Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Stefan Puch

@Arran Cudbard-Bell
> / is the prefix and suffix of the regular expression string. Any
> characters after the / suffix are used as modifiers. FreeRADIUS only
> supports the i modifier to make matches case insensitive.
>
> \\\\ resolves to a literal back-slash. Regular expressions use the \ char as
> an escape char so it needs to be escaped with itself. FR also uses \ as an
> escape char so it has to be escaped with itself too. Hence the \\\\ -> \\ -> \
>
> This regular expression was written to stop *stupid* *stupid* *stupid*
> students from breaking authentication by entering something in the domain
> field. They kept entering sussex.ac.uk and [EMAIL PROTECTED] in the User Box
> in the Windows supplicant, which resulted in ... The regexp parses these as:
>
> %{1} = user %{2} = domain
>
> or
>
> %{1} = user %{2} =
Thanks again for the detailed comment, it saved me a lot of time and I will try
to get more familiar with that kind of regular expression. I will take your
first solution; the domain was only excluded to check that the test certificates,
which can be generated with the Makefile provided in the FreeRADIUS source,
work.

> Now that the test certificates are working (on Win XP AND Windows Mobile)
> I will have to investigate my old certificates again, because mine are
> only working with the Windows XP supplicant and wpa_supplicant on Linux. The
> Windows Mobile supplicant cannot use them correctly although the
> certificates are the same. Very strange!
Yesterday evening I found out why my certificates don't work with the Windows
Mobile supplicant although they do with the Windows XP supplicant:
I'm using TinyCA to create and manage my certificates. By default the
certificates are generated with a key length of 4096 using RSA encryption and
SHA-1 as the signature algorithm. When I took a look into the Makefile which
generates the test certificates in the FreeRADIUS source, a key length of only
2048 is used and MD5 as the signature algorithm, so the devil must be in there
somewhere. And indeed, it doesn't matter which algorithm you use for
signing (MD5 or SHA-1), but the key length seems to be very important for Windows
Mobile devices. All certificates I generated with a key length of 2048 are
working fine; all certificates with a key length of 4096 don't work on the
mobile device (although they work fine on a Windows XP system).

In short:
The built-in supplicant of the Windows Mobile devices (I tested one with Windows
Mobile 2003SE and one with Windows Mobile 6 Professional) doesn't like
certificates with a key length of 4096!!!

Thanks again for all the help I got here on the mailing list; in the next days/weeks
I'm going to write a HOWTO for mobile devices in order to give something back
to you :-)

@Alan DeKok
Wouldn't it be better to change the signing process in the provided Makefile so that
a client certificate is signed by the CA certificate instead of by the server
certificate? When using TinyCA every certificate is signed by the CA
certificate, too. I know both will work if you specify the correct CA cert in
eap.conf, but changing that point would make the process (in my opinion) more
consistent:
You have to install the CA certificate and the client certificate on the
client computer, so why should the client cert be signed by the server cert? When I
looked around on the web earlier to find some good HOWTOs about setting up
FreeRADIUS using EAP-TLS I always found it done that way, that the CA cert signs all
other certs, and by the way, the HOWTO in the FreeRADIUS wiki (EAPTLS.pdf)
explains it that way, too ;-)

Best regards

Stefan Puch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Ivan Kalik
> You have to install the CA certificate and the client certificate on the
> client computer, so why should the client cert be signed by the server cert?

Because the idea is to authenticate those users to *that* server, not to
*every* server that got the certificate from that CA. With your approach
the user would be admitted to some other network if their server was
issued a certificate by the same CA. If you are using commercial
certificates there might be thousands of servers with certificates
issued by the same CA. And the user will be able to get onto all of them
(if they use EAP-TLS).

Ivan Kalik
Kalik Informatika ISP



Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Stefan Puch

> You have to install the CA certificate and the client certificate on the
> client computer, so why should the client cert be signed by the server cert?
>
> Because the idea is to authenticate those users to *that* server, not to
> *every* server that got the certificate from that CA. With your approach the
> user would be admitted to some other network if their server was issued a
> certificate by the same CA. If you are using commercial certificates there
> might be thousands of servers with certificates issued by the same CA. And
> the user will be able to get onto all of them (if they use EAP-TLS).
Thanks for the clarification, this is a good argument! In my case there is (and
will be) only one server which uses the CA, so it makes no difference, but in many
other cases you are right: signing with the CA is not what you really want.

Thanks again and best wishes

Stefan Puch


Re: Problems using EAP-TLS with freeradius version 2

2008-02-07 Thread Stefan Puch
@Arran Cudbard-Bell
> Write a regular expression to strip off the preceding \
> Here's one I did earlier. If I remember correctly it's \\\\ to escape to
> one \ in the username ... \\ to escape it in the RegExp string, \\ to make \
> literal in the regular expression...
I'm not so familiar with regular expressions, but your example works. Thank you
very much! :-)

To make the test certificate be accepted I only had to remove the leading
@, because the username in there is [EMAIL PROTECTED] and if stripped to only
user it is not accepted by the RADIUS server.

# This one works with the test certificate, too
# (\\\\ in the config string is one literal \ in the regex)
if (%{User-Name} =~ /\\\\?([^\\\\]+)@?([-[:alnum:]._]*)?$/) {
        update request {
                Stripped-User-Name = "%{1}"
        }
}

# Arran's original, with @ excluded from the user part
if (%{User-Name} =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
        update request {
                Stripped-User-Name = "%{1}"
        }
}
Is there anywhere a more detailed HOWTO for understanding this regular
expression? I would like to fully understand what this example does...
Probably I just have to do some googling.

Now that the test certificates are working (on Win XP AND Windows Mobile) I
will have to investigate my old certificates again, because mine are only
working with the Windows XP supplicant and wpa_supplicant on Linux. The Windows
Mobile supplicant cannot use them correctly although the certificates are the
same. Very strange!
Finally I can start writing the HOWTO for Windows Mobile devices ;-)



Re: Problems using EAP-TLS with freeradius version 2

2008-02-07 Thread Arran Cudbard-Bell

Stefan Puch wrote:

> @Arran Cudbard-Bell
>> Write a regular expression to strip off the preceding \
>>
>> Here's one I did earlier. If I remember correctly it's \\\\ to escape to
>> one \ in the username ... \\ to escape it in the RegExp string, \\ to make \
>> literal in the regular expression...
>
> I'm not so familiar with regular expressions, but your example works. Thank you
> very much! :-)
>
> To make the test certificate be accepted I only had to remove the leading
> @, because the username in there is [EMAIL PROTECTED] and if stripped to only
> user it is not accepted by the RADIUS server.
  

http://www.regular-expressions.info/

This is the best reference for regular expressions. Depending on the
libraries the server is built against, the RegExp flavour is usually
PCRE (Perl Compatible Regular Expressions).

> # This one works with the test certificate, too
> if (%{User-Name} =~ /\\\\?([^\\\\]+)@?([-[:alnum:]._]*)?$/) {
>         update request {
>                 Stripped-User-Name = "%{1}"
>         }
> }

  
/ is the prefix and suffix of the regular expression string. Any
characters after the / suffix are used as modifiers. FreeRADIUS only
supports the i modifier to make matches case insensitive.


\\\\ resolves to a literal back-slash. Regular expressions use the \
char as an escape char so it needs to be escaped with itself. FR also
uses \ as an escape char so it has to be escaped with itself too. Hence
the \\\\ -> \\ -> \


This regular expression was written to stop *stupid* *stupid* *stupid*
students from breaking authentication by entering something in the
domain field. They kept entering sussex.ac.uk and [EMAIL PROTECTED] in
the User Box in the Windows supplicant, which resulted in:

[EMAIL PROTECTED]
or sussex.ac.uk\user

The regexp parses these as:

%{1} = user
%{2} = domain

or

%{1} = user
%{2} =

if (%{User-Name} =~ /\\\\?([^\\\\]+)$/) {
        update request {
                Stripped-User-Name = "%{1}"
        }
}

If you don't need the domain information separately, the above
expression might work better for you. The \\\\? will always try to match
the first '\' but will actually match the last '\' because of the greedy
capture. Then the greedy capture will capture anything but \.
Should also work for just straight [EMAIL PROTECTED] as the '\' prefix is
optional.


We use the domain part of the user identifier for proxying.

> Is there anywhere a more detailed HOWTO for understanding this regular
> expression? I would like to fully understand what this example does...
> Probably I just have to do some googling.
>
> Now that the test certificates are working (on Win XP AND Windows Mobile) I
> will have to investigate my old certificates again, because mine are only
> working with the Windows XP supplicant and wpa_supplicant on Linux. The Windows
> Mobile supplicant cannot use them correctly although the certificates are the
> same. Very strange!
> Finally I can start writing the HOWTO for Windows Mobile devices ;-)



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Stefan Puch
@Alan DeKok
> I'll bet that if you posted the final Access-Accept from 1.1.7 and from
> 2.0.1, that they would be *different*.  If you make them the same, I'll also
> bet that the NAS will accept the user.
You were right (you win the bet), I accidentally commented out an entry in the
default file, whose settings were included in radiusd.conf in the previous version
of FreeRADIUS.

> Stop fighting with the certificates.  You're wasting your time, and confusing
> yourself.  Start looking at the contents of the Access-Accept, which is the
> only thing that really matters.
With that hint I was able to get Windows and Linux laptops working again using
EAP-TLS and FreeRADIUS 2.0.1. I also managed to get a WM2003 and a WM6 PDA
connecting using EAP-PEAP.
For using EAP-TLS with the Windows Mobile devices I still have to solve one
problem, which I think would be no problem for you: the problem with the
username of the devices.

If I disable the option check_cert_cn = %{User-Name} in eap.conf I get a
working configuration, but in the end it should also work with that option enabled.
The problem with the Windows Mobile devices is that they always submit the
username as DOMAIN\user. If you leave the DOMAINNAME blank, \user is still used.
Since the radiusd.conf hints say that I should NOT use the option
with_ntdomain_hack (and when I tested it, it still didn't work for me) I wanted to
use the realm module.
But at the moment I don't fully understand how realms work, although I did read
the posting on this mailing list (from 2004) and the manpage.
I know that I will have to use the realm module

# 'domain\user'
realm ntdomain {
        format = prefix
        delimiter = "\\"
}

for that, but what else do I have to configure when I want to use a blank
domain? First I tried with a domain called bla which is configured in
proxy.conf:

realm bla {
        authhost = LOCAL
        accthost = LOCAL
}

The attached logfile shows that the username is stripped correctly, but
obviously the stripped username is not passed correctly to the EAP module. Can
anyone tell me what else I have to configure? My goal is simply to strip the
empty domain from the username, so that EAP-TLS works with the option
check_cert_cn = %{User-Name} enabled in eap.conf.

In short:
How do I specify an empty domain (realm "" {authhost = LOCAL, accthost = LOCAL}
doesn't work)?

What else do I have to configure when the realm ntdomain is set in radiusd.conf
(I have also set ntdomain in the authorize and preacct sections)?

Best regards and thanks in advance

Stefan Puch

PS: When I've got a working configuration for the Windows Mobile devices, I'm
going to write a little HOWTO like the one "EAP/TLS Setup for FreeRADIUS and
Windows XP Supplicant" just for mobile PDAs.


FreeRADIUS Version 2.0.1, for host i586-mandriva-linux-gnu, built on Jan 24 
2008 at 21:20:10
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
user = radius
group = radius
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = no
 }
}
 client 127.0.0.1 {
require_message_authenticator = no
secret = test
shortname = localhost
 }
 client 192.168.0.8 {
require_message_authenticator = no
secret = test
shortname = AP-Tower
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30

Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Arran Cudbard-Bell

Stefan Puch wrote:

> @Alan DeKok
>> I'll bet that if you posted the final Access-Accept from 1.1.7 and from
>> 2.0.1, that they would be *different*.  If you make them the same, I'll also
>> bet that the NAS will accept the user.
>
> You were right (you win the bet), I accidentally commented out an entry in the
> default file, whose settings were included in radiusd.conf in the previous version
> of FreeRADIUS.
>
>> Stop fighting with the certificates.  You're wasting your time, and confusing
>> yourself.  Start looking at the contents of the Access-Accept, which is the
>> only thing that really matters.
>
> With that hint I was able to get Windows and Linux laptops working again using
> EAP-TLS and FreeRADIUS 2.0.1. I also managed to get a WM2003 and a WM6 PDA
> connecting using EAP-PEAP.
> For using EAP-TLS with the Windows Mobile devices I still have to solve one
> problem, which I think would be no problem for you: the problem with the
> username of the devices.
>
> If I disable the option check_cert_cn = %{User-Name} in eap.conf I get a
> working configuration, but in the end it should also work with that option enabled.
> The problem with the Windows Mobile devices is that they always submit the
> username as DOMAIN\user. If you leave the DOMAINNAME blank, \user is still used.
> Since the radiusd.conf hints say that I should NOT use the option
> with_ntdomain_hack (and when I tested it, it still didn't work for me) I wanted to
> use the realm module.
> But at the moment I don't fully understand how realms work, although I did read
> the posting on this mailing list (from 2004) and the manpage.
>
> I know that I will have to use the realm module

You don't... you're using 2.0.1?

Write a regular expression to strip off the preceding \
Here's one I did earlier. If I remember correctly it's \\\\ to escape
to one \ in the username ... \\ to escape it in the RegExp string, \\ to
make \ literal in the regular expression...



authorize {
        # USERNAME FORMATTING
        # User-Name Formatting, extracts Realm, User. Ignores NT domain
        # This will accept
        # * user
        # * [EMAIL PROTECTED]
        # * ntdomain\\user
        # * [EMAIL PROTECTED]
        # (\\\\ in the config string is one literal \ in the regex)
        if (%{User-Name} =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
                update request {
                        Stripped-User-Name = "%{1}"
                }
        }
        ...
}

You then use:
check_cert_cn = %{Stripped-User-Name}


> PS: When I've got a working configuration for the Windows Mobile devices, I'm
> going to write a little HOWTO like the one "EAP/TLS Setup for FreeRADIUS and
> Windows XP Supplicant" just for mobile PDAs.



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900
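The User-Name normalisation from Arran Cudbard-Bell's two posts above (the 2008-02-07 explanation and this 2008-02-06 configuration), reproduced in Python as an added example; it is not part of the thread and not FreeRADIUS code. `re.search` finds the leftmost position where the whole pattern matches, just as the unlang `=~` test does, which is why the optional leading `\\?` ends up on the last backslash. Two assumptions: the POSIX class `[:alnum:]` is approximated with ASCII `A-Za-z0-9`, and the `check_cert_cn` comparison is modelled as an exact string match. The inputs are the forms named in the thread plus a constructed double-backslash case.

```python
import re

# FreeRADIUS 2.x unlang from the thread (config escaping: \\\\ -> regex \\ -> one literal \):
#   if (%{User-Name} =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { update request { Stripped-User-Name = "%{1}" } }
# The same pattern in Python syntax.  POSIX [:alnum:] has no direct Python form;
# ASCII A-Za-z0-9 is used instead (assumption: realms are ASCII).
USER_AND_REALM = re.compile(r"\\?([^@\\]+)@?([-A-Za-z0-9._]*)?$")

# Arran's shorter variant for when the realm is not needed separately:
#   if (%{User-Name} =~ /\\\\?([^\\\\]+)$/)
USER_ONLY = re.compile(r"\\?([^\\]+)$")


def split_user_name(user_name):
    """Return (user, realm) the way %{1} and %{2} come out of the first regex.

    re.search scans for the leftmost position where the whole pattern matches,
    exactly as the server's regexec() does.  For 'domain\\user' no match is
    possible before the backslash because the realm class cannot consume a
    backslash and $ would fail, so the optional \\? lands on the last
    backslash and %{1} is the text after it.
    """
    m = USER_AND_REALM.search(user_name)
    if m is None:
        return None
    return m.group(1), m.group(2) or ""


def strip_user_name(user_name):
    """%{1} from the shorter regex: everything after the last backslash, realm kept."""
    m = USER_ONLY.search(user_name)
    return None if m is None else m.group(1)


def cert_cn_matches(user_name, cert_cn):
    """Model of check_cert_cn = %{Stripped-User-Name}: the stripped user part
    must equal the client certificate's CN (exact comparison assumed here)."""
    parsed = split_user_name(user_name)
    return parsed is not None and parsed[0] == cert_cn


if __name__ == "__main__":
    # Constructed inputs covering the forms listed in the thread
    for name in ["user", "user@sussex.ac.uk", "sussex.ac.uk\\user",
                 "sussex.ac.uk\\user@sussex.ac.uk", "\\user", "a\\b\\c"]:
        print(f"{name!r:40} -> split={split_user_name(name)!r}  strip={strip_user_name(name)!r}")
```

The `"\\user"` case is the Windows Mobile behaviour Stefan describes (blank domain, backslash still sent): the realm comes back empty and the user part is what `check_cert_cn` would be compared against. Note that the shorter pattern leaves `user@realm` intact, so it only suits setups that do not need the realm separated.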



Re: Problems using EAP-TLS with freeradius version 2

2008-02-05 Thread Reimer Karlsen-Masur, DFN-CERT


Jeffrey Hutzelman wrote on 04.02.2008 00:43:
> --On Thursday, January 31, 2008 05:42:50 PM +0100 Reimer Karlsen-Masur,
> DFN-CERT [EMAIL PROTECTED] wrote:
>
>> If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your
>> client certificates they might not work with the Windows built-in supplicant.
>
> This is not surprising, if that is the only EKU in the cert.

I was talking about a set of EKUs like MS Smartcard Logon in combination
with clientAuth and e.g. e-mail protection... even if I did not state that
clearly enough.

Windows does not like to use EE certs containing the EKUs clientAuth and MS
Smartcard Logon for EAP-TLS with its built-in supplicant.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Security in Networked Systems"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski



Re: Problems using EAP-TLS with freeradius version 2

2008-02-03 Thread Jeffrey Hutzelman
--On Thursday, January 31, 2008 05:42:50 PM +0100 Reimer Karlsen-Masur,
DFN-CERT [EMAIL PROTECTED] wrote:

> If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your
> client certificates they might not work with the Windows built-in supplicant.


This is not surprising, if that is the only EKU in the cert.  In fact, in 
that situation, no correct server should accept the certificate for 
EAP-TLS, because the presence of any EKU means the certificate may _only_ 
be used for listed usages, and EAP-TLS is not smartcard-based logon.  If 
you want to use a certificate for both purposes, then it must have both 
id-kp-ms-sc-logon and one of anyExtendedKeyUsage (2.5.29.37.0) or [sigh] 
id-kp-clientAuth (1.3.6.1.5.5.7.3.2).  Unfortunately, RFC2716 does not 
discuss the details of certificate validation, but the rules for handling 
extended key usages are the same for all uses of PKIX; for details, see 
RFC3280 section 4.2.1.13.  The replacement for RFC2716 is 
draft-simon-emu-rfc2716bis-13.txt, which was just approved as a Proposed 
Standard in the past week.  It does discuss the details of certificate 
validation for EAP-TLS, in section 5.3.


-- Jeffrey T. Hutzelman (N3NHS) [EMAIL PROTECTED]
  Carnegie Mellon University - Pittsburgh, PA
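The extended-key-usage rule Jeffrey cites (RFC 3280 section 4.2.1.13) and the Smartcard Logon case Reimer raised, worked through in Python as an added example; this is not code from the thread, from FreeRADIUS or from OpenSSL. It encodes and decodes the DER value of an extKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER) and then applies the rule: no extension means no restriction, otherwise the certificate may be used only for the listed purposes, with anyExtendedKeyUsage as the wildcard. The OIDs for id-kp-clientAuth, anyExtendedKeyUsage and Microsoft Smartcard Logon are the ones given in the thread; id-kp-emailProtection is added for Reimer's "clientAuth plus e-mail protection" case and its OID is taken from RFC 3280, not from the thread. The EKU sets are constructed here, not read from any real certificate, and the Windows supplicant's own refusal of clientAuth + Smartcard Logon that Reimer observed is a client quirk that this PKIX rule does not model.

```python
# OIDs named in the thread
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
ID_KP_MS_SC_LOGON = "1.3.6.1.4.1.311.20.2.2"
# e-mail protection is mentioned by name in the thread; OID from RFC 3280 (assumption, not on the page)
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


def _base128(n):
    """DER base-128 encoding of one OID arc, most significant group first."""
    groups = [n & 0x7F]
    n >>= 7
    while n:
        groups.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(groups))


def _der_length(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_length(len(body)) + body


def encode_eku(oids):
    """extnValue of id-ce-extKeyUsage: SEQUENCE OF KeyPurposeId (tag 0x30)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    if body and body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    arcs[0:1] = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs))


def decode_eku(der):
    """extKeyUsage extnValue -> list of dotted KeyPurposeId strings."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def eku_permits_tls_client_auth(eku_der):
    """RFC 3280 4.2.1.13 applied to an EAP-TLS client certificate.

    eku_der is the DER extnValue, or None when the certificate carries no EKU
    extension.  Absent extension: any purpose is allowed.  Present extension:
    only the listed purposes are allowed, anyExtendedKeyUsage being a wildcard.
    """
    if eku_der is None:
        return True
    purposes = set(decode_eku(eku_der))
    return ID_KP_CLIENT_AUTH in purposes or ANY_EXTENDED_KEY_USAGE in purposes


if __name__ == "__main__":
    # Constructed EKU sets, not taken from any real certificate
    cases = {
        "no EKU extension": None,
        "Smartcard Logon only": encode_eku([ID_KP_MS_SC_LOGON]),
        "Smartcard Logon + clientAuth": encode_eku([ID_KP_MS_SC_LOGON, ID_KP_CLIENT_AUTH]),
        "Smartcard Logon + anyExtendedKeyUsage": encode_eku([ID_KP_MS_SC_LOGON, ANY_EXTENDED_KEY_USAGE]),
        "emailProtection only": encode_eku([ID_KP_EMAIL_PROTECTION]),
    }
    for label, der in cases.items():
        verdict = "accept" if eku_permits_tls_client_auth(der) else "reject"
        print(f"{label:40} {verdict}  {der.hex() if der else '-'}")
```

The "Smartcard Logon only" case is the one Jeffrey says no correct server should accept; the two-purpose and wildcard cases are his prescription for a certificate meant to serve both smartcard logon and EAP-TLS.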



Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Alan DeKok
Stefan Puch wrote:
> Therefore the Makefile is used in the same directory. I'm not really sure, but
> in line 93 where the client.pem is created it must be
> -passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER)

  Thanks.  I've fixed that.

> It would also be helpful to integrate the following command into the ca
> section, when generating a self-signed CA certificate, because using Windows
> you need the CA in DER format:
> openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

  Thanks.  I've added that, too.

  Alan DeKok.


Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Stefan Puch

@Reimer Karlsen-Masur
> If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your client
> certificates you could work around this by disabling the trust setting of
> valid certificate usage Microsoft Smartcard Logon in the CA's properties in
> the Windows built-in certificate store on the PDA.
As the Microsoft Smartcard Logon extendedKeyUsage *is NOT part* of the client
certificates there should be no problem. Something different seems to be
incorrect.

Did you get a PDA running Windows Mobile working with EAP-TLS with the Windows
built-in supplicant and FreeRADIUS? If yes, can you tell me which FreeRADIUS
version? I did once get a Windows Mobile device working using the built-in supplicant
and EAP-PEAP using MSCHAPv2 and FreeRADIUS 1.1.7.


@Alan DeKok
I didn't find any test certificates that come with 2.0.1. I think you are talking
about the bootstrap script which can create some test certificates, aren't you?

If so, here are the results:

- running bootstrap creates ca.pem, server.pem, dh and random which are used
with the RADIUS server (server.pem is signed with ca.pem)

- running make client.pem creates a client certificate which is signed by the
server certificate (in my opinion that cannot work, but I did it). I used that
certificate and ca.pem (according to the README) with wpa_supplicant on my Linux
laptop

- when trying to connect to the RADIUS server the validation fails with the
following output from radiusd -X (because the client cert is not signed
with ca.pem):
...
...
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls:  TLS 1.0 Handshake [length 038d], Certificate
-- verify error:num=20:unable to get local issuer certificate
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/via Auth-Type = EAP] (from client AP-Tower
port 1 cli 00095BC95B52)
  Found Post-Auth-Type Reject
+- entering group REJECT
++- group REJECT returns noop


--

- Then I changed the Makefile so that the client cert is signed with ca.pem
like the server certificate is (wouldn't that be the correct way?)

- when trying to connect to the RADIUS server the validation succeeds with the
following output from radiusd -X:
...
...
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls:  TLS 1.0 Handshake [length 0750], Certificate
chain-depth=1,
error=0
-- User-Name = [EMAIL PROTECTED]
-- BUF-Name = Example Certificate Authority
-- subject = /C=FR/ST=Radius/L=Somewhere/O=Example
Inc./[EMAIL PROTECTED]/CN=Example Certificate Authority
-- issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example
Inc./[EMAIL PROTECTED]/CN=Example Certificate Authority
-- verify return:1
chain-depth=0,
error=0
-- User-Name = [EMAIL PROTECTED]
-- BUF-Name = [EMAIL PROTECTED]
-- subject = /C=FR/ST=Radius/O=Example
Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
-- issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example
Inc./[EMAIL PROTECTED]/CN=Example Certificate Authority
-- verify return:1
TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0106], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
  rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.0.8 port 1140
EAP-Message =
0x010800450d80003b140301000101160301003031e600309274b2c95b4c91d60b518c86b678535f6f72e1ea9786b7ff77f6f405392a8
b9ddcd13285e0683603d2669f42
Message-Authenticator = 0x
State = 0x80a5541786ad5978313d7a01a03396c4
Finished request 6.
Going to the next request
Waking up in 0.2 seconds.

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Reimer Karlsen-Masur, DFN-CERT

Stefan Puch wrote on 01.02.2008 09:57:
> @Reimer Karlsen-Masur
>> If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your client
>> certificates you could work around this by disabling the trust setting of
>> valid certificate usage Microsoft Smartcard Logon in the CA's properties in
>> the Windows built-in certificate store on the PDA.
> As the Microsoft Smartcard Logon extendedKeyUsage *is NOT part* of the client
> certificates there should be no problem. Something different seems to be
> incorrect.
>
> Did you get a PDA running Windows Mobile working with EAP-TLS with the Windows
> built-in supplicant and FreeRADIUS?

I am afraid we do not have a Win Mob PDA available to test things. Problems
with the non-repudiation keyUsage occurred with a SymbianOS-based PDA.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur


Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Alan DeKok
Stefan Puch wrote:
> - running bootstrap creates ca.pem, server.pem, dh and random which are used
> with the RADIUS server (server.pem is signed with ca.pem)
>
> - running make client.pem creates a client certificate which is signed by the
> server certificate (in my opinion that cannot work

  I guess all of the people using that exact scenario are deluding
themselves.

> - when trying to connect to the RADIUS server the validation fails with the
> following output from radiusd -X (because the client cert is not signed
> with ca.pem):

  No.  It's failing because the server hasn't been told that its server
certificate is a known CA.  SSL is weird that way.

> - Then I changed the Makefile so that the client cert is signed with the
> ca.pem like the server certificate is (wouldn't that be the correct way?)

  No.  But it *will* work, too.  It may take less effort to get it to work.

> The problem is that after the Login OK nothing further happens, e.g. the
> clients cannot carry on using DHCP. The dhcp-client is started, but the request
> doesn't reach the dhcp-server.

  The login OK message is nothing more than a suggestion in the radius
logs.  What is *important* is:

 - was an Access-Accept sent back?  The rest of the debug log that you
deleted should show that
 - was the Access-Accept understood and processed by the NAS?  See the
NAS for details.

  If the server sent an Access-Accept, and the user still doesn't have
network access, then the NAS chose to disconnect the user.  This is
basic RADIUS knowledge.

> So I downgraded again from 2.0.1 to FreeRADIUS 1.1.7 and tested everything
> again: The first client certificate, which was signed with the server
> certificate, didn't work; the second one worked fine AND when, after Login
> OK, the dhcp-client is started, the dhcp-server gets the requests and can
> answer.

  You're stuck on the wrong pieces of information.  The certificates are
irrelevant.

  What is actually happening is that you've configured 2.0.1 and 1.1.7
*differently*.  The contents of the final Access-Accept sent by 2.0.1
are different from the contents sent by 1.1.7.  Since you configured the
contents, you are responsible for making sure that the contents are
identical, and that the NAS accepts them.

  The NAS doesn't look at the certificates.  It doesn't care.  It *does*
care if it isn't told the right information in the Access-Accept.

  I'll bet that if you posted the final Access-Accept from 1.1.7 and
from 2.0.1, that they would be *different*.  If you make them the same,
I'll also bet that the NAS will accept the user.

> The first question I would like to get an answer for is: Which certificate is
> needed to sign the client certificate, the CA certificate or the server
> certificate?

  Either.  It depends on how you want to do it.

> The second question is: Are there any further suggestions or do I have to make
> an ethereal trace? Perhaps you can send me some test certs that should really
> work, so that I can exclude the certs when debugging/analyzing the rest?

  The certificates are fine.  Don't claim that the certificates don't
work.  Many people have them working in real-world and test environments.

  Stop fighting with the certificates.  You're wasting your time, and
confusing yourself.  Start looking at the contents of the Access-Accept,
which is the only thing that really matters.

  Alan DeKok.


Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Sebastian Heil

 
 The first question I would like to get an answer for is: Which certificate
 is
 needed to sign the client certificate, the CA certificate or the server
 certificate?

It's nonsense that the server certificate signs the client certificate... it
must be signed by the CA certificate.

Sebastian



Re: Problems using EAP-TLS with freeradius version 2

2008-01-31 Thread Reimer Karlsen-Masur, DFN-CERT


Stefan Puch wrote on 31.01.2008 17:05:
 Hello again,
...
 @Reimer Karlsen-Masur
 We know of problems with EE certificates in PDAs containing the
 non-repudiation flag.

If the non-repudiation keyUsage *is part* of your client certificates they
might not work with some PDAs' built-in supplicants. We found this out by trial
and error...

 Additionally Windows built-in supplicants don't like EE certificates with
 the extendedKeyUsage Microsoft Smartcard Logon (1.3.6.1.4.1.311.20.2.2)
 when doing EAP-TLS.
 
 Apparently the latter issue can also be solved by just disabling the valid
 certificate usage of Microsoft Smartcard Logon in the issuing CA's trusted
 usages properties on the system.
 I'm not sure if I understand correctly what you want to say to me (I'm stupid
 :-))
 First I've used TinyCA to generate my certificates, now I will try the
 Makefile provided in the source-code of freeradius. I think the extendedKeyUsage
 Microsoft Smartcard Logon should not be set in both variants.

If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your client
certificates they might not work with the Windows built-in supplicant.

If the Microsoft Smartcard Logon extendedKeyUsage *is not part* of your
client certificates this causes fewer problems with the Windows built-in supplicant.

 Or do you mean
 that the extendedKeyUsage Microsoft Smartcard Logon must be disabled on the
 PDA?

If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your client
certificates you could work around this by disabling the trust setting of
valid certificate usage Microsoft Smartcard Logon in the CA's properties in the
Windows built-in certificate store on the PDA.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop on Security in Networked Systems,
13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski



Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
Stefan Puch wrote:
 Then some people came with their mobile devices which are running Windows 
 Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the 
 problems began. The same EAP-TLS certificate which worked fine on a Windows
  XP machine doesn't work on e.g. Windows Mobile 6 PDA.
 
 You have to love Microsoft...
Hmm, most of the time I'm using Linux, but 90% of the others only have a
Microsoft system :-(

 The EAP-TLS code was substantially re-worked in 2.0.0.  It was tested with
 Vista, XP SP1, XP SP2, Linux systems, MAC.  It's working live in
 environments with many, many different OS's and architectures.
 
 So it *should* work.
I was afraid that someone would say that, because I didn't believe that a new
version would be released without testing. By the way, when you have tested so
many different Windows systems you will have to Microsoft as well, won't you ;-)


 ethereal packet traces of the RADIUS traffic would help.  But I would first 
 suggest trying to use the test certificates that come with 2.0.1. If those 
 work, then the issue isn't 2.0.0 versus 1.1.7, it's that there is something 
 special about the certificates you're using.
OK, then I will start with the provided certificates, well knowing that if they
do work I will have to make new certificates for all current users...
If the certificates that come with 2.0.1 also fail I will provide some ethereal
packet traces.

Thanks for the quick response

Stefan Puch



Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Reimer Karlsen-Masur, DFN-CERT

Stefan Puch wrote on 30.01.2008 11:13:
 Hello everyone,
 
 I've got some problems with the new version of freeradius, but before I'm
 going to open a new bugreport or post long debugtraces from radiusd -X I want
 to ask here if someone else has made similar experiences.
 
 I've set up a freeradius server version 1.1.7 in our club to authenticate
 several Notebooks. This worked fine with Windows XP, Windows Vista and Linux
 clients using EAP-TLS certificates (many thanks for the good documentation of
 the OIDs in the TLS certificate).
 
 Then some people came with their mobile devices which are running Windows
 Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.

We know of problems with EE certificates in PDAs containing the
non-repudiation flag.

Additionally Windows built-in supplicants don't like EE certificates with
the extendedKeyUsage Microsoft Smartcard Logon (1.3.6.1.4.1.311.20.2.2)
when doing EAP-TLS.

Apparently the latter issue can also be solved by just disabling the valid
certificate usage of Microsoft Smartcard Logon in the issuing CA's trusted
usages properties on the system.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

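The two points raised in this thread, that the CA (not the server certificate) signs the client certificate, and that client certificates carrying the nonRepudiation keyUsage bit or the Microsoft Smartcard Logon EKU (1.3.6.1.4.1.311.20.2.2) break some PDA and Windows supplicants, can be checked with openssl. The script below is an added example, not code from the thread or from the FreeRADIUS Makefile; it assumes an openssl binary is on PATH, and the CA name and extension profiles are constructed for the demonstration.

```shell
# Added example (not from the thread): build a throwaway test CA and two
# EAP-TLS client certs with openssl, then lint each cert for the two
# attributes the thread identifies as problematic on mobile/Windows supplicants.
set -e
WORK=$(mktemp -d)

# "good" profile: clientAuth only, no nonRepudiation bit.
# "bad" profile: adds nonRepudiation and the Smartcard Logon EKU.
cat > "$WORK/good.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
EOF
cat > "$WORK/bad.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage=clientAuth,1.3.6.1.4.1.311.20.2.2
EOF

# The CA key signs every client certificate; the server cert never does.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.pem" -days 30 -subj "/CN=Example Test CA" 2>/dev/null

# issue_client NAME EXTFILE -> writes $WORK/NAME.pem, signed by the CA
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$2" -out "$WORK/$1.pem" 2>/dev/null
}

# issuer_of FILE -> prints the issuer DN, so you can confirm who signed it
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# check_client_cert FILE -> returns 0 only if neither problem attribute is set
check_client_cert() {
  ext=$(openssl x509 -in "$1" -noout -text)
  rc=0
  if printf '%s' "$ext" | grep -q 'Non Repudiation'; then
    echo "$1: keyUsage has nonRepudiation (breaks some PDA supplicants)"; rc=1
  fi
  if printf '%s' "$ext" | grep -qE 'Microsoft Smartcardlogin|1\.3\.6\.1\.4\.1\.311\.20\.2\.2'; then
    echo "$1: EKU has Microsoft Smartcard Logon (breaks Windows supplicants)"; rc=1
  fi
  return $rc
}

issue_client good "$WORK/good.ext"
issue_client bad  "$WORK/bad.ext"
```

Running `check_client_cert` over every certificate your CA hands out before deployment catches the TinyCA-style defaults discussed above; `issuer_of` on a client cert should name the CA, never the RADIUS server certificate.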

Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Alan DeKok
Stefan Puch wrote:
 Then some people came with their mobile devices which are running Windows
 Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.
 The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't
 work on e.g. Windows Mobile 6 PDA.

  You have to love Microsoft...

 With the new version 2.0.1 the Windows and Linux Laptops are not able to
 authenticate any more with the freeradius server (the certificates are still
 the same). The server sends an ACCESS, but the behavior is like described in
 the FAQ PEAP or EAP-TLS Doesn't Work with a Windows machine. Downgrading to the
 previous version of freeradius 1.1.7 makes them work again, freeradius version
 2.0.0 doesn't work either.

  The EAP-TLS code was substantially re-worked in 2.0.0.  It was tested
with Vista, XP SP1, XP SP2, Linux systems, MAC.  It's working live in
environments with many, many different OS's and architectures.

  So it *should* work.

 So, what would be helpful to analyze the problem? All config files or just the
 output from radiusd -X from both versions in order to make a diff or should I
 open a new bug in the tracking system as well?

  ethereal packet traces of the RADIUS traffic would help.  But I would
first suggest trying to use the test certificates that come with 2.0.1.
If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that there
is something special about the certificates you're using.

  Alan DeKok.