
We are currently putting in place a freeradius server that uses certificates to authenticate via a wireless connection. We have this working for 802.1x but Novell's client for Windows 7 breaks the 802.1x protocol. So we have to have the certificate based authentication.

I have a test domain set up and running, and I can get regular internal/external authentication to happen. Once I implement the certs is when things start going crazy. I have attached my radius -X output (at least the portions of it where it tries to instantiate the EAP module). I have googled around for answers but really haven't found anything. Any help would be greatly appreciated. Thank you.


Module: Instantiating eap
  eap {
        default_eap_type = "eap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }

 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        CA_file = "/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
rlm_eap: Unknown default EAP type eap
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to load module "eap".
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
lilott8

1 Answer


We have this working for 802.1x but Novell's client for Windows 7 breaks the 802.1x protocol. So we have to have the certificate based authentication.

This doesn't make sense to me. Regardless of whether you are using EAP-PEAP, EAP-TLS or EAP-TTLS, your supplicants will need to talk 802.1x with the authenticator. If Novell's client truly breaks 802.1x, there's no way you can get this to work regardless of what authentication mechanism you decide to use with EAP (which itself is tunneled via EAPOL); 802.1x will need to be supported by your supplicants and authenticators.


Your issue as stated likely lies here:

rlm_eap: Unknown default EAP type eap
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"

You can't set the EAP authentication mechanism to EAP. EAP is just an authentication framework - hence the Extensible Authentication Protocol. You need to pick a protocol for EAP to use.

You mentioned certificates so I'm assuming you're implementing EAP-TLS. You probably want to change:

default_eap_type = "eap"

to

eap: default_eap_type = "tls"
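As an added example (not part of the question or the answer above), here is a small Python checker that reads a radiusd -X debug log, collects the EAP sub-modules that were actually linked (the "Linked to sub-module rlm_eap_<type>" lines) and verifies that default_eap_type in the eap { } block names one of them. The embedded log excerpt is an abridged, constructed copy of the output in the question.

```python
import re

# Constructed, abridged excerpt of the radiusd -X output shown in the question.
DEBUG_OUTPUT = """\
Module: Instantiating eap
  eap {
        default_eap_type = "eap"
        timer_expire = 60
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Linked to sub-module rlm_eap_tls
 Module: Linked to sub-module rlm_eap_ttls
 Module: Linked to sub-module rlm_eap_peap
 Module: Linked to sub-module rlm_eap_mschapv2
rlm_eap: Unknown default EAP type eap
"""


def linked_eap_types(debug):
    """EAP methods FreeRADIUS actually linked, taken from rlm_eap_<type> lines."""
    return set(re.findall(r"Linked to sub-module rlm_eap_(\w+)", debug))


def default_eap_type(debug):
    """default_eap_type from the top-level eap { } block, or None if absent."""
    m = re.search(r'^\s*eap \{.*?default_eap_type = "([^"]+)"', debug, re.S | re.M)
    return m.group(1) if m else None


def check_default_eap_type(debug):
    """Return (ok, message): the default must be one of the linked EAP methods."""
    default = default_eap_type(debug)
    linked = linked_eap_types(debug)
    if default is None:
        return False, "no default_eap_type found in the eap { } block"
    if default not in linked:
        return False, (f'default_eap_type = "{default}" is not a loaded EAP method; '
                       f"loaded methods: {', '.join(sorted(linked))}")
    return True, f'default_eap_type = "{default}" is a loaded EAP method'


if __name__ == "__main__":
    ok, msg = check_default_eap_type(DEBUG_OUTPUT)
    print(("OK: " if ok else "PROBLEM: ") + msg)
```

Running it against the question's log reports that "eap" is not a loaded method; after the change to "tls" it passes.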