
geteduroam - Re: Question regarding setting up Letswifi CA and EAP-TLS setting at FR3

Subject: An open discussion list for topics related to the geteduroam service



Re: Question regarding setting up Letswifi CA and EAP-TLS setting at FR3


  • From: Wenche Backman-Kamila <wenche.backman-kamila AT csc.fi>
  • To: Muhammad Farhan SJAUGI <farhan AT sifulan.my>
  • Cc: geteduroam <geteduroam AT lists.geant.org>
  • Subject: Re: Question regarding setting up Letswifi CA and EAP-TLS setting at FR3
  • Date: Wed, 24 Nov 2021 16:07:01 +0200 (EET)

Hi,

Thanks for your comments and technical advice! These kinds of solved problems are highly valuable to the community, and they also provide input for the project. I hope as many as possible on this list will follow your example and share lessons learned.

Regards,

Wenche
project manager for the geteduroam project from January 2022

----
Wenche Backman-Kamila, Network Specialist, Funet services, CSC
P.O. Box 405 02101 Espoo, Finland, tel +358 9 457 2737
CSC is the Finnish IT Center for Science, www.csc.fi, e-mail: wenche.backman-kamila AT csc.fi


From: "geteduroam" <geteduroam AT lists.geant.org>
To: "geteduroam" <geteduroam AT lists.geant.org>
Sent: Wednesday, 24 November, 2021 00:55:36
Subject: Re: Question regarding setting up Letswifi CA and EAP-TLS setting at FR3

Hi,
Just an update for the benefit of everyone who comes across this email in the future. So, I managed to solve the first "problem".

After looking deeply at the source code, basically there are two ways the admin can pass the realm name:

1. HTTP hostname/domain name: The code will look at the HTTP hostname/domain name and cross-check it with the realm_vhost table to find out the realm. However, although there is a function/method/API to add this mapping, it seems not to be implemented yet as a command, like the command to add a new realm. Hence, I had to add it manually in the database.
2. HTTP GET parameter: By adding ?realm=<realm name> or &realm=<realm name> when requesting a profile (e.g. https://get.eduroam.my/profiles/new/?realm=<realm name>).

Each has pros and cons, depending on the setup that you are looking for; e.g. the 1st option looks more "seamless" as you don't have to provide the realm. However, in a multitenant setup, you need to set up multiple web server virtual hosts, one for each realm. The 2nd option is simpler for the administrator, but they have to remind the user to mention the realm name in the URL. (CMIIW)

Hope this helps.

Regards

--
Ts. Muhammad Farhan SJAUGI, S.Kom. M.Sc.
SIFULAN Malaysian Access Federation
Email: farhan AT sifulan.my
Homepage: https://sifulan.my


On Mon, 22 Nov 2021 at 15:35, Muhammad Farhan SJAUGI <farhan AT sifulan.my> wrote:
Hi,
OK, I managed to solve problem no. 2. Apparently, the ServerID attribute inside the profile didn't match the actual server hostname, as a "radius." string was added.

So, I had to edit the server name by hand in the database (or is there any better way?) to make it correct. After this change, I was able to log in using the credential generated by the letswifi ca.

However, any idea how I can solve the first problem?

Regards
--
Ts. Muhammad Farhan SJAUGI, S.Kom. M.Sc.
SIFULAN Malaysian Access Federation
Email: farhan AT sifulan.my
Homepage: https://sifulan.my


On Sun, 21 Nov 2021 at 17:11, Muhammad Farhan SJAUGI <farhan AT sifulan.my> wrote:
Hi,
We are setting up a letswifi ca portal for our federation members. So far everything has gone well, as we are able to register a new realm and get the profile (however, we need to add ?realm=<realm name> manually to download the profile).

However, when we tested the account, we got the following error message at FreeRADIUS 3 (FR3), despite having added the realm's letswifi ca cert to the trusted CA list:

(33) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(33) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(33) eap_tls: ERROR: System call (I/O) error (-1)
(33) eap_tls: ERROR: TLS receive handshake failed during operation
(33) eap_tls: ERROR: [eaptls process] = fail
(33) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed

My questions are:

1. Is there any way to let the user download the profile without having to manually add ?realm=<realm name> in the browser URL?
2. Any idea what the problem is with our FR3 EAP-TLS configuration? FYI, our FR3 uses a Let's Encrypt cert.

Regards

--
Ts. Muhammad Farhan SJAUGI, S.Kom. M.Sc.
SIFULAN Malaysian Access Federation
Email: farhan AT sifulan.my
Homepage: https://sifulan.my
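The ServerID mismatch found in this thread (the profile carried an extra "radius." label, so the supplicant rejected the server certificate and FR3 only logged a generic TLS handshake failure) can be caught before a profile is handed to users by checking its ServerID entries against the names in the RADIUS server certificate. The following is an added example, not letswifi or FreeRADIUS code; the eap-config XML is constructed and the certificate names in CERT_NAMES are assumed.

```python
# Added example (not letswifi or FreeRADIUS code): verify that every ServerID in
# an eap-config profile matches a name the RADIUS server's certificate carries.
import xml.etree.ElementTree as ET

# Constructed minimal eap-config profile. The ServerID deliberately carries an
# extra "radius." label, reproducing the mismatch described in the thread.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="utf-8"?>
<EAPIdentityProviderList>
  <EAPIdentityProvider ID="example.org" namespace="urn:RFC4282:realm" lang="en">
    <AuthenticationMethods>
      <AuthenticationMethod>
        <EAPMethod><Type>13</Type></EAPMethod>
        <ServerSideCredential>
          <ServerID>radius.radius.example.org</ServerID>
        </ServerSideCredential>
      </AuthenticationMethod>
    </AuthenticationMethods>
  </EAPIdentityProvider>
</EAPIdentityProviderList>
"""

# Assumed names from the RADIUS server certificate (CN and SANs); in practice
# read them from the certificate FreeRADIUS actually serves, not hard-coded.
CERT_NAMES = ["radius.example.org"]


def server_ids(profile_xml: str) -> list[str]:
    """Collect every ServerID the supplicant will compare against the server cert."""
    root = ET.fromstring(profile_xml)
    return [e.text.strip() for e in root.iter("ServerID") if e.text]


def eap_types(profile_xml: str) -> list[int]:
    """EAP method types in the profile (13 = EAP-TLS, the method used in the thread)."""
    root = ET.fromstring(profile_xml)
    return [int(t.text) for m in root.iter("EAPMethod") for t in m.iter("Type")]


def check_server_ids(profile_xml: str, cert_names: list[str]) -> list[str]:
    """Return the ServerIDs that match no certificate name (case-insensitive,
    trailing dot ignored). A non-empty result means the supplicant will abort
    the TLS handshake, which FR3 reports only as a generic handshake failure."""
    known = {n.lower().rstrip(".") for n in cert_names}
    return [sid for sid in server_ids(profile_xml)
            if sid.lower().rstrip(".") not in known]


if __name__ == "__main__":
    print("EAP types:", eap_types(SAMPLE_PROFILE))
    print("mismatched ServerIDs:", check_server_ids(SAMPLE_PROFILE, CERT_NAMES))
```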



