Re: Sending CA certificate during EAP-TLS
Hi.

Eshun Benjamin wrote:
>> Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration, the radius server is still sending the CA certificate.
>
> The CA_path folder is empty and the CA_file is commented out. This should work for you.
>
> tls {
>     #
>     # These is used to simplify later configurations.
>     #
>     certdir = ${raddbdir}/certs
>     cadir = ${raddbdir}/certs/trustedCA
>
>     private_key_password = whatever
>     private_key_file = ${certdir}/server.pem
>     certificate_file = ${certdir}/server.pem
>
>     # Trusted Root CA list - CA_path folder is empty
>     # CA_file = ${cadir}/ca.pem
>     CA_path = ${raddbdir}/certs/trustedCA

If the configuration is as minimal as suggested (no chain certificates in certificate_file) and FreeRadius is still sending the complete server CA chain build, this must be some FreeRadius magic.

How do you check if FreeRadius is actually sending the chain?

-- 
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
-- 
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Sending CA certificate during EAP-TLS
Hi Reimer,

> How do you check if FreeRadius is actually sending the chain?

I find Wireshark useful for this. It re-assembles the fragmented TLS handshake, which makes it much easier to understand...

josh.
Re: Sending CA certificate during EAP-TLS
Hi,

Rafa Marín López wrote:
> Reimer Karlsen-Masur, DFN-CERT wrote:
>
> Hi Karlsen, thanks for the answer, please see inline...
>
>> Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file. *Trusted* CAs for client auth are stored in CA_file or CA_path. So there is no conflict here with certificate_file option. And IMO usually CA_file and certificate_file should *not* contain the same CA certs
>
> Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration, the radius server is still sending the CA certificate.
>
> Having said that, your proposal was to not include the CA certificate in the RADIUS server certificate (in certificate_file variable). My RADIUS server certificate does not have the CA certificate included. Even so, the RADIUS server is including the CA certificate :(... any alternative solution?

No. If the configuration is as minimal as suggested (no chain certificates in certificate_file) and FreeRadius is still sending the complete server CA chain build, this must be some FreeRadius magic.

How do you check if FreeRadius is actually sending the chain?

-- 
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
-- 
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: Sending CA certificate during EAP-TLS
Hi,

in the file referenced by the option variable certificate_file in the tls section only put the server certificate (and optionally the private key) of your RADIUS server. I.e. don't put CA certificates of the chain into that file.

I don't know how to prevent the client from sending CA path certificates.

Rafa Marin wrote:
> Hi all,
>
> Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.

-- 
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
-- 
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re : Sending CA certificate during EAP-TLS
> Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation?

You may have to read the RFC :-). You need the certificates to do EAP-TLS.

==
Benjamin K. Eshun

----- Original message -----
From: Rafa Marin [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, 20 June 2007, 13:16:05
Subject: Sending CA certificate during EAP-TLS

Hi all,

Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.

Thanks in advance.
Re: Re : Sending CA certificate during EAP-TLS
Hi,

> Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.

err, no. you need to handle those fragmented packets. where is it failing, on your network or more remotely?

EAP-TLS places much larger demands on the packet sizes during AAA process... several hundred bytes more than PEAP (which JUST ABOUT misses fragmentation in its current form from recent memory). you've GOT to pass the certs... and if you're using a larger cert (chained etc) those packets will be big.

so... who's breaking the RFCs with respect to ICMP and pmtu? ;-)

alan
Re: Sending CA certificate during EAP-TLS
Hi,

> so... who's breaking the RFCs with respect to ICMP and pmtu? ;-)

I've been hunting one such case recently. Just in case it helps: in our case it was a BSD firewall that was misconfigured to only allow non-fragmented UDP packets. I'm not into BSD at all, the guy said something about this being a default setting? I hope I got him wrong back then.

We also currently have a pending issue with Cisco WLAN Controllers. We suspect that it will take the EAPoL message from the client, and put the beginning of it into a UDP packet, simply forgetting about the rest if EAPoL payload > largest possible EAP-Message payload. We couldn't get our hands on a 100% positive test case, so didn't approach TAC yet.

If any of the two are the case for you, please report back here - it's quite an interesting piece of info...

Stefan

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Re: Re : Sending CA certificate during EAP-TLS
Hi Benjamin

2007/6/20, Eshun Benjamin [EMAIL PROTECTED]:
>> Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation?
>
> You may have to read the RFC :-). You need the certificates to do EAP-TLS

Yes, that's clear to me that you need to send your certificates. But my question was related with CA certificate. When you read TLS RFC (see below) it seems that sending CA certificate is not mandatory. That is the reason of my question.

    certificate_list
        This is a sequence (chain) of X.509v3 certificates. The sender's
        certificate must come first in the list. Each following
        certificate must directly certify the one preceding it. Because
        certificate validation requires that root keys be distributed
        independently, the self-signed certificate which specifies the
        root certificate authority may optionally be omitted from the
        chain, under the assumption that the remote end must already
        possess it in order to validate it in any case.

> ==
> Benjamin K. Eshun
>
> ----- Original message -----
> From: Rafa Marin [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Sent: Wednesday, 20 June 2007, 13:16:05
> Subject: Sending CA certificate during EAP-TLS
>
> Hi all,
>
> Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.
>
> Thanks in advance.
Re: Re : Sending CA certificate during EAP-TLS
Hi Alan,

> err, no. you need to handle those fragmented packets. where is it failing, on your network or more remotely?

Actually, it is not failing. I got a successful authentication. I was only trying to avoid fragmentation if possible.

> EAP-TLS places much larger demands on the packet sizes during AAA process... several hundred bytes more than PEAP (which JUST ABOUT misses fragmentation in its current form from recent memory).

Yes, I know.

> you've GOT to pass the certs... and if you're using a larger cert (chained etc) those packets will be big.

Actually I don't see any problem in sending server certificate and the client its own client certificate. What I would like to do is to avoid sending CA certificate.

> so... who's breaking the RFCs with respect to ICMP and pmtu? ;-)
>
> alan
Re: Sending CA certificate during EAP-TLS
Hi Karlsen,

2007/6/20, Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]:
> Hi,
>
> in the file referenced by the option variable certificate_file in the tls section only put the server certificate (and optionally the private key) of your RADIUS server.

I think this might work (after some tests I did). But my immediate question is how the server is supposed to verify client certificate if we don't configure any CA certificate?

> I.e. don't put CA certificates of the chain into that file.
>
> I don't know how to prevent the client from sending CA path certificates.
>
> Rafa Marin wrote:
>> Hi all,
>>
>> Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.
Re: Sending CA certificate during EAP-TLS
Rafa Marin wrote:
> Hi Karlsen,
>
> 2007/6/20, Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]:
>> Hi,
>>
>> in the file referenced by the option variable certificate_file in the tls section only put the server certificate (and optionally the private key) of your RADIUS server.
>
> I think this might work (after some tests I did). But my immediate question is how the server is supposed to verify client certificate if we don't configure any CA certificate?

Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file.

*Trusted* CAs for client auth are stored in CA_file or CA_path. So there is no conflict here with certificate_file option. And IMO usually CA_file and certificate_file should *not* contain the same CA certs, because I guess in the majority of cases the RADIUS server cert is issued by some (commercial) server CA whereas the client certs are mostly issued by some home grown user CA.

Saying that, there might be cases where the CA certificates from CA_file are indeed the CA chain certs of the RADIUS server certificate.

-- 
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
-- 
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re : Sending CA certificate during EAP-TLS
> Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration, the radius server is still sending the CA certificate.

The CA_path folder is empty and the CA_file is commented out. This should work for you.

tls {
    #
    # These is used to simplify later configurations.
    #
    certdir = ${raddbdir}/certs
    cadir = ${raddbdir}/certs/trustedCA

    private_key_password = whatever
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem

    # Trusted Root CA list - CA_path folder is empty
    # CA_file = ${cadir}/ca.pem
    CA_path = ${raddbdir}/certs/trustedCA

    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    # fragment_size = 1024
    # include_length = yes
    # check_crl = yes
    # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
    # check_cert_cn = %{User-Name}
    #
    # Set this option to specify the allowed
    # TLS cipher suites. The format is listed
    # in "man 1 ciphers".
    cipher_list = "DEFAULT"
    #make_cert_command = "${certdir}/bootstrap"
}

==
Benjamin K. Eshun

----- Original message -----
From: Rafa Marín López [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Cc: Rafa Marin Lopez [EMAIL PROTECTED]
Sent: Wednesday, 20 June 2007, 18:10:12
Subject: Re: Sending CA certificate during EAP-TLS

Reimer Karlsen-Masur, DFN-CERT wrote:

Hi Karlsen, thanks for the answer, please see inline...

> Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file. *Trusted* CAs for client auth are stored in CA_file or CA_path. So there is no conflict here with certificate_file option. And IMO usually CA_file and certificate_file should *not* contain the same CA certs

Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration, the radius server is still sending the CA certificate.

Having said that, your proposal was to not include the CA certificate in the RADIUS server certificate (in certificate_file variable). My RADIUS server certificate does not have the CA certificate included. Even so, the RADIUS server is including the CA certificate :(... any alternative solution?

> because I guess in the majority of cases the RADIUS server cert is issued by some (commercial) server CA whereas the client certs are mostly issued by some home grown user CA. Saying that, there might be cases where the CA certificates from CA_file are indeed the CA chain certs of the RADIUS server certificate.
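Three points in this thread come down to what actually ends up in the TLS Certificate handshake message: Reimer's advice to keep only the server certificate in the file named by certificate_file, the RFC text Rafa quotes (the self-signed root may be omitted from certificate_list because the peer must already have it), and Alan's point that a chained certificate makes the EAP-TLS exchange fragment. The Python script below is an added example, not FreeRADIUS code and not from anyone in the thread. It reads a PEM bundle of the kind certificate_file points at, builds the TLS 1.2 Certificate message (RFC 5246 section 7.4.2) a server would send for that bundle, reports the chain order and whether a self-signed root is present, and estimates how many EAP-TLS fragments the message needs for a given fragment_size. The certificates are constructed, unsigned X.509 skeletons built inline (names such as radius.example.org, Example Issuing CA and Example Root CA are made up), nothing is signature-verified, and the fragment count ignores EAP header overhead. To audit a real bundle, read the file's text instead of the sample PEM.

```python
"""Added example: what a certificate_file bundle puts into the TLS Certificate
message, and roughly how many EAP-TLS fragments that costs.  All certificates
below are constructed, unsigned stand-ins."""
import base64
import re

# ---- minimal DER helpers: only what the Certificate/TBSCertificate skeleton needs ----

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at buf[pos:]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def name_from_cn(cn):
    # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); OID 2.5.4.3 = commonName
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

RSA_SHA256 = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
RSA_KEY = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))     # rsaEncryption

def fake_cert(subject_cn, issuer_cn, key_bytes=500):
    """CONSTRUCTED, UNSIGNED X.509 skeleton: correct field order, dummy key and signature."""
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                                  # [0] version v3
              + tlv(0x02, b"\x01")                                           # serialNumber
              + RSA_SHA256                                                   # signature algorithm
              + name_from_cn(issuer_cn)                                      # issuer
              + tlv(0x30, tlv(0x17, b"230101000000Z") + tlv(0x17, b"330101000000Z"))  # validity
              + name_from_cn(subject_cn)                                     # subject
              + tlv(0x30, RSA_KEY + tlv(0x03, b"\x00" * (key_bytes + 1))))   # subjectPublicKeyInfo
    return tlv(0x30, tbs + RSA_SHA256 + tlv(0x03, b"\x00" * 257))            # + dummy signature

def subject_issuer(der):
    """Walk Certificate -> tbsCertificate and return the raw DER bodies of subject and issuer."""
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)
    tag, _, pos = read_tlv(tbs)            # [0] version, or serialNumber when version is absent
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)     # serialNumber
    _, _, pos = read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)         # validity
    _, subject, _ = read_tlv(tbs, pos)
    return subject, issuer

def cn_of(name):
    """commonName of a Name whose first RDN is CN (true for the constructed certs)."""
    _, rdn, _ = read_tlv(name)             # first RelativeDistinguishedName (SET)
    _, atv, _ = read_tlv(rdn)
    _, _, pos = read_tlv(atv)              # skip the attribute OID
    return read_tlv(atv, pos)[1].decode()

# ---- PEM bundle <-> TLS 1.2 Certificate handshake message (RFC 5246, 7.4.2) ----

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def pem_encode(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def certificate_message(ders):
    """HandshakeType certificate(11), uint24 length, certificate_list of uint24-prefixed DER."""
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([11]) + len(body).to_bytes(3, "big") + body

def parse_certificate_message(msg):
    """Inverse of certificate_message: the DER certificates, sender's certificate first."""
    if msg[0] != 11:
        raise ValueError("not a Certificate handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    end, pos, ders = 3 + int.from_bytes(body[:3], "big"), 3, []
    while pos < end:
        n = int.from_bytes(body[pos:pos + 3], "big")
        ders.append(body[pos + 3:pos + 3 + n])
        pos += 3 + n
    return ders

def eap_fragments(nbytes, fragment_size=1024):
    """Approximate EAP-TLS fragment count (ceiling); ignores EAP/EAP-TLS header overhead."""
    return -(-nbytes // fragment_size)

def audit_bundle(pem_text, fragment_size=1024):
    ders = pem_certs(pem_text)
    pairs = [subject_issuer(d) for d in ders]
    msg = certificate_message(ders)
    return {
        "count": len(ders),
        "names": [cn_of(s) for s, _ in pairs],
        "ordered": all(pairs[i][1] == pairs[i + 1][0] for i in range(len(pairs) - 1)),
        "root_included": any(s == i for s, i in pairs),   # a self-signed cert is in the bundle
        "certificate_message_bytes": len(msg),
        "eap_fragments": eap_fragments(len(msg), fragment_size),
    }

# ---- constructed sample data (hypothetical names): root CA, issuing CA, RADIUS server cert ----
ROOT = fake_cert("Example Root CA", "Example Root CA")
INTER = fake_cert("Example Issuing CA", "Example Root CA")
SERVER = fake_cert("radius.example.org", "Example Issuing CA")
SERVER_ONLY_PEM = pem_encode(SERVER)                                   # certificate_file as recommended
FULL_CHAIN_PEM = pem_encode(SERVER) + pem_encode(INTER) + pem_encode(ROOT)

def compare(fragment_size=1024):
    return {"server_only": audit_bundle(SERVER_ONLY_PEM, fragment_size),
            "full_chain": audit_bundle(FULL_CHAIN_PEM, fragment_size)}

if __name__ == "__main__":
    for label, info in compare().items():
        print(label, info)
```

With the constructed sizes the server-only bundle fits in a single 1024-byte fragment while the three-certificate bundle needs three, which is the difference Alan describes. The "root_included" flag marks the case the RFC text allows you to drop; "ordered" checks the leaf-first, each-certifies-the-previous rule from the same paragraph, which is also what a Wireshark decode of the reassembled handshake would show you.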