generate new certificates: ==
 
== Generate new certificates: ==

Latest revision as of 14:43, 13 July 2024

xopr 20:59, 9 October 2020 (CEST) I was triggered by a random tweakers article also directing to another article with an informational comment that pointed to a youtube video that triggered me to check some of the status. Since it's not 'guest' related and has a certificate: it's all good, but I wanted to store the above links anyway.

testing commandline

To test command line (with debug information and without setting up an actual accesspoint), one can use the following:

echo "User-Name=<USER>@ackspace.nl,User-Password=<CORRECT_PASS>"|/usr/bin/radclient <RADIUS_IP>:1812 auth <TOKEN>
Sent Access-Request Id <SEQ> from 0.0.0.0:51116 to <RADIUS_IP>:1812 length <LEN>
Received Access-Accept Id <SEQ> from <RADIUS_IP>:1812 to <LOCAL_IP>:51116 length 20

Note that the tokens are IP bound; use the right token. If command line works but the AP is not willing to connect (somethings in the lines of deauthenticating from AC:25:PA:CE:13:37 by local choice (Reason: 3=DEAUTH_LEAVING) in dmesg -w, the AP might have configured the wrong RADIUS IP or token, or even something else.

Generate new certificates:

  • Steps to check the certificate validity: openssl x509 -text -noout -in ./spacenet-2023.pem or simply: openssl x509 -dates -noout -in ./spacenet-2023.pem

I followed https://sjamso.blogspot.com/2021/03/regenerate-and-configure-ssl.html to clean up and fix the certificates:

cp /usr/share/doc/freeradius/examples/certs/* /etc/freeradius/3.0/certs/ edit /etc/freeradius/3.0/certs/ca.cnf

[ CA_default ]
...
default_days            = 1825 
...
[certificate_authority]
countryName         = NL
stateOrProvinceName = Limburg
localityName        = Heerlen
organizationName    = ACKspace
emailAddress        = realm-admin@ackspace.nl
commonName          = "ACKspace spacenet certificate authority"

edit /etc/freeradius/3.0/certs/server.cnf:

[ CA_default ]
...
default_days            = 1825 
...
[server]
countryName         = NL
stateOrProvinceName = Limburg
localityName        = Heerlen
organizationName    = ACKspace
emailAddress        = realm-admin@ackspace.nl
commonName          = "ACKspace spacenet certificate"

check certificate references in /etc/freeradius/3.0/mods-enabled/eap:

tls-config tls-common {
...
private_key_file = ${certdir}/server-migrated.key
certificate_file = ${certdir}/server-migrated.pem
ca_file = ${certdir}/ca-migrated.pem

run:

# cd /etc/freeradius/3.0/certs/
# make ca.der
# make printca
# make dh
# make server.pem
# chown freerad:freerad *
# service freeradius restart