I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.

2025-06-23 07:07:15 - last edited 2025-06-27 08:24:57
Tags: #WPA2-Enterprise EAP-TLS Wifi
Model: ER605 (TL-R605)   EAP245   TL-SG2008  
Hardware Version: V3
Firmware Version: Various ** see Content below for details

To start .... I am running Omada Software Controller (Currently on Windows 10) as a service.  It is currently version 5.15.20.21 (Stable build).

 

My network consists of the following devices (in addition to the SDC):

1x ER605 - 5 port VPN / Internet Gateway    ---  ER605 v2.0   firmware 2.3.0
1x SG2008 - 8 port Layer 2 Switch (non-PoE)  ---  SG2008 v4.20   firmware 4.20.9
1x EAP245 - Wireless Access Point --- EAP245(US) v3.0     firmware 5.2.0
1x Linux Mint Server v22.1 Xia   -  FreeRADIUS v3.2.5 (no proxies ... single realm ... wifi device x509 cert authentication only, no accounting)

 

There is SCANT documentation on setting up a network with this configuration (most of which is so deprecated that it almost qualifies as disinformation), so please excuse my fumbling about ... it is the best I could do given no experience, no support, and limited access to useful technical documentation or relevant information (outside of the RFCs themselves, which are virtually indecipherable as they are written in elite nerd code, a language that sadly I have yet to fully comprehend, despite many years of diligent effort made toward that score). I digress ...

 

What I am trying to accomplish, as stated in the Subject line for this thread, is to simply create a secure wireless environment where I can exist beyond the clutches of the innumerable hacker-type mac-address spoofing identity-thieving "criminals" that cannot or will not leave my information, devices, nor my internet connection alone. This is the final step ... beyond this, I'm going to have to resort to other more drastic measures which I will not discuss here.

 

I have connected, configured, and documented my network topology both physically and logically with this sole exception. I cannot get any wireless devices to successfully complete the authentication process of joining my secure wireless network. There aren't any errors or warnings ... nothing in RADIUS debugging etc .... in fact I can see in the rather verbose output FreeRADIUS provides during attempted connections that there isn't a problem .... it's all green lights up until the process stalls. It just stops processing and everything server side goes back into a waiting type state, while the device just hangs in a connecting state until eventually it too gives up and then stubbornly tries again... and the cycle repeats ad nauseam into perpetuity.

 

It might be RADIUS, but if it is I couldn't say where or why ... there is nothing pointing to a misconfiguration or what to look for if your devices simply hang in a "Connecting" state until eventually something or everything simply times out ... I guess, I'm completely out of ideas at this point and nowhere to turn for guidance. The FreeRADIUS forums and community resources have proven to be of little actual help, either no replies at all or unhelpful snarky comments from elitist knowledge-hoarding trolls that exist solely to cause people like me to think very dark and evil thoughts.

 

As for the SDC as I said, there aren't any errors that I'm seeing in the logs aside from the ARP cache poisoning, constant and non-ceasing mac address spoofing and of course the evil-twin / deauthorization combo attacks (those are my personal favorites... inspired me to actually go to a sporting goods store where I purchased a nice aluminum bat. I'm practicing my swing, and getting better too). Once again, I digress...

 

So, I have all the fun icky verbose logs and the verbose RADIUS output, all of which I'm more than happy to share.

 

What information specifically would you like to see first? Or should I post it all (it's a LOT)?

 

Really, thank you ... if you've read this far you deserve a medal just for that. But any ideas would be most appreciated. For anyone willing to take this on with me to try and run it to ground and find root cause .... I'll gladly buy you a pizza and a 2 litre of soda... send me an address and what you want on the bad boy and BAM!, I'll get one sent over easy as pie! (not joking). 

It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#1
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.-Solution
2025-06-24 07:46:30 - last edited 2025-06-27 08:24:57

Hi  @Net-Moose 

 

Here are some guides for your reference:

Configuration Guide on Dynamic VLAN with the VLAN Assignment function of RADIUS


Troubleshooting for RADIUS Authentication Failure

 

If you need further help, such as analyzing logs, you may contact TP-Link support to investigate the issue further. 

#2
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.-Solution
2025-07-13 18:45:13 - last edited 2025-07-13 18:47:51

  @Net-Moose 

 

Still no response to my request for support .... I am beginning to see why the support certificates I naively purchased with each of my Omada devices were so affordable; the old adage "you get what you pay for" was not lost on this network implementation's devices. I'll attest to that...

 

I'm considering boxing the whole thing up and throwing it in a dumpster ... my life has never been this frazzled trying to implement standard technologies on a simple flat network. Who needs it? I don't.

 

I just need to find something capable of replacing it all with first, which incidentally comes with actual support but also won't force me to take out a second mortgage on the house to pay for it.

 

Buyer beware! It's better than Linksys / Netgear / etc .... but then again, what isn't? Avoid the headache and the endless stress ... just buy Cisco and be done with it ... it'll cost you but you'll see the value, and probably save yourself an additional 15 years worth of gray hair overnight ... and as an added bonus, you could then skip having to attend any of those pointless anger management courses. Value add!

