Hi everyone!! Thanks so much for the replies!! I believe that was my first forum post after years of lurking.
Beone wrote:
It's already in there, tested with v6.35rc8 and works like a charm
Referencing @slavik, @Beone, can you post your working config bits, if you don't mind?
I've pasted my "non-working" security profile, wireless interface, and cert info that I used during NANOG.
Below is the security profile. I tried tls-mode with "verify-certificate" and tried with and without a supplicant identity. ...about that supplicant identity. There was only one username for everyone, "nanog" (it's a pretty open network with a focus on efficiency, not restricting usage). I used that for the supplicant identity. I'm wondering if I should have used my system name, or something random. Thoughts?
5 name="nanog1" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm
group-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
supplicant-identity="nanog" eap-methods=eap-ttls-mschapv2 tls-mode=dont-verify-certificate
tls-certificate=auth.meetings.nanog.org.cer_0 mschapv2-username="someusername"
mschapv2-password="somepassword" static-algo-0=none static-key-0="" static-algo-1=none
static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key=""
radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no
interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX
radius-mac-mode=as-username-and-password radius-mac-caching=disabled group-key-update=5m
management-protection=disabled management-protection-key=""
Since NANOG is now over, I changed the following interface profile to match what I'm pretty sure I used before (I'm sure the frequency is different):
0 R name="wlan1-gateway" mtu=1500 l2mtu=1600 mac-address=4C:5E:0C:D7:73:14 arp=enabled
interface-type=Atheros AR9888 mode=station ssid="nanog" frequency=5805 band=5ghz-a/n/ac
channel-width=20mhz scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled
default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=nanog1 compression=no
And here is some info about the certificate I used:
6 L T name="auth.meetings.nanog.org.cer_0"
issuer=C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http:,,certs.godaddy.com,
repository,,CN=Go Daddy Secure Certificate Authority - G2
unit="Domain Control Validated" common-name="auth.meetings.nanog.org" key-size=2048
subject-alt-name=DNS:auth.meetings.nanog.org days-valid=1093 trusted=yes
key-usage=digital-signature,key-encipherment,tls-server,tls-client
serial-number="someserialnumber"
fingerprint="somefingerprint"
invalid-before=may/29/2015 21:01:38 invalid-after=may/27/2018 16:03:43
I don't have an opportunity to test this out again on the NANOG network until June (which gives visibility on both sides), but I'll test it out later today/tomorrow using a university network with similar settings.
Thanks so much everyone! -ej
EDIT:
1. Fixed quote.
2. Added supplicant identity detail.
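As an added example (my own code, not from the post or from MikroTik), here is a small audit script that parses the `print` output quoted above and flags the settings that matter for a station-mode WPA2-EAP profile: `tls-mode`, the EAP method, and whether the imported certificate is trusted and named for the expected server. The sample input is constructed from the post's own values, and `expected_server` is an assumed parameter.

```python
import re
import shlex

# Constructed sample: the relevant fields of the security-profile print output from the post.
PROFILE_TEXT = """5 name="nanog1" mode=dynamic-keys authentication-types=wpa2-eap
supplicant-identity="nanog" eap-methods=eap-ttls-mschapv2 tls-mode=dont-verify-certificate
tls-certificate=auth.meetings.nanog.org.cer_0 mschapv2-username="someusername"
mschapv2-password="somepassword" management-protection=disabled"""

# Constructed sample: the relevant fields of the certificate print output from the post.
CERT_TEXT = """6 L T name="auth.meetings.nanog.org.cer_0" common-name="auth.meetings.nanog.org"
subject-alt-name=DNS:auth.meetings.nanog.org trusted=yes
key-usage=digital-signature,key-encipherment,tls-server,tls-client"""


def parse_print(text):
    """Turn RouterOS 'print' key=value output into a dict; quoted values keep their spaces."""
    # Collapse line breaks, then drop the leading item number and flag letters ('5 ', '6 L T ').
    flat = re.sub(r"^\s*\d+(\s+[A-Z])*\s+", "", " ".join(text.split()))
    fields = {}
    for token in shlex.split(flat):          # shlex strips the quotes around values
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def audit_station_profile(profile, cert, expected_server):
    """Return (severity, message) findings for a station-mode WPA2-EAP security profile."""
    findings = []
    mode = profile.get("tls-mode", "")
    if mode != "verify-certificate":
        findings.append(("high", f"tls-mode={mode}: the authentication server's certificate is not checked"))
        if "mschapv2" in profile.get("eap-methods", ""):
            findings.append(("high", "inner MSCHAPv2 runs inside an unverified TLS tunnel, so the "
                                     "credentials are exposed to whichever server terminates it"))
    if mode != "verify-certificate" and profile.get("tls-certificate", "none") != "none":
        findings.append(("info", "tls-certificate is set, but server verification relies on "
                                 "certificates marked trusted=yes, not on this field"))
    if cert.get("trusted") != "yes":
        findings.append(("high", "imported certificate is not marked trusted=yes"))
    sans = [n.split(":", 1)[-1] for n in cert.get("subject-alt-name", "").split(",") if n]
    names = {cert.get("common-name", "")} | set(sans)
    if expected_server not in names:
        findings.append(("high", f"certificate names {sorted(names)} do not include {expected_server}"))
    if profile.get("management-protection") == "disabled":
        findings.append(("low", "management-protection=disabled: 802.11w frame protection is off"))
    return findings


if __name__ == "__main__":
    profile, cert = parse_print(PROFILE_TEXT), parse_print(CERT_TEXT)
    for severity, message in audit_station_profile(profile, cert, "auth.meetings.nanog.org"):
        print(f"[{severity}] {message}")
```

Switching the sample to `tls-mode=verify-certificate` (and enabling management protection) clears every finding, which is the configuration to aim for when the inner method is MSCHAPv2.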