 

-Just another happy "EX"-customer

It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#13
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-06 01:01:04

  @Vincent-TP 

 

Thank you Vincent for taking the time to reply and for providing the links. Though I followed the configuration suggestions within the documents, they didn't match my device's configuration options exactly ... and in the end I still am unable to join any devices to my WPA2-Enterprise EAP-TLS FreeRADIUS wlan .... but after following the examples provided I now have actual errors appearing in my FreeRADIUS server's debugging output that I did not have previously ....

 

 

The VLAN configuration for the WLAN is as follows:

 

 

The WLAN configuration screen is as follows:

 

 

 

Here is the RADIUS Profile configuration:

 

 

And my FreeRADIUS server's Clients.conf and EAP.conf files were all reconfigured to reflect the information provided in the first linked document. It is these configuration changes in particular which caused the failures to appear in the debugging output, of that I am 100% certain. However, rather than revert the settings I am wondering if it might be prudent to combine the two such that my Access Point remains a client listed in Clients.conf as I believe it should be...

 

After looking over my posted settings do you have any additional concerns or pebbles of enlightenment to toss my way? Thank you for both your time and consideration.

 

 

 
It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#3
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-06 04:32:27 - last edited 2025-07-06 04:33:02

  

 @Vincent-TP

 

After going back to my original Clients.conf file and adding the document's recommended client data (vs. replacing any existing configured client data), this is the complete debugging output of FreeRADIUS after attempting to join a device to the WPA2-Enterprise wlan network:

 

 

Once the output goes back to "Ready to process requests" I look at my device and it is still waiting to connect. No error, no connection, just connecting f o r e v e r .... until eventually the battery dies or I lose interest ... tantamount to watching paint dry .... with full battery it's even worse. And I've tried it with different devices of different platforms each with the exact same result (except the devices without battery power don't ever quit trying, but other than that ... same).

It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#4
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-06 04:43:56

 

 @Vincent-TP

 

Oh, and unsure if this is of any actual relevance .... but ..... my OCSP instance, which I have configured to run on the same system as the FreeRADIUS server but on a different IP address (also hard coded into each device's certificate), does not ever get so much as a blip during any of the attempted device authentications ... I have RADIUS configured to check OCSP to validate the certs used by the devices .... but from the perspective of OCSP .... * crickets chirping * .... and nothing. Hmmmmm

 

It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#5
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-06 05:04:41

 

@Vincent-TP 

 

Sorry for the continuous rapid-fire updates, I'm just posting em as I find em, or as in this case as I remember em .... 

 

Interesting to note ... in the first linked document there is a comment detailing what to expect and how to react when connecting a device to the WLAN ... the information provided does not mirror my experience whatsoever:

 

"When connecting your client to the SSID, you will be asked to choose the authentication type of WPA-Enterprise, and enter the account username and password. After successfully authenticating with account “test10”, the client will obtain an IP address from VLAN10, while with account “test20”, it will get that from VLAN20."

 

Instead my devices receive / display absolutely no prompts for anything .... at all .... as stated previously .... connecting f o r e v e r .... 

 

 

It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#6
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-07 07:41:18 - last edited 2025-07-07 07:42:51

  @Net-Moose 

 

Thanks for that info.

 

May we know what kind of controller you are using?

 

We recommend submitting a support ticket via email for efficient assistance.


Please include the following information in the email:
1. This Forum ID 827580;
2. Your community nickname;
3. The type of controller you are using;
4. The config file of the controller.

#7
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-08 06:48:16

  @Vincent-TP 

 

Excellent, I will get that information together and submitted via email.

 

Thanks!

It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#8
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-08 08:12:34

  @Vincent-TP

 

I have done as instructed and submitted an email ticket with the requested information.

 

I am unsure whether or not the config export made it in with the ticket. Attempts to upload after renaming the .cfg file to .doc appeared to do nothing at all. No notification of success or failure was given and I could divine no indicator or other flag like iconography which might have indicated the status of any attempted upload.

 

If it did not make it through with the ticket I can provide the file via any number of alternate means, your choice.

It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#9
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-09 02:23:53

  @Net-Moose 

 

If they don't receive the configuration file, they will request a new copy from you. No need to worry.

Please continue troubleshooting with the support team, and once a solution is found, kindly share it here to help others as well.

#10
Re:I need help tracking down why my WPA2-Enterprise EAP-TLS FreeRADIUS Wifi network won't function.
2025-07-09 21:53:29 - last edited 2025-07-09 21:54:21

  @Vincent-TP 

 

Well, I've been monitoring my email and have gone through all of my received email including my junk folder ... and I have not received any email from anyone at TP-Link nor from anyone else regarding any of the ongoing Omada network issues.

 

Can you possibly verify that they have my correct email address information?

 

 

These are my public email addresses, either is fine ... I check both multiple times throughout the day 

 

 

CraigsLV69@gmail.com

 

Craigs_LV@outlook.com

 

 

Thanks!

It doesn't really matter whether you think that you can or whether you think that you can't .... either way .... you're always going to be correct.
#11