FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Darlington, Andrew
Hi all

I'm trying to set up a very basic test server using FreeRADIUS (running on 
Ubuntu 12.04) that uses PEAP with the example certificates generated by 
FreeRADIUS.

I keep running into a variety of fairly basic problems.

After running freeradius -X I get this error message.

Couldn't open /etc/freeradius/acct_users for reading: Permission denied
Errors reading /etc/freeradius/acct_users
/etc/freeradius/modules/files[7]: Instantiation failed for module files
/etc/freeradius/sites-enabled/inner-tunnel[124]: Failed to load module files.
/etc/freeradius/sites-enabled/inner-tunnel[47]: Errors parsing authorize 
section.
I was hoping someone could advise.

Thanks

PS I'm new to FreeRADIUS and Ubuntu.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Alan DeKok
Darlington, Andrew wrote:
 I’m trying to setup a very basic test server using FreeRADIUS (running
 on Ubuntu 12.04) that uses PEAP with the example certificates generated
 by FreeRADIUS.

  See http://deployingradius.com  It has a detailed guide for EAP / PEAP.

 Couldn't open /etc/freeradius/acct_users for reading: Permission denied
 Errors reading /etc/freeradius/acct_users

  You're running it as a normal user, and the file is owned by root (or
another user).

  Run it as root.

  Alan DeKok.

RE: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Darlington, Andrew
Thanks for the fast reply.

  See http://deployingradius.com  It has a detailed guide for EAP / PEAP.

I'm actually following that one, it's very helpful, however I keep running into 
problems that aren't covered.

  You're running it as a normal user, and the file is owned by root (or 
another user).

I'm sorry I should have included more information the first time round.

root@hd:~# sudo freeradius -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Sep 24 2012 at 
17:53:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no

Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread A . L . M . Buxey
Hi,

I'm trying to setup a very basic test server using FreeRADIUS (running on
Ubuntu 12.04) that uses PEAP with the example certificates generated by
FreeRADIUS.

Out of the box, FreeRADIUS works. For testing you just need to add your 
user/pass to the 'users' file and your NAS to clients.conf.

alan


Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread A . L . M . Buxey
hi,

check permissions/owner etc of /etc/freeradius and the contents

alan


Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Phil Mayers

On 15/08/13 14:30, Darlington, Andrew wrote:


Couldn't open /etc/freeradius/acct_users for reading: Permission denied
Errors reading /etc/freeradius/acct_users
/etc/freeradius/modules/files[7]: Instantiation failed for module files
/etc/freeradius/sites-enabled/inner-tunnel[124]: Failed to load module files.
/etc/freeradius/sites-enabled/inner-tunnel[47]: Errors parsing authorize 
section.


I thought I was running it as root (root@hd), and I also used sudo just to be 
sure (not too confident on Ubuntu's root system).
Let me know if that's not the case.


main {
user = freerad
group = freerad

Ensure user/group freerad has permissions on /etc/freeradius/acct_users

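Phil's advice turned into something you can run before starting the server, added here as an example (it is not from the thread or from the FreeRADIUS project): it lists every file and directory under a configuration tree that a given service account could not open, judged from owner, group and mode bits the way the kernel does it (owner bits if the uid matches, otherwise group bits if the gid matches, otherwise the "other" bits). The uid and gid are passed numerically so the check also works on a machine where the freerad account from the debug output does not exist; supplementary groups and root's permission bypass are not modelled, and the wrapper's argument names are the only thing taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project: report the
# files under a configuration directory that a service user (given as numeric
# uid/gid) could not open for reading.  Permission is decided the way the
# kernel decides it: owner bits when the uid matches, else group bits when
# the gid matches, else the "other" bits.  Supplementary groups and root's
# bypass are deliberately not modelled.

# Files under $1 that uid $2 / gid $3 cannot read.
unreadable_by() {
    dir=$1; uid=$2; gid=$3
    find "$dir" -type f ! \( \
        \( -uid "$uid" -perm -400 \) -o \
        \( ! -uid "$uid" -gid "$gid" -perm -040 \) -o \
        \( ! -uid "$uid" ! -gid "$gid" -perm -004 \) \)
}

# Directories under $1 that uid $2 / gid $3 cannot enter.  A missing search
# bit hides everything below it, however readable the files themselves are.
unsearchable_by() {
    dir=$1; uid=$2; gid=$3
    find "$dir" -type d ! \( \
        \( -uid "$uid" -perm -500 \) -o \
        \( ! -uid "$uid" -gid "$gid" -perm -050 \) -o \
        \( ! -uid "$uid" ! -gid "$gid" -perm -005 \) \)
}

# Wrapper for the case in the thread:
#   check_config_readable /etc/freeradius freerad
# Returns 0 if the account can read everything, 1 (and prints the offending
# paths) otherwise, 2 if the account does not exist on this machine.
check_config_readable() {
    dir=$1; user=$2
    uid=$(id -u "$user" 2>/dev/null) || return 2
    gid=$(id -g "$user" 2>/dev/null) || return 2
    bad=$(unsearchable_by "$dir" "$uid" "$gid"; unreadable_by "$dir" "$uid" "$gid")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Run it as root against the directory the debug output names, with the user from the `main { user = ... }` block; the usual remedy for a file it reports is group ownership plus group read (for example root:freerad and mode 640), which keeps shared secrets in clients.conf unreadable to everyone else while the daemon, which drops to freerad after startup, can still open them.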

RE: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Darlington, Andrew
Hi

Thanks for all the replies!

Going through all the permissions of the various files freeradius complained 
about fixed it like Phil Mayers and Alan said.

I also fixed the radtest problem.  This just needed freeradius to be restarted 
normally.

I'm now working on PEAP with an Ubuntu client, so hopefully that will go 
smoothly.

Thanks again for the help.



Re: Question on certificates before deep dive into EAP-TLS

2013-04-12 Thread Alan DeKok
Mathieu Simon wrote:
 Telling students how to install an internal CA root isn't going to work,
 it already
 didn't work for teachers in the past ...

  Yes.  That is a problem.

 But allowing only (internal) devices with certs from the internal CA
 through CA_file
 would allow us to more easily integrate those non-personal but
 school-owned devices.

  That would work.

 I just hope I'm not telling complete bullshit... ;-)

  Nope.

 Thank you Alan for your time to answer!

  It's what I do.

  Alan DeKok.


Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
G'day

A (hopefully) answerable question for those experienced with EAP-TLS, one
I've been twisting my brain over:

Usually I've seen examples for EAP-TLS setups that used a server-side
certificate issued from the same CA as the one whose EAP-TLS clients,
presenting their certificate to FR, should be allowed.

Am I guessing correctly that CA_file can contain a different list of CA(s)
than the server certificate that is shown to the client? (Taken from
Debian's FR 2.1.12)

eap.conf:
  tls {
 [...]
 certificate_file = /etc/freeradius/ssl/cert.p

 #  Trusted Root CA list
 CA_file = /etc/univention/ssl/ucsCA/CAcert.pem
[...]

The real-life example would be that people could use PEAP-MSCHAPv2 for
credential-based logins (server certificate being signed by a trusted
external CA) while some devices could log in using EAP-TLS, but only when
they present a certificate from an internal CA (that usually isn't trusted
by devices outside the control of the IT department).

Best regards
Mathieu


Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Alan DeKok
Mathieu Simon wrote:
 Usually I've seen example for EAP-TLS setups that used a server-side
 certificate
 issued from the same CA as the one it should allow EAP-TLS clients who
 present
 their certificate to FR.

  Yes.

 Am I guessing correctly that CA_file can contain a different list of CA(s)
 than the server certificate that is shown to the client?

  Yes.  It contains a list of valid CAs.

 The real-life example would be that people could use PEAP-MSCHAPv2 for
 credential-based logins (server certificate being signed by a trusted
 external CA)

  While that works, it's not recommended.  It means that the client will
trust *any* certificate signed by that CA, for network access.

  It's usually a bad idea.

 while some devices could login using EAP-TLS but only when they present
 a certificate from an internal CA (that usually isn't being trusted by
 devices
 outside of control of IT department).

  That works.  The client will need *both* CAs.

  But why be this complicated?  Just use one CA, which is for both
EAP-TLS and PEAP.  It can issue client certs to some machines, and *not*
issue client certs to others.

  You don't need one CA per EAP method.

  Alan DeKok.


Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
Hi

On 11.04.2013 20:08, Alan DeKok wrote:
 snip!
 The real-life example would be that people could use PEAP-MSCHAPv2 for
 credential-based logins (server certificate being signed by a trusted
 external CA)
   While that works, it's not recommended.  It means that the client will
 trust *any* certificate signed by that CA, for network access.

   It's usually a bad idea.
Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the
certificate (and its trust chain) issued by the trusted CA.

CA_file would only contain the internal CA, so that only those signed by
the one internal CA that IT has control over would be accepted by FR.
(oh and I'd want to have a regularly up-to-date revocation list...)
 snip!

   You don't need one CA per EAP method.
Sure, I am only looking for the server-side certificate (certificate_file)
being signed by a CA that most devices trust - since most of the users are
going to use PEAP-MSCHAPv2 with devices not under direct control of IT.

Telling students how to install an internal CA root isn't going to work;
it already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA
through CA_file would allow us to more easily integrate those non-personal
but school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

-- Mathieu

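Mathieu's design, played through with openssl as an added example (this is not code from the thread or from FreeRADIUS): two CAs are created, the server certificate is issued by the "public" one that client devices already trust, and the role of CA_file is taken by a bundle holding only the internal CA, so `openssl verify -CAfile` accepts the school-owned laptop's certificate and rejects one issued by the public CA, which is the property Alan warns is lost when one public CA is used for everything. The last function is the check for the "certificate signature failure" discussed further down this page: whether the ca.key on disk is the key inside ca.pem. All CNs, file names and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not the thread's or FreeRADIUS's code: two CAs as in the
# design above.  The server cert chains to a "public" CA the clients already
# trust; CA_file lists only the internal CA, so only internal client certs
# verify.  Every name below is made up.
set -e

# Self-signed CA: $1 = file prefix, $2 = CN
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Leaf cert signed by CA $1: $2 = file prefix, $3 = CN
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$2.csr" \
        -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -out "$2.pem" 2>/dev/null
}

# What the tls { CA_file } check amounts to: does cert $2 chain to a CA in
# bundle $1?  Returns 0 (accepted) or 1 (rejected).
accepted_by_ca_file() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Diagnostic for the "certificate signature failure" case later on this
# page: is private key $1 the key inside CA cert $2?  A regenerated ca.key
# makes every certificate issued by the old key fail verification.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the setup in a scratch directory and print one verdict per cert.
# Returns 0 only if every outcome is the one the design expects.
demo() {
    d=$(mktemp -d)
    (
        cd "$d"
        make_ca public   "Public Root CA"      # trusted by the students' devices
        make_ca internal "Internal IT CA"      # trusted only by the RADIUS server
        issue_cert public   server "radius.example.org"   # certificate_file
        issue_cert internal laptop "school-laptop-01"     # EAP-TLS device cert
        issue_cert public   rogue  "someone-else"         # public CA, not ours
    )
    ok=0
    accepted_by_ca_file "$d/public.pem"   "$d/server.pem" && echo "server: chains to the public CA" || ok=1
    accepted_by_ca_file "$d/internal.pem" "$d/laptop.pem" && echo "laptop: accepted by CA_file"     || ok=1
    accepted_by_ca_file "$d/internal.pem" "$d/rogue.pem"  && ok=1 || echo "rogue: rejected by CA_file"
    key_matches_cert "$d/internal.key" "$d/internal.pem"  && echo "internal ca.key matches ca.pem" || ok=1
    rm -rf "$d"
    return $ok
}
```

The rogue certificate is the point: a device whose certificate was bought from the same public CA as the server certificate is still turned away, because CA_file, not certificate_file, decides which client certificates count. Supplicants, for their part, need the public CA to validate the server and nothing else, which is what makes the split attractive when the internal root cannot be pushed to student devices.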

Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske
On 23.01.2013, 19:53, Stephan Manske <gmane-re...@stephan.manske-net.de>
wrote:



Yes, it is a ssl problem, the ca.key and all the certs are incompatible.

And no, it is not only a ssl problem, it is a freeradius problem, too:


Unless the makefile in certs is provided by openssl, but I think this is  
freeradius stuff, or?


Ciao, Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske

On 22.01.2013, 22:19, Alan DeKok <al...@deployingradius.com> wrote:

Stephan Manske wrote:



[tls] -- verify return:1
-- verify error:num=7:certificate signature failure
[tls]  TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:04067084:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus


  That's an SSL error.  It looks like the certificate being presented is
wrong, or the client has made a mistake in SSL.


I think I found the issue:

Yes, it is a ssl problem, the ca.key and all the certs are incompatible.

And no, it is not only a ssl problem, it is a freeradius problem, too:


I made a new client certificate and this can be verified:

#openssl verify -verbose -CAfile ca.pem 0B.pem
0B.pem: OK

I made a next one:

openssl verify -verbose -CAfile ca.pem 0C.pem
0C.pem: OK

but, the last one now:

# openssl verify -verbose -CAfile ca.pem 0B.pem
0B.pem: C = DE, ST = Somewhere, O = Manske EIS, OU = Radius_Managment, CN  
=  Smart, emailAddress = user@mail.example

error 7 at 0 depth lookup:certificate signature failure
3074770568:error:0407006A:rsa  
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
3074770568:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding  
check failed:rsa_eay.c:721:
3074770568:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP  
lib:a_verify.c:215:



IMHO this patch
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile

with

+ca.key ca.pem: ca.cnf index.txt serial
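Review bot: listing index.txt and serial as normal prerequisites of ca.key and ca.pem couples the CA key to two files that `openssl ca` rewrites on every signing, so the next `make client` sees ca.key as out of date and runs the `openssl req -new -x509 -keyout ca.key` recipe again, silently replacing the CA that signed every certificate issued so far. If the intent is only that the two files exist before the CA is created, make them order-only prerequisites (`ca.cnf | index.txt serial`, GNU make) or create them from inside the recipe; either way this rule should never regenerate an existing ca.key.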

makes ca.key dependent on the date of index.txt and serial.

Both files are updated every time a new client cert is built. IMHO.

And so, I have a look at the cert generation:

# touch serial
# make client
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to 'client.key'
-
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config  
./ca.cnf

Generating a 2048 bit RSA private key
.+++
+++
writing new private key to 'ca.key'

# touch serial
# make client
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config  
./ca.cnf

Generating a 2048 bit RSA private key
.+++
..+++
writing new private key to 'ca.key'
-

and so on ...


With this newly generated ca.key the older certs cannot be validated  
anymore. But I do not think that it is intended to generate a new ca.key  
every time, or am I wrong?




This looks similar to

https://github.com/FreeRADIUS/freeradius-server/commit/7394b88e4725d47727338400665396d3e96ac1a2#raddb/certs/Makefile

69  -server.crt: server.csr ca.key ca.pem index.txt serial
69 +server.crt: server.csr ca.key ca.pem
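Review bot: dropping index.txt and serial from server.crt's prerequisites stops the server certificate from being re-signed every time `openssl ca` touches those files, but the same coupling is still present on the `ca.key ca.pem:` rule quoted above, where the consequence is worse (a new CA key rather than a new server certificate); the same change, or an order-only prerequisite, belongs there too.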

Before your patch I did this with an order-only prerequisite (|) in my  
private source:


server.crt: server.csr ca.key ca.pem | index.txt serial

I did this for the mentioned parts now, too:

##
#
#  Create a new self-signed CA certificate
#
##
ca.key ca.pem: ca.cnf | index.txt serial
	openssl req -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf



and it works:

# touch serial
# make client
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to 'client.key'
-
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep  
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt  
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf

Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
...

# touch serial
# make client
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep  
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt  
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf

Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:

even:

# touch serial
# make ca.key
make: `ca.key' is up to date.


I hope my thoughts are right and helpful.


Ciao, Stephan


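To see the dependency effect Stephan describes without generating real keys, here is an added stand-in (example code, not the project's certs Makefile): a tiny Makefile with the `ca.key ca.pem:` rule in three variants, the rule from commit 2d3f119 with index.txt and serial as normal prerequisites, Stephan's order-only form, and the `[ -f ... ] || $(MAKE)` form of the 2.2.1 fix quoted further down in this thread. The ca.key recipe writes a random token instead of a key so a regenerated CA shows up as a changed file, client.crt stands in for `make client`, and the driver replays his `touch serial; make client` sequence. The order-only variant needs GNU make, as Alan notes; the other two run on any make.

```shell
#!/bin/sh
# Added example, not the FreeRADIUS certs Makefile: a stand-in that
# reproduces the dependency behaviour under discussion.  "ca.key" holds a
# random token instead of a key, so a regenerated CA is visible as a
# changed file.

# Write ./Makefile with the ca.key rule in the requested variant:
#   buggy      ca.key ca.pem: ca.cnf index.txt serial    (commit 2d3f119)
#   orderonly  ca.key ca.pem: ca.cnf | index.txt serial  (order-only, GNU make)
#   portable   ca.key ca.pem: ca.cnf, files created inside the recipe (2.2.1)
write_makefile() {
    case $1 in
        buggy)     deps='ca.cnf index.txt serial' ;;
        orderonly) deps='ca.cnf | index.txt serial' ;;
        portable)  deps='ca.cnf' ;;
        *) echo "unknown variant: $1" >&2; return 2 ;;
    esac
    {
        printf 'ca.key ca.pem: %s\n' "$deps"
        if [ "$1" = portable ]; then
            printf '\t@[ -f index.txt ] || $(MAKE) index.txt\n'
            printf '\t@[ -f serial ] || $(MAKE) serial\n'
        fi
        printf '\tod -An -N8 -tx1 /dev/urandom > ca.key\n'
        printf '\tcp ca.key ca.pem\n'
        printf 'index.txt:\n\t: > index.txt\n'
        printf 'serial:\n\techo 01 > serial\n'
        # the "signed" client cert records which CA token signed it
        printf 'client.crt: ca.key index.txt serial\n'
        printf '\tcp ca.key client.crt\n'
    } > Makefile
}

# Replay the sequence from the thread for variant $1: make client, then
# "touch serial" (what openssl ca does on every signing), then make client
# again.  Prints "kept" if ca.key survived the second run, "regenerated"
# if make rebuilt it.
ca_key_after_second_client() {
    d=$(mktemp -d)
    (
        cd "$d" && : > ca.cnf && write_makefile "$1" \
            && make -s client.crt >/dev/null \
            && cp ca.key first.key \
            && sleep 1 && touch serial \
            && make -s client.crt >/dev/null \
            && { cmp -s ca.key first.key && echo kept || echo regenerated; }
    )
    rm -rf "$d"
}
```

The `sleep 1` only makes the timestamp difference unambiguous on filesystems with coarse mtime resolution; in the real Makefile no sleep is needed because `openssl ca` rewrites index.txt and serial after ca.key already exists, which is exactly the ordering that marks ca.key stale.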

Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Alan DeKok
Stephan Manske wrote:
 Unless the makefile in certs is provided by openssl, but I think this is
 freeradius stuff, or?

  The Makefile I pointed to was written by me.  It runs OpenSSL scripts
to create certificates.  It uses sample configurations written by me.

  It works for *everyone* else.  If you didn't use the Makefiles to
create the certs, then don't blame FreeRADIUS.  If you did use them,
then blame OpenSSL for creating certificates it can't read.

  FreeRADIUS doesn't implement SSL.  OpenSSL does.  FreeRADIUS doesn't
parse certs.  OpenSSL does.

  Is that clear enough?

  Alan DeKok.


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Alan DeKok
Stephan Manske wrote:
 I think I found the issue:
...
 makes ca.key dependent on the date of index.txt and serial
 
 Both files are updated every time a new client cert is built. IMHO.

  OK.  That's a better explanation than FreeRADIUS is wrong.

  There's a fix on github, which will be in 2.2.1.

  Alan DeKok.


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread A . L . M . Buxey
Hi,

 IMHO this patch
 https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
 
 with
 
 +ca.key ca.pem: ca.cnf index.txt serial

You stated earlier that you didn't touch FreeRADIUS, that all you did was 
update OpenSSL to the latest version. To be affected by any change to the 
certificate Makefiles etc. you would have had to update/play with FreeRADIUS 
too, which you stated you didn't do.

alan


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske

On 23.01.2013, 21:03, Alan DeKok <al...@deployingradius.com> wrote:

Stephan Manske wrote:



Unless the makefile in certs is provided by openssl, but I think this is
freeradius stuff, or?



  It works for *everyone* else.  If you didn't use the Makefiles to
create the certs, then don't blame FreeRADIUS.  If you did use them,


I do not blame anybody.

I have a problem using the Makefile. I am only a little user and I tried  
to figure out what the problem is. And I found a patch  
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile

that causes this trouble for me, so I report it. No blame, no offense.


  FreeRADIUS doesn't implement SSL.  OpenSSL does.  FreeRADIUS doesn't
parse certs.  OpenSSL does.

  Is that clear enough?


tell me, if I am wrong: (again, no offense! I do not have the deep look  
into this stuff, I can only ask questions at my level of understanding the  
code)


the actual Makefile has:

ca.key ca.pem: ca.cnf index.txt serial

this makes ca.key dependent on the date of index.txt and serial.

Right?

Both files are updated every time a new client cert is built.

Right?

So, make thinks ca.key is outdated and should be renewed. (Before the  
patch, the Makefile did not care about index.txt and serial.)


Right?

If yes, please read my posting from 19:53:53 benevolently.

Thanks,
Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread John Dennis

On 01/23/2013 01:53 PM, Stephan Manske wrote:


IMHO this patch
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile

with

+ca.key ca.pem: ca.cnf index.txt serial

makes ca.key dependent on the date of index.txt and serial

Both files are updated every time a new client cert is built. IMHO.


Good catch! Yes, every time you generate a client cert both the database 
(index.txt) and the serial number file are updated. The database file 
keeps a record of every cert issued by the CA. The serial file is used 
so the CA knows the next serial number to use.


The cert generation only works once, the next client cert issue causes a 
new CA key/cert to be generated.


But there is another problem as well. The client.cnf file embeds the 
cert subject name. Apparently the openssl ca command will not update the 
database if there already is a cert with the same subject, which there 
will be unless you edit the client.cnf file. This causes the ca command 
to fail. It doesn't matter if the cert with the duplicate subject has a 
different serial number.


As for why in different circumstances you've seen openssl emit the error 
about incomplete data, my best guess is the client files might have been 
corrupted when the ca command failed. If it were only a CA key change 
issue you should have just gotten a bad signature verification failure.


HTH,

John


--
John Dennis jden...@redhat.com



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske

On 23.01.2013, 21:13, Alan DeKok <al...@deployingradius.com> wrote:

Stephan Manske wrote:



I think I found the issue:

...

makes ca.key dependent on the date of index.txt and serial

Both files are updated every time a new client cert is built. IMHO.


  OK.  That's a better explanation than FreeRADIUS is wrong.

  There's a fix on github, which will be in 2.2.1.


ca.key ca.pem: ca.cnf
	@[ -f index.txt ] || $(MAKE) index.txt
	@[ -f serial ] || $(MAKE) serial
	openssl req -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf

I am only a make noob, but is there a reason not to use  
order-only-prerequisites?


Occasionally, however, you have a situation where you want to impose a  
specific ordering on the rules to be invoked without forcing the target to  
be updated if one of those rules is executed. In that case, you want to  
define order-only prerequisites. Order-only prerequisites can be specified  
by placing a pipe symbol (|) in the prerequisites list: any prerequisites  
to the left of the pipe symbol are normal; any prerequisites to the right  
are order-only:

 targets : normal-prerequisites | order-only-prerequisites

Does this work with specific make commands only? So you cannot use it in  
freeradius to be compatible?


Ciao, Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske

On 23.01.2013, 21:23, a.l.m.bu...@lboro.ac.uk wrote:


IMHO this patch
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile

with

+ca.key ca.pem: ca.cnf index.txt serial


You stated earlier that you didn't touch FreeRADIUS, that all you did  
was update OpenSSL to the latest version. To be affected by any  
change to the certificate Makefiles etc. you would have had to update/play  
with FreeRADIUS too, which you stated you didn't do.


Yes, I updated my FreeRADIUS installation to 2.2.0. But I did this  
_months_ ago. My fault for not thinking about an update from months ago. Really  
sorry.


So, it was a coincidence: all worked fine, then I updated openssl, made a  
new client certificate to test it (unfortunately the first time for  
months) and from then on my older certificates gave me ssl errors. So it  
looked to me as if there was a relation to this ssl update.


Ciao, Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Alan DeKok
Stephan Manske wrote:
 Does this work with specific make commands only? So you cannot use it in
 freeradius to be compatible?

  It only works with GNU Make.  Version 3 has a new build system, which
requires GNU Make.  It could be done there.

  Alan DeKok.


suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Stephan Manske

Hello!

I have a huge problem with freeradius 2.2.0 on my eisfair server  
(www.eisfair.org) and users using certificates to authenticate.


First of all: this should not be a "how must I config my freeradius to  
work?" problem. This installation with these certificates and this  
config worked very well for over 8 months. And suddenly I got the problem.


Every client with user/pass works still fine.

The problem is about the users with certificates (windows xp and android).

the certificates are not outdated:

list of active certificates:
V 13-01-28 13:16:17 Z   01  unknown
  /C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/CN=Manske  
Radius/emailAddress=xxx

(the server certificate)

V 14-02-17 13:16:54 Z   02  unknown
  /C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/CN=User  
Name/emailAddress=xxx

(one of the problematic user certificates)


I tried it with check_crl = yes and no



changes before the problem occurred: I updated the openssl packages from

Internal Program Version: OpenSSL  1.0.0j
also included the old version 0.9.7m
also included the old version 0.9.8x

to

Internal Program Version: OpenSSL  1.0.1c

also included the old version 0.9.8x



But I did this over three days before the errors occurred. In the meantime  
freeradius worked well.



So, here is a shortened output of radiusd -X (I hope I did not cut out  
important things - btw, are there parts of such a debug output I should  
keep secret?)



Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2,  
length=141

User-Name = User Name
NAS-IP-Address = 192.168.x.x

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = User Name, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files] expand: Hello, %{User-Name} - Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.   
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled

[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = Hello, User Name
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00xx
State = 0x7d1f9f227c1d92c8e39x
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2,  
length=227



[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files] expand: Hello, %{User-Name} - Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls]  TLS 1.0 Handshake [length 0048], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls]  TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls]  TLS 1.0 Handshake [length 08bb], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls]  TLS 1.0 Handshake [length 00b8], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client  
certificate A

In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls]  TLS 1.0 Handshake [length 0048], ClientHello
[tls] TLS_accept

Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Alan DeKok
Stephan Manske wrote:
 first of all: this should not be a "how must I config my freeradius to
 work?" problem. This installation with these certificates and this
 config worked for over 8 months very well. And suddenly I got the problem.

  OK.

 changes before the problem occurs: I updated openssl-packages from
 
 Internal Program Version: OpenSSL  1.0.0j
 also included the old version 0.9.7m
 also included the old version 0.9.8x
 
 to
 
 Internal Program Version: OpenSSL  1.0.1c

  That might be the issue.  It's hard to say.  SSL is magic.

 But I did this over three days before the errors occurred. In the
 meantime freeradius worked well.

  Maybe there's one client which *didn't* get login until after 3 days.

 So, here is a shortened output of radiusd -X (I hope I do not shorten
 important things - btw, are there parts of such a debug output I should
 keep secret?)

  Passwords, shared secrets.

 [tls] -- verify return:1
 -- verify error:num=7:certificate signature failure
 [tls]  TLS 1.0 Alert [length 0002], fatal decrypt_error
 TLS Alert write:fatal:decrypt error
 TLS_accept: error in SSLv3 read client certificate B
 rlm_eap: SSL error error:04067084:rsa
 routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus

  That's an SSL error.  It looks like the certificate being presented is
wrong, or the client has made a mistake in SSL.

  I would suggest manually verifying the certificates using the
openssl command-line tool.  It may be that the signatures are broken.
 And the OpenSSL upgrade added code which checked for that, where the
older version of OpenSSL didn't check.

  For SSL issues, we're completely at the mercy of OpenSSL.  If it says
bad certificate, then no amount of poking FreeRADIUS will make it
work.  You've just got to create good certificates.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Stephan Manske

On 22.01.2013 at 22:19, Alan DeKok al...@deployingradius.com wrote:

Stephan Manske wrote:



to

Internal Program Version: OpenSSL  1.0.1c


  That might be the issue.  It's hard to say.  SSL is magic.


But I did this over three days before the errors occurred. In the
meantime freeradius worked well.


  Maybe there's one client which *didn't* get login until after 3 days.


Regrettably no. All my certificate clients are affected. And there is at  
least one, namely my Android, which connects every day. And this one had  
no problems for 3 days after the update, and now it has the problem.



So, here is a shortened output of radiusd -X (I hope I do not shorten
important things - btw, are there parts of such a debug output I should
keep secret?)


  Passwords, shared secrets.


What about all this stuff:

EAP-Message = 0x010304000dc009b3160301003102
State = 0x7d1f9f227f1c92c8e3xx

and so on?




[tls] -- verify return:1
-- verify error:num=7:certificate signature failure
[tls]  TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:04067084:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus


  That's an SSL error.  It looks like the certificate being presented is
wrong, or the client has made a mistake in SSL.


Am I right to assume that this certificate B is the CA certificate?

The certificate A has no problems (in the majority of cases I found via  
google cert A was the problem).



  I would suggest manually verifying the certificates using the
openssl command-line tool.  It may be that the signatures are broken.


Any hint where I can find more to read about what I should test? Which  
parameters do I have to use with the openssl command?



 And the OpenSSL upgrade added code which checked for that, where the
older version of OpenSSL didn't check.



  For SSL issues, we're completely at the mercy of OpenSSL.  If it says
bad certificate, then no amount of poking FreeRADIUS will make it
work.  You've just got to create good certificates.


And there is no way to tell freeradius to tell openssl to give more debug  
information at this moment?


Ciao, Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Stephan Manske

On 22.01.2013 at 23:44, Alan DeKok al...@deployingradius.com wrote:

Stephan Manske wrote:



Any hint where I can find more to read about what I should test? Which
parameters do I have to use with the openssl command?


  See raddb/certs/Makefile, it's all there.


OK, and I will try  my luck at Openssl community.


And there is no way to tell freeradius to tell openssl to give more
debug information at this moment?


  That *is* all of the information OpenSSL can provide.


:-(


Thanks,
Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Alan DeKok
Stephan Manske wrote:
 Regrettably no. All my certificate clients are affected. And there is at
 least one, namely my Android, which connects every day. And this one had
 no problems for 3 days after the update, and now it has the problem.

  Well, it's not a FreeRADIUS issue.  The error is in the SSL code, or
in the certificates.

 What about all this stuff:
 
 EAP-Message = 0x010304000dc009b3160301003102
 State = 0x7d1f9f227f1c92c8e3xx
 
 and so on?

  There's nothing secret in that.

 Am I right when I suggest this certificate B is the CA certificate?

  I'm not really sure... the OpenSSL messages are vague.

 The certificate A has no problems (in the majority of cases I found via
 google cert A was the problem).
 
   I would suggest manually verifying the certificates using the
 openssl command-line tool.  It may be that the signatures are broken.
 
 Any hint where I can find more to read about what I should test? Which
 parameters do I have to use with the openssl command?

  See raddb/certs/Makefile, it's all there.

 And there is no way to tell freeradius to tell openssl to give more
 debug information at this moment?

  That *is* all of the information OpenSSL can provide.

  Alan DeKok.


distinguish between revoked and expired certificates

2012-09-07 Thread Wegener, Norbert
Is it possible to distinguish between expired and revoked certificates and 
assign a special vlan in the first case while rejecting the user in the second 
one?
As in both cases the certificate is invalid, I suppose the answer is no.

Probably the best way would be to organize the renewal of certificates 
appropriately.


With best regards,


Norbert Wegener


Re: distinguish between revoked and expired certificates

2012-09-07 Thread Phil Mayers

On 09/07/2012 10:05 AM, Wegener, Norbert wrote:

Is it possible to distinguish between expired and revoked certificates
and assign a special vlan in the first case while rejecting the user in
the second one?
As in both cases the certificate is invalid, I suppose the answer is no.


If it's even possible, I think this might need changes to the verify 
callback in the source code, as well as various SSL options setting.


However, you might have a look at the code in HEAD that was added to 
send the TLS cert details to a virtual server for authorisation; if you 
were going to do it anywhere, that would be the place to do it.



Re: distinguish between revoked and expired certificates

2012-09-07 Thread Alan DeKok
Wegener, Norbert wrote:
 Is it possible to distinguish between expired and revoked certificates
 and assign a special vlan in the first case while rejecting the user in
 the second one?
 As in both cases the certificate is invalid, I suppose the answer is no.

  Both will cause Access-Reject. :)

 Probably the best way would be to organize the renewal of
 certificates appropriately.

  Yes.  And that can be hard.

  Alan DeKok.
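
An added example, not from this thread and not FreeRADIUS code, of the manual openssl checks Alan suggests for the signature-failure case above, and of the expired-versus-revoked distinction Norbert asks about. It builds a throwaway CA and client certificate (constructed test data; the file names are assumptions, not raddb/certs defaults), verifies the client certificate against the CA file the way OpenSSL does for rlm_eap_tls, then damages the signature to reproduce verify error 7 ("certificate signature failure", the error in Stephan's log) and re-runs the check at a later time to get error 10 ("certificate has expired"). Two facts behind it: the "A"/"B" in "SSLv3 read client certificate B" are OpenSSL handshake substate names, not labels for particular certificates; and "data too large for modulus" is OpenSSL refusing an RSA signature value that is not smaller than the modulus of the key it is checked against, which is what appears when a certificate is checked against the wrong issuer key or its signature bytes are damaged.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeRADIUS code: the manual
# openssl checks behind "certificate signature failure" (verify error 7)
# and "certificate has expired" (verify error 10). All input is constructed
# test data; file names are assumptions, not raddb/certs defaults.

# Build a throwaway CA and a client certificate signed by it inside $1.
make_test_certs() {
    dir=$1
    # Minimal OpenSSL config so "req" does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' \
        > "$dir/req.cnf"
    openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=test-client" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.pem" 2>/dev/null
}

# The chain check OpenSSL performs for rlm_eap_tls, run by hand: verify $2
# against the CA file $1. Prints OpenSSL's verdict (which names the failing
# depth and error number) and returns 0 only on "<cert>: OK". Further
# arguments, e.g. -attime or -crl_check -CRLfile, are passed to verify.
verify_cert() {
    ca=$1; cert=$2; shift 2
    out=$(openssl verify -CAfile "$ca" "$@" "$cert" 2>&1 || true)
    printf '%s\n' "$out"
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Write a copy of $1 to $2 whose last DER byte (the tail of the signature
# BIT STRING) is changed, so the issuer key no longer verifies the signature:
# the "certificate signature failure" seen in the thread.
corrupt_signature() {
    in=$1; out=$2
    openssl x509 -in "$in" -outform DER -out "$out.orig" 2>/dev/null
    cp "$out.orig" "$out.der"
    size=$(wc -c < "$out.der")
    printf '\000' | dd of="$out.der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    if cmp -s "$out.der" "$out.orig"; then    # last byte was already 0x00
        printf '\377' | dd of="$out.der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    fi
    openssl x509 -inform DER -in "$out.der" -out "$out" 2>/dev/null
}

# The same check evaluated at UNIX time $3: past notAfter this is error 10,
# "certificate has expired". A revoked certificate, checked with
# -crl_check -CRLfile, is error 23 instead, so OpenSSL does tell the two apart.
verify_cert_at() {
    verify_cert "$1" "$2" -attime "$3"
}

# Demo: sh check_certs.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_certs "$work"
    verify_cert "$work/ca.pem" "$work/client.pem"
    corrupt_signature "$work/client.pem" "$work/bad.pem"
    verify_cert "$work/ca.pem" "$work/bad.pem"
    verify_cert_at "$work/ca.pem" "$work/client.pem" $(( $(date +%s) + 30 * 86400 ))
    rm -rf "$work"
fi
```

On a real installation, point verify_cert at the CA_file named in eap.conf and at the client certificate (or at the server.pem the server sends) and the verdict names the depth and error number, which is more than the "SSLv3 read client certificate" line gives. The error numbers are OpenSSL's; as Alan says, the server itself answers expired and revoked alike with Access-Reject.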


How to Disable on Iphone and MAC OSX Clients use of Certificates

2012-07-09 Thread Nedi
Hi,
I use the FreeRADIUS server feature on a Buffalo router and all works well with 
certificates, but sometimes after a router reboot some clients can't log in to 
the network if the certificate is used.
If I disable the certificate check on Windows I can log in without the certificate, 
but on a new MacBook and iPhone I can't disable the certificate check.

Has anyone an idea what I can do? And is it dangerous to communicate in a WLAN 
without the certificate check activated?

Can a WLAN without use of certificates easily be hacked?

Best Regards 
Nedi


Re: How to Disable on Iphone and MAC OSX Clients use of Certificates

2012-07-09 Thread Patrick Machauer
Hello,


Nedi n...@gmx.ch wrote on 9 July 2012 at 13:24:


  Hi,
  I use the FreeRADIUS server feature on a Buffalo router and all works
 well with certificates, but sometimes after a router reboot some
  clients can't log in to the network if the certificate is used.
  If I disable the certificate check on Windows I can log in without
 the certificate, but on a new MacBook and iPhone I can't disable the
  certificate check.
 
  Has anyone an idea what I can do? And is it dangerous to communicate
 in a WLAN without the certificate check activated?
 
 

That's a bad idea, anyone can set up a rogue AP with your WLAN SSID in
your network and collect the authentication trials
of the users. Server certificate is a MUST! Don't disable the checks.
Don't talk to strangers.


 
  Can the Wlan without use of Certificate easy be hacked?
 

Yes.


 
  Best Regards
  Nedi
  -
 
It seems strange to me that a router reboot causes the
FreeRADIUS server cert to fail. Debug output?


Patrick Machauer


Re: Blackberry disabled server certificates query

2012-04-03 Thread DaveA
Apologies for reviving an old thread, but we have a response from RIM
regarding this issue.

The problem is with the version of OpenSSL on phone models 9360, 9380, and
9790.

For full details, see: http://blackberry.com/btsc/kb29914 

The workaround reads: "Turn off secure renegotiation on the RADIUS server".

Regards,
Dave



Creating Certificates for EAP

2012-03-14 Thread suggestme
Hi,

I am trying to create certificates in Freeradius going inside
/usr/local/etc/raddb/certs. I need these certificates for EAP-TTLS
authentication for wireless access points. As suggested in
deployingradius.com and README inside /usr/local/etc/raddb/certs; I tried to
create Test Certificates for testing purpose at first. I tried the command
make inside /usr/local/etc/raddb/certs, but it doesn't do anything, i.e.
doesn't show any certificates building. Also I tried ./bootstrap going
inside the same certs directory; it also doesn't do anything. I don't see
any certificates like root CA that has been built after I run make or
./bootstrap command inside certs directory. I have already installed
openssl in my machine with freebsd in which freeradius server is
installed. Is there anything I am missing? Your suggestions would be
greatly appreciated.


Thanks



Re: Creating Certificates for EAP

2012-03-14 Thread Alan DeKok
suggestme wrote:
 Also I tried ./bootstrap going
 inside the same certs directory; it also doesn't do anything.

  Running a shell script doesn't work?  It doesn't generate errors?

  Your OS is completely broken.

  Or, *something* happened, and you ignored it.

  Alan DeKok.


Re: Creating Certificates for EAP

2012-03-14 Thread Prateek Kumar
Hi,

Normally your bootstrap script runs the make command first; if make is not
supported then it runs the script.

The script creates
1. random, 01.pem, ca.pem, server.pem & other files in different formats.

If your openssl command is not working properly or you have some .cnf file
missing in the directory then the script will exit with status 1.

First try openssl dhparam -out dh 1024 and see if the dh file is created
or not, to check that you have openssl installed correctly.

Regards,
Prateek

When you run you boots
On Wed, Mar 14, 2012 at 6:49 PM, suggestme suggest...@hotmail.com wrote:

 Hi,

 I am trying to create certificates in Freeradius going inside
 /usr/local/etc/raddb/certs. I need these certificates for EAP-TTLS
 authentication for wireless access points. As suggested in
 deployingradius.com and README inside /usr/local/etc/raddb/certs; I tried
 to
 create Test Certificates for testing purpose at first. I tried the
 command
 make inside /usr/local/etc/raddb/certs, but it doesn't do anything, i.e.
 doesn't show any certificates building. Also I tried ./bootstrap going
 inside the same certs directory; it also doesn't do anything. I don't see
 any certificates like root CA that has been built after I run make or
 ./bootstrap command inside certs directory. I have already installed
 openssl in my machine with freebsd in which freeradius server is
 installed. Is there anything I am missing? Your suggestions would be
 greatly appreciated.


 Thanks


Re: Creating Certificates for EAP

2012-03-14 Thread suggestme
I tried: openssl dhparam -out dh 1024 as you suggested and dh file is created
as below:

#openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...+...++...+...+...+.+++...+..+..+.+.++*++*++*

Inside Dh file I can see:

-----BEGIN DH PARAMETERS-----
MIGHAoGBAKUwai2pBXG3jEBbBRk08wDTE+l0m6USXQcq5AF1FMM/3RxFOZvfgotu
qEqQJAYvUawmG2JScnPqPNeP2kHOCPyGrtCgAeXXKu0kbN8liniRLWpvUoy9LlJE
XMr0RyuNUJFUvnBdGL8Hup5X7pqIezIKTpvrgGmnNze+tytw8ZkjAgEC
-----END DH PARAMETERS-----

*Does this mean my OpenSSL is ok?*

I have used make install to install ports in FreeBSD and this command
works and everything is working well till now. I have already configured
FreeRADIUS for the users in Active Directory; everything is working perfectly
for other authentication methods. Should I try the make install command
instead of make or ./bootstrap inside the /usr/local/etc/raddb/certs
directory?
 

Thanks





Certificates not working

2012-03-14 Thread Scott McLane Gardner
Okay, I followed the instructions in the certs README, created the CSR and
got a certificate from GeoTrust. When I install it and try to start the
server, I get the following error messages:

rlm_eap: SSL error error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls: Error reading private key file
/etc/freeradius/certs/server.key
rlm_eap: Failed to initialize type tls



I checked the permissions of the server.key file and it is the same as all
the other stuff in that directory. Can anyone tell me what this error
means?



Re: Certificates not working

2012-03-14 Thread Scott McLane Gardner
Just to get the server running, I tried moving all the things out of that
directory, then doing the ./bootstrap thing and it still gives that error
when trying to start the server.

-Scott

On 3/14/12 3:44 PM, Scott McLane Gardner sgar...@uark.edu wrote:

Okay, I followed the instructions in the certs README, created the CSR and
got a certificate from GeoTrust. When I install it and try to start the
server, I get the following error messages:

rlm_eap: SSL error error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls: Error reading private key file
/etc/freeradius/certs/server.key
rlm_eap: Failed to initialize type tls



I checked the permissions of the server.key file and it is the same as all
the other stuff in that directory. Can anyone tell me what this error
means?




Re: Certificates not working

2012-03-14 Thread Alan DeKok
Scott McLane Gardner wrote:
 Okay, I followed the instructions in the certs README, created the CSR and
 got a certificate from GeoTrust. When I install it and try to start the
 server, I get the following error messages:
 
 rlm_eap: SSL error error:06065064:digital envelope
 routines:EVP_DecryptFinal_ex:bad decrypt
 rlm_eap_tls: Error reading private key file

  The password to the key file is wrong.

  Alan DeKok.


Re: Certificates not working

2012-03-14 Thread Scott McLane Gardner
 

On 3/14/12 4:05 PM, Alan DeKok al...@deployingradius.com wrote:

Scott McLane Gardner wrote:
 Okay, I followed the instructions in the certs README, created the CSR
and
 got a certificate from GeoTrust. When I install it and try to start the
 server, I get the following error messages:
 
 rlm_eap: SSL error error:06065064:digital envelope
 routines:EVP_DecryptFinal_ex:bad decrypt
 rlm_eap_tls: Error reading private key file

  The password to the key file is wrong.

  Alan DeKok.

Doesn't it just use server.cnf to set the password for the key and the CSR?



Re: Certificates not working

2012-03-14 Thread Alan DeKok
Scott McLane Gardner wrote:
 Doesn't it just use server.cnf to set the password for the key and the CSR?

  To *make* the certificates, yes.

  For EAP, you need to configure the passwords in eap.conf.  This is
documented.

  server.cnf is an OpenSSL configuration file.

  FreeRADIUS doesn't read OpenSSL configuration files.

  Alan DeKok.


Re: Certificates not working

2012-03-14 Thread Alan Buxey
Hi,

 Doesn't it just use server.cnf to set the password for the key and the CSR?

server.cnf is for openSSL - applications such as FreeRADIUS
and Apache have their own configuration files for private certificate
keys etc - eap.conf  in your case


alan


Re: Certificates not working

2012-03-14 Thread Scott McLane Gardner
 
  FreeRADIUS doesn't read OpenSSL configuration files.
 
  Alan DeKok.

Gosh, I feel like a dummy. Thanks.

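
An added example, not from this thread and not FreeRADIUS code, that reproduces the "bad decrypt" failure Scott hit and checks a candidate password against the encrypted server key before it goes into eap.conf. The key is constructed test data; "whatever" is only the default password that raddb/certs/server.cnf gives the generated server key. The second function catches the other common start-up failure of the same kind, a certificate_file that does not belong to private_key_file.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeRADIUS code: check a candidate
# password against the encrypted server key before it goes into eap.conf,
# and reproduce the "bad decrypt" failure. The key is constructed test data;
# "whatever" is only the default password raddb/certs/server.cnf gives the
# generated server key.

# Generate a 2048-bit RSA key at $1, PEM-encrypted with AES-256 under password $2.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# The PEM decrypt rlm_eap_tls performs when it loads private_key_file with
# private_key_password, done by hand. Returns 0 when $2 opens $1; otherwise
# prints OpenSSL's error text (EVP_DecryptFinal_ex:bad decrypt on the 1.0.x
# the thread uses) and returns 1.
check_key_password() {
    key=$1; pw=$2
    if err=$(openssl rsa -in "$key" -passin "pass:$pw" -noout 2>&1); then
        return 0
    fi
    printf '%s\n' "$err"
    return 1
}

# Does the certificate's public key belong to this private key? Both
# "Modulus=..." lines must be identical; a mismatched pair also stops the
# tls module from initialising, just as a wrong password does.
cert_matches_key() {
    cert=$1; key=$2; pw=$3
    certmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    keymod=$(openssl rsa -in "$key" -passin "pass:$pw" -noout -modulus 2>/dev/null)
    [ -n "$certmod" ] && [ "$certmod" = "$keymod" ]
}

# Demo: sh check_key.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_encrypted_key "$work/server.key" whatever
    check_key_password "$work/server.key" whatever && echo "password accepted"
    check_key_password "$work/server.key" guess || echo "password rejected"
    rm -rf "$work"
fi
```

A password that passes check_key_password is the value for private_key_password in the tls {} section of eap.conf, next to private_key_file and certificate_file; server.cnf only told OpenSSL what to encrypt the key with when bootstrap generated it, which is the distinction Alan and Alan Buxey draw above.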


Re: Creating Certificates for EAP

2012-03-14 Thread Prateek Kumar
Check if you have server.cnf, ca.cnf and client.cnf in the certs directory. If
yes, run bootstrap; to make a client cert run make client.


On Wed, Mar 14, 2012 at 8:09 PM, suggestme suggest...@hotmail.com wrote:

 I tried: openssl dhparam -out dh 1024 as you suggested and dh file is
 created
 as below:

 #openssl dhparam -out dh 1024
 Generating DH parameters, 1024 bit long safe prime, generator 2
 This is going to take a long time

 ...+...++...+...+...+.+++...+..+..+.+.++*++*++*

 Inside Dh file I can see:

 -----BEGIN DH PARAMETERS-----
 MIGHAoGBAKUwai2pBXG3jEBbBRk08wDTE+l0m6USXQcq5AF1FMM/3RxFOZvfgotu
 qEqQJAYvUawmG2JScnPqPNeP2kHOCPyGrtCgAeXXKu0kbN8liniRLWpvUoy9LlJE
 XMr0RyuNUJFUvnBdGL8Hup5X7pqIezIKTpvrgGmnNze+tytw8ZkjAgEC
 -----END DH PARAMETERS-----

 *Does this mean my OpenSSL is ok?*

 I have used make install to install ports in FreeBSD and this command
 works and everything is working well till now. I have already configured
 FreeRADIUS for the users in Active Directory; everything is working perfectly
 for other authentication methods. Should I try the make install command
 instead of make or ./bootstrap inside the /usr/local/etc/raddb/certs
 directory?


 Thanks




Re: Blackberry disabled server certificates query

2012-02-01 Thread Alan Buxey
hi,

Just to revisit this recent thread. I was at a site that was implementing
802.1X authentication and they noted the Blackberry issue - some devices
okay, others not... The FreeRADIUS server was configured to have the WHOLE
CA chain of certs (root, intermediate, server signer and server cert) in
the certificate_file entry in eap.conf and all of the Blackberries tested
(OS4 and OS5 etc.) then worked with 'check certificate' enabled. The devices
had the root CA on them but if the other certs weren't delivered from the
server then the devices didn't want to authenticate - likely to be how
the chain is handled by the device - especially as they were very fussy about
what was in the CA store. 

alan


Re: Distributing Certificates

2012-01-20 Thread Mark Holmes
Your problem is going to be distributing the server cert to the clients NOT 
distributing client

Maybe I've missed something here, but why will he need to distribute a cert to 
clients?

If the certificate you use on your RADIUS server is signed by a known CA, the 
client should already have the relevant root certificate and so will trust the 
certificate presented by the server.

This is assuming he is using certificates for confirming identity of the 
server, not for EAP-TLS etc.

Cheers,

Mark



On 6 Jan 2012, at 21:43, Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote:

 It may be a misunderstanding on my part but I believe any encrypted protocol 
 would need a cert of some sort.  PEAP is an encrypted tunnel thus you will 
 need a cert.  FR will generate its own certs for testing but for production 
 you should generate your own.  We are making the move to 802.1x in the next 
 few months and will be using a self-signed cert on the FR server and 
 deploying it to the users' machines via a third party tool from a company 
 called cloud path.

 Suffice it to say that windows Vista and beyond MUST have the server cert 
 installed or be configured to ignore server certs before you can use any 
 encrypted protocol (such as, PEAP).  It WILL NOT work out-of-the-box!  XP 
 would show you a dialogue box with a warning but that functionality is gone 
 in Vista and 7.

 MAC OS and Linux will still allow you to download the cert and install it on 
 first use, windows will not.

 Your problem is going to be distributing the server cert to the clients NOT 
 distributing client certs (unless you are using EAP/TLS or the like), as 
 mentioned before AD makes this easy via GPO / login scripts.  However if you 
 clients are not part of your domain then you have very few choices.

 1) Roll your own program to install the cert for them
 2) Buy a solution to install the cert (like cloud path)
 3) issue instructions to the clients and have them install the certs manually
 4) go around and install all the certs your self

 There are pros and cons for each.  BTW for security reasons you should use a 
 self-signed cert, that being the case you can make the cert valid for 99 
 years, then revoke it when you have time to redistribute them ; )

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 900 College St.
 Belton, Texas
 76513
 Fone: 254-295-4658
 Phax: 254-295-4221


 -Original Message-
 From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
 [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] 
 On Behalf Of McSparin, Joe
 Sent: Friday, January 06, 2012 3:07 PM
 To: FreeRadius users mailing list
 Subject: RE: Distributing Certificates

 I don't have any particular desire to use certificates thus far in testing 
 mode have been using PEAP and just ignoring the warning that tells me there 
 is a certificate on the server that doesn't match.  I assumed in deployment I 
 would have to install certificates so the users wouldn't be confused when 
 they saw that message.  I thought that FreeRadius had to have certificates 
 set up even if they were just example ones.  Radiusd -X runs bootstrap which 
 creates example certificates automatically.  This led me to believe that 
 certificates were somehow integral to 802.1x.  Is that not the case?  If so 
 how can you take certificates completely out of the equation?


 Joseph R. McSparin
 Network Administrator
 Hill Country Memorial Hospital
 830 990 6638 phone
 830 990 6623 fax
 jmcspa...@hillcountrymemorial.org

 -Original Message-
 From: 
 freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org
  
 [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
  On Behalf Of David Mitton
 Sent: Friday, January 06, 2012 12:44 PM
 To: freeradius-users@lists.freeradius.org
 Subject: RE: Distributing Certificates

 You can do such things as suggested... but you haven't articulated what your 
 goal is and what you will be using the certificates for?
 802.1X doesn't require certificates... but you may want to use them 
 depending on what you are trying to do.

 Dave.


 Quoting Danner, Mearl jmdan...@samford.edu:

 If you are using AD and have a CA set up you can create
 autoenrollment gpo's for domain attached machines. You can issue
 either user or computer certs. Can also configure the Windows
 wireless supplicant via gpo.

 Mearl

 From:
 freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
 [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
 On Behalf Of McSparin, Joe
 Sent: Friday, January 06, 2012 10:18 AM
 To: FreeRadius users mailing list
 Subject: Distributing Certificates

 Now that I have my Radius server configured I need to begin
 implementation I have 600 computers that will be using it.  The
 question I am wondering is do I have to go around and install a
 certificate on every

Blackberry disabled server certificates query

2012-01-20 Thread lmgo5991
Hi 

We are testing various devices with our new eduroam wireless and so far so
good.  However, an issue cropped up with Blackberrys where during the setup,
if you leave the box "disable server certificate validation" unchecked then
the Blackberry connects fine; if you uncheck it, the connection fails with
"failed to connect".  I have checked other institutions and they have conflicting
guides: some say leave it checked, others say uncheck.  

Can anyone advise the status - to check or uncheck?

Thanks 



Re: Distributing Certificates

2012-01-20 Thread Phil Mayers

On 01/20/2012 08:16 AM, Mark Holmes wrote:

Your problem is going to be distributing the server cert to
the clients NOT distributing client


Maybe I've missed something here, but why will he need to distribute
a cert to clients?


If you're using a private CA for signing the radius server certs, which 
is generally cited as best practice because it provides belt & braces; 
in the event a client does not learn & subsequently re-check the cert 
CN, a public CA would allow an attacker to impersonate your SSID. A 
private CA does not.


Some people (us included) choose to use a public CA and accept the risk, 
in return for significantly easier deployment.



RE: Blackberry disabled server certificates query

2012-01-20 Thread Garber, Neal
 if you leave the box unchecked disable server certificate validation
 then the blackberry connects fine if you uncheck connection fails 
 failed to connect. 

You wrote, ...if you leave it unchecked... (it)... connects fine if you 
uncheck (it the) connection fails???

Did you mean to say if you leave it *checked* it connects fine??  If so, 
checking the box is telling your Blackberry NOT to validate the RADIUS server's 
certificate.  If you don't validate the certificate, there's a risk that you 
could be passing your credentials to an untrusted RADIUS server (if someone 
impersonates your wireless network name).  

Best practice, for RADIUS, is to use a cert generated from a private CA that 
you control, or at least trust.  In this case, you would need to configure your 
Blackberrys to validate that the certificate is signed by the CA you expect 
(which means they would need the CA's cert installed - I assume this is 
possible with Blackberrys, but I don't own one and I don't know how difficult 
it is to distribute a cert to the Blackberrys or how many you have).

You need to decide whether to accept the risk or not.



Re: Blackberry disabled server certificates query

2012-01-20 Thread Alan DeKok
lmgo5991 wrote:
 We are testing various devices with our new eduroam wireless and so far so
 good.  However, an issue cropped up with blackberrys where during the setup,
 if you leave the box unchecked disable server certificate validation then
 the blackberry connects fine if you uncheck connection fails failed to
 connect.  I have checked other institutions and they have conflicting
 guides some say leave it checked others say uncheck.  
 
 Can anyone advise the status - to check or uncheck?

  It should always validate the server certificate.

  The reason it's failing is probably because you didn't put the correct
certificate on the blackberry.  You need to do that.  See my EAP guide:

http://deployingradius.com

  Alan DeKok.


RE: Blackberry disabled server certificates query

2012-01-20 Thread Palmer J.D.F.
We have endless amounts of trouble connecting Blackberrys, they are
hateful things.
Some devices will use the certificate, some won't connect unless cert
validation is disabled.  Some don't have the option to disable cert
checking, and some won't connect at all.
For an essentially single vendor device they have the most varied and
random configuration idiosyncrasies between devices, even of the same
model. Due to this variance we no longer try to offer online support for
them, users are asked to bring them in to be looked at (and hacked at)
to connect them.

But yes, if possible you want to be enforcing cert validation, but in
practice it's not always possible.



RE: Blackberry disabled server certificates query

2012-01-20 Thread Bruce Nunn
One of the annoying features of Blackberry devices is that the descriptions of 
the same CA certificate varies from device to device. Some devices, like my 
Storm2, seem to validate the CA even when that checkbox is selected. Since 
there are lots of CAs installed on Blackberry phones, setting up EAP can take a 
while as you go through the several certs which match your CA.



Re: Distributing Certificates

2012-01-20 Thread Alan Buxey
Hi,

 If you're using a private CA for signing the radius server certs, which 
 is generally cited as best practice because it provides belt & braces; 
 in the event a client does not learn & subsequently re-check the cert 
 CN, a public CA would allow an attacker to impersonate your SSID. A 
 private CA does not.
 
 Some people (us included) choose to use a public CA and accept the risk, 
 in return for significantly easier deployment.


private CA

pros 

- under full control of organisation
- only the organisation can sign servers
- for 802.1X your clients only need to trust your server - closed loop. so why 
use public?

cons

- CA management - skillset, can someone do the same in X years?
- distribution of the CA to the client


Public CA

pros

- most clients have the CA already present
- no need to learn about CA/PKI to such a low level

cons

- under whims of the CA and their issues (recall the Dutch CAs now revoked and 
now invalid)
- under whims of the remote CA policy (changing from being a root to 
intermediate)
- anyone can buy a certificate from a CA
- distribution - some CAs aren't on clients.. so you need to distribute it anyway


personal opinion

CA distribution was always the issue for private CA - but most sites now go for 
using a deployment tool of some kind to get clients set up - and all of them 
can deal with installing a CA, so that's a problem gone.  the system is 
closed-loop, visitors never need to trust your RADIUS server cert... only your 
own folk do - so why use public in this space?


alan


Re: Distributing Certificates

2012-01-20 Thread Phil Mayers

On 01/20/2012 02:36 PM, Alan Buxey wrote:


CA distribution was always the issue for private CA - but most sites now go for 
using a deployment tool of some kind to get clients set up - and all of them 
can deal with installing a CA, so that's a problem gone.  the system is 
closed-loop, visitors never need to trust your RADIUS server cert... only your 
own folk do - so why use public in this space?


Couple of things to note:

Firstly, *if* you are using a public CA you should try very, very hard 
to ensure your clients are checking the cert CN. This somewhat 
alleviates the "anyone can buy a cert" risk.


Secondly, there's not much point in going for a super cheap public CA. 
You only need one cert, and don't need very esoteric options like EV or 
multiple subjectAltNames. This keeps the cost reasonably sane, and 
therefore you might as well shell out for a Verisign (or similar) one.


Doing that gives you a slightly better chance the CA will not hand out 
random crap to attackers, and *much* better probability the CA will be 
present on clients already.


You mention most sites use a deployment tool. I'd be interested to see 
numbers on that, but it's probably OT for the list.


As I've said previously - people thinking of using a public CA should be 
very sure they understand and accept the risks. I agree the safe default 
is to use a private CA.



Distributing Certificates

2012-01-06 Thread McSparin, Joe
Now that I have my Radius server configured I need to begin
implementation; I have 600 computers that will be using it.  The question
I am wondering is: do I have to go around and install a certificate on
every one of the computers and then maintain that every year, changing
out the certificate on 600 computers, or is there some way that the
server passes out certificates when the machine logs on?  Or do I have
an incorrect understanding of how to implement 802.1x security?

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org


-- 
This email message and any attachments are for the sole use of the intended 
recipient(s) and contain confidential and/or privileged information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message and any attachments.




RE: Distributing Certificates

2012-01-06 Thread Danner, Mearl
If you are using AD and have a CA set up you can create autoenrollment GPOs 
for domain attached machines. You can issue either user or computer certs. Can 
also configure the Windows wireless supplicant via GPO.

Mearl



RE: Distributing Certificates

2012-01-06 Thread David Mitton
You can do such things as suggested... but you haven't articulated  
what your goal is and what you will be using the certificates for?
802.1X doesn't require certificates... but you may want to use them  
depending on what you are trying to do.


Dave.




Re: Distributing Certificates

2012-01-06 Thread Francois Gaudreault
If your PCs are all Windows, and they are all members of an AD domain (or 
subdomains), use PEAP with machine auth (or machine+user auth).  It is 
much less painful than deploying 600 client certificates.


PEAP also works with Mac OS X and Linux boxes using user authentication.

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



RE: Distributing Certificates

2012-01-06 Thread McSparin, Joe
I don't have any particular desire to use certificates; thus far, in testing mode, 
I have been using PEAP and just ignoring the warning that tells me there is a 
certificate on the server that doesn't match.  I assumed in deployment I would 
have to install certificates so the users wouldn't be confused when they saw 
that message.  I thought that FreeRadius had to have certificates set up even 
if they were just example ones.  Radiusd -X runs bootstrap which creates 
example certificates automatically.  This led me to believe that certificates 
were somehow integral to 802.1x.  Is that not the case?  If so how can you take 
certificates completely out of the equation?


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org



Re: Distributing Certificates

2012-01-06 Thread Francois Gaudreault
I mean, if you refer to the "validate server certificate" option, you 
will need to have a CA installed on the RADIUS side (probably your 
domain CA), then generate a server certificate signed with the CA for 
RADIUS, but you only need to install the CA on the machines, not client 
certs.


That can be easily done using a GPO like others said.

Unless you want to do EAP-TLS, but that's another story.

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Distributing Certificates

2012-01-06 Thread Alan Buxey
Hi,
 I don't have any particular desire to use certificates; thus far, in testing 
 mode, I have been using PEAP and just ignoring the warning that tells me there 
 is a certificate on the server that doesn't match.  I assumed in deployment I 
 would have to install certificates so the users wouldn't be confused when 
 they saw that message.  I thought that FreeRadius had to have certificates 
 set up even if they were just example ones.  Radiusd -X runs bootstrap which 
 creates example certificates automatically.  This led me to believe that 
 certificates were somehow integral to 802.1x.  Is that not the case?  If so 
 how can you take certificates completely out of the equation?

2 ways of using certs.

1) using them for authentication (eg EAP-TLS)

2) using them to validate that the RADIUS server is the one you really want to 
be talking to


i guess you want the latter - in this case, you need to either have a RADIUS 
server signed by a CA that is present already in the OS (eg signed by one of the 
well known names) or you need to put the CA onto your client.

either way, the client really should be configured (in its 802.1X settings) to 
validate the RADIUS server 'name' (via the Common Name in the RADIUS server cert) 
and the CA.

there can be a whole advocacy thread about whether to go for self-signed cert 
and local CA or to go with known CAs - there's pros and cons in both ways... with 
your OWN CA you can decide the length of time the CA and cert are valid for... 
you control the CA and no one can pay to get a server signed by your CA - unless 
you've got major internal corruption issues ;-)  - but you've got to get it 
deployed.   if you choose a known CA... well, anyone can get a cert signed by a 
known CA if they pay the money... so you REALLY need to check the CN of the 
RADIUS server... you are also a slave to the CA and its reputation.. until 
recently that wasn't too bad but with the couple of Dutch CAs that have been 
removed from OSes.. that could have been quite awkward if they'd signed your 
server cert...

alan


RE: Distributing Certificates

2012-01-06 Thread Sallee, Stephen (Jake)
It may be a misunderstanding on my part but I believe any encrypted protocol 
would need a cert of some sort.  PEAP is an encrypted tunnel thus you will need 
a cert.  FR will generate its own certs for testing but for production you 
should generate your own.  We are making the move to 802.1x in the next few 
months and will be using a self-signed cert on the FR server and deploying it 
to the users' machines via a third party tool from a company called Cloudpath.


Suffice it to say that Windows Vista and beyond MUST have the server cert 
installed or be configured to ignore server certs before you can use any 
encrypted protocol (such as PEAP).  It WILL NOT work out-of-the-box!  XP would 
show you a dialogue box with a warning but that functionality is gone in Vista 
and 7.

Mac OS and Linux will still allow you to download the cert and install it on 
first use, Windows will not.

Your problem is going to be distributing the server cert to the clients NOT 
distributing client certs (unless you are using EAP/TLS or the like), as 
mentioned before AD makes this easy via GPO / login scripts.  However if your 
clients are not part of your domain then you have very few choices.

1) Roll your own program to install the cert for them
2) Buy a solution to install the cert (like Cloudpath)
3) issue instructions to the clients and have them install the certs manually
4) go around and install all the certs yourself

There are pros and cons for each.  BTW for security reasons you should use a 
self-signed cert, that being the case you can make the cert valid for 99 years, 
then revoke it when you have time to redistribute them ; )

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221



Not sending all trusted CA Certificates in EAP-TLS Server Hello

2012-01-04 Thread Daniel Finger
Hi!

We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is
working, but after seeing a tcpdump, the Radius Server is sending all known
CA Certificates to the Client during EAP TLS Negotiation.

Our Config looks like this:
private_key_file = ${certdir}/radius_server.key

  Containing the private Key of the Radius Server

certificate_file = ${certdir}/radius_server.crt
  This contains the radius certificate and the corresponding self-signed
  CA certificate.

CA_file = ${cadir}/trusted_ca.pem
  Contains different sub-CA certificates and the self-signed root
  certificate of the sub-CA used to issue client certs (!= server cert)

During EAP-TLS negotiation the Radius Server sends all known certificates
(the ones in the certificate_file and the one in the CA_file) to the client.

Is it possible to change the behaviour that only the certs in the
certificate_file are used?

This should be enough for the clients to verify the server certificate.

-- 
Regards
Daniel Finger





Re: Not sending all trusted CA Certificates in EAP-TLS Server Hello

2012-01-04 Thread Alan DeKok
Daniel Finger wrote:
 We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is
 working, but after seeing a tcpdump, the Radius Server is sending all known
 CA Certificates to the Client during EAP TLS Negotiation.

  That's largely how EAP-TLS works.

 CA_file = ${cadir}/trusted_ca.pem
   Contains different sub-CA certificates and the self-signed root
   certificate of the sub-CA used to issue client certs (!= server cert)
 
 During EAP-TLS negotiation the Radius Server sends all known certificates
 (the ones in the certificate_file and the one in the CA_file) to the client.
 
 Is it possible to change the behaviour that only the certs in the
 certificate_file are used?

  Use CA_path instead of CA_file.  That might help.

  Alan DeKok.


Re: Not sending all trusted CA Certificates in EAP-TLS Server Hello

2012-01-04 Thread Daniel Finger
Hi!

As far as I can see the Server does not send the full certificates, but only
announces the certificates the server knows. I did not read the RFC yet, but
I assume that this only informs the client which certificates can be
requested to verify the server certificate chain.

On 04.01.2012 15:09, Alan DeKok wrote:
 Is it possible to change the behaviour that only the certs in the
 certificate_file are used?
 
   Use CA_path instead of CA_file.  That might help.

It does indeed help. Thanks!

-- 
Regards
Daniel Finger



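The thread above hinges on a detail worth spelling out. What the server sends in the TLS CertificateRequest is the list of distinguished names of acceptable CAs, not the certificates themselves, which matches what Daniel observed. FreeRADIUS loads CA_file both as the OpenSSL verify store and as OpenSSL's client-CA list, so every subject in the bundle is advertised; CA_path is used only as a verify store, which is why switching to it shrinks the message. CA_path expects the hashed-filename directory layout that `openssl rehash`/c_rehash produce. The script below, an added example that is neither from the thread nor from the FreeRADIUS project, converts a CA_file-style bundle into that layout and checks that lookups still work; the two demo CAs and all paths are constructed for the demo and assume `openssl` is on PATH. One caveat for EAP-TLS deployments: a supplicant that picks its client certificate from the advertised CA list will now see an empty list, so test that clients still select the right certificate after the change.

```shell
#!/bin/sh
# Added example (not from the list thread): turn a CA_file-style PEM bundle into
# the hashed directory layout that OpenSSL's CApath lookup (FreeRADIUS CA_path)
# requires. Assumptions: openssl is on PATH; the demo CAs are constructed here.

# Build a bundle of two self-signed demo CAs at $1 (constructed test data).
make_demo_bundle() {
    out="$1"; tmp=$(mktemp -d)
    : > "$out"
    for name in "Demo Root CA" "Demo Issuing CA"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
            -subj "/CN=$name" >/dev/null 2>&1
        cat "$tmp/cert.pem" >> "$out"
    done
    rm -rf "$tmp"
}

# Split bundle $1 into directory $2, one cert per file named <subject_hash>.<n>,
# which is what `openssl rehash` / c_rehash produce and what CApath lookup expects.
build_ca_path() {
    bundle="$1"; dir="$2"
    mkdir -p "$dir"
    # one temporary file per BEGIN..END CERTIFICATE block
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/split." n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for f in "$dir"/split.*.pem; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done   # .0, .1 ... on hash collisions
        mv "$f" "$dir/$h.$i"
    done
}

# Number of hashed entries in a CA_path directory.
count_ca_path_entries() {
    ls "$1" | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$'
}

# Confirm a certificate is still found through the directory (what the server will do).
verify_via_ca_path() {   # $1 = CA_path directory, $2 = certificate to verify
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# End-to-end demo: builds the bundle, converts it, and prints the CA_path directory.
demo() {
    work=$(mktemp -d)
    make_demo_bundle "$work/trusted_ca.pem"
    build_ca_path "$work/trusted_ca.pem" "$work/certs.d"
    printf '%s\n' "$work/certs.d"
}
```

Run `demo` to see the layout; point `CA_path` at a directory built this way and re-check the handshake with a packet capture, as Daniel did, to confirm the CertificateRequest no longer lists every CA.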


Is it Possible to use FreeRadius without certificates

2011-12-26 Thread McSparin, Joe
I would like to just have freeRadius authenticate against my active
directory in windows using only the user name and password in Active
Directory for authentication.  Is this possible to do? I don't want to
have to mess with installing certificates on the user machines or the
server.  Is this possible?

Thanks,

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




Re: Is it Possible to use FreeRadius without certificates

2011-12-26 Thread Alan DeKok
McSparin, Joe wrote:
 I would like to just have freeRadius authenticate against my active
 directory in windows using only the user name and password in Active
 Directory for authentication.  Is this possible to do? I don't want to
 have to mess with installing certificates on the user machines or the
 server.  Is this possible?

  Yes.  See the existing documentation in the server and on the wiki.

  Alan DeKok.


Re: Is it Possible to use FreeRadius without certificates

2011-12-26 Thread Fajar A. Nugraha
On Tue, Dec 27, 2011 at 3:42 AM, McSparin, Joe
jmcspa...@hillcountrymemorial.org wrote:
 I would like to just have freeRadius authenticate against my active
 directory in windows using only the user name and password in Active
 Directory for authentication.  Is this possible to do? I don't want to have
 to mess with installing certificates on the user machines or the server.  Is
 this possible?

Should be possible, but that means you won't be able to use EAP or
802.1x. If you only use plain PAP/MSCHAP anyway, it should work.

-- 
Fajar



RE: Error when trying to create certificates

2011-12-23 Thread McSparin, Joe
It's a package add from FreeBSD ports.  I'll try reinstalling it on
another machine and see where it puts it. 

Thanks, 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, December 22, 2011 5:46 PM
To: FreeRadius users mailing list
Subject: Re: Error when trying to create certificates

McSparin, Joe wrote:
 It's not located in the /usr/local/etc/raddb directory where my
install is but I did a search and it is located here
/usr/local/share/examples/freeradius/raddb/certs/xpextensions. 

  Find out who created the package (RPM, DEB, etc.) for your system,
and file a bug.  The default distribution ships the xpextensions file in
the /etc/raddb/certs/ directory for a reason.

  Alan DeKok.


RE: Error when trying to create certificates

2011-12-23 Thread Herbert J. Skuhra
On Fri, Dec 23, 2011, at 08:52, McSparin, Joe wrote:
 It's a package add from FreeBSD ports.  I'll try reinstalling it on
 another machine and see where it puts it. 

http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/freeradius2/files/pkg-message.in?rev=1.2;content-type=text%2Fplain

-- 
Herbert



RE: Error when trying to create certificates

2011-12-22 Thread McSparin, Joe
It's not located in the /usr/local/etc/raddb directory where my install is but 
I did a search and it is located here 
/usr/local/share/examples/freeradius/raddb/certs/xpextensions. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: 
freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
 On Behalf Of Alan Buxey
Sent: Thursday, December 22, 2011 1:18 AM
To: FreeRadius users mailing list
Subject: Re: your mail

Hi,
Keep getting this error message when running make in my /raddb/certs
directory I reinstalled openssl but to no avail.  Any thoughts?
 
/usr/bin/openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr 
-key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt
-extensions xpserver_ext -extfile xpextensions -config ./server.cnf
 
Using configuration from ./server.cnf
ERROR: loading the config file 'xpextensions'

does the 'xpextensions' file exist in your raddb/certs directory?  does it
have useful permissions?

alan


Re: Error when trying to create certificates

2011-12-22 Thread Alan DeKok
McSparin, Joe wrote:
 It's not located in the /usr/local/etc/raddb directory where my install is 
 but I did a search and it is located here 
 /usr/local/share/examples/freeradius/raddb/certs/xpextensions. 

  Find out who created the package (RPM, DEB, etc.) for your system,
and file a bug.  The default distribution ships the xpextensions file in
the /etc/raddb/certs/ directory for a reason.

  Alan DeKok.


Re: Error when trying to create certificates

2011-12-22 Thread Fajar A. Nugraha
 McSparin, Joe wrote:
 It's not located in the /usr/local/etc/raddb directory where my install is 
 but I did a search and it is located here 
 /usr/local/share/examples/freeradius/raddb/certs/xpextensions.

That's weird. What OS/distro is this?
OS packages would usually put them in
/usr/share/doc/freeradius/examples/certs (or similar). Certainly NOT
in /usr/local. Is this a package, or self-compiled?

-- 
Fajar


Question at certificates

2011-11-24 Thread Andreas Rudat
Hi,

I'm a little bit confused. I configured radius with a self-signed cert,
peap+mschap, so if I try to connect with an android or apple device I
get the question whether I want to accept the server cert, that's ok, but with
windows or linux I get the error that there is no cert, but it still
works. Why don't these clients download
the cert? I can manually add them sure, but why is that so different?

Thanks



Re: Question at certificates

2011-11-24 Thread Alan DeKok
Andreas Rudat wrote:
 I'm a little bit confused. I configured radius with a self-signed cert,
 peap+mschap, so if I try to connect with an android or apple device I
 get the question whether I want to accept the server cert, that's ok, but with
 windows or linux I get the error that there is no cert, but it still
 works. Why don't these clients download
 the cert? I can manually add them sure, but why is that so different?

  That's how they work.  Ask Microsoft why they designed their system
that way.  We have no idea.

  Alan DeKok.


Re: Windows (7) Machine Certificates (Half Domain).

2011-10-19 Thread Christ Schlacta

On 10/15/2011 2:46, Phil Mayers wrote:

On 10/15/2011 03:17 AM, Christ Schlacta wrote:

I've got a handful of windows clients.  I'm most concerned about the
Windows 7 machines, but there are a few Vista, and even an XP client. I
want to deploy Machine account certificates for wifi authentication,
so machines will be able to connect to the network BEFORE the user logs
on (mainly for accessing remote shares), but only some of these machines
are connected to the local DOMAIN (Samba 3, not overly relevant I don't


Pre-logon auth has proven troublesome for other people, if the clients 
aren't full domain members. You may find this tricky to get working.


As for the certs - I assume you have a working certificate for a 
domain member? Extract it, and examine the cert CAREFULLY, including 
all extension OIDs. Ensure the ones you're generating for the 
non-domain members have exactly the same attributes (except CN of 
course).


You're right that it's off-topic, but what's really tragic is that 
Microsoft don't a) document and b) provide troubleshooting tools for 
their supplicant behaviour. It's a key bit of network AAA 
infrastructure, and it's damn inscrutable. Most of the other forums 
around the internet, including Microsofts own, contain ill-informed 
nonsense. I'm wondering if we should have a 8021x-client-admins 
forum somewhere...



I can get it working for neither domain members nor non-domain members.  
As I'm using a Samba 3 domain, I've got no mechanism to deploy 
certificates in a way windows is expecting, nor can I identify any 
sufficient documentation to do so.
If anyone on list DOES have working certs for domain members, I'd much 
appreciate if you could post as much info as you can without 
compromising security.



Re: Windows (7) Machine Certificates (Half Domain).

2011-10-15 Thread Phil Mayers

On 10/15/2011 03:17 AM, Christ Schlacta wrote:

I've got a handful of windows clients.  I'm most concerned about the
Windows 7 machines, but there are a few Vista, and even an XP client. I
want to deploy Machine account certificates for wifi authentication,
so machines will be able to connect to the network BEFORE the user logs
on (mainly for accessing remote shares), but only some of these machines
are connected to the local DOMAIN (Samba 3, not overly relevant I don't


Pre-logon auth has proven troublesome for other people, if the clients 
aren't full domain members. You may find this tricky to get working.


As for the certs - I assume you have a working certificate for a domain 
member? Extract it, and examine the cert CAREFULLY, including all 
extension OIDs. Ensure the ones you're generating for the non-domain 
members have exactly the same attributes (except CN of course).


You're right that it's off-topic, but what's really tragic is that 
Microsoft don't a) document and b) provide troubleshooting tools for 
their supplicant behaviour. It's a key bit of network AAA 
infrastructure, and it's damn inscrutable. Most of the other forums 
around the internet, including Microsofts own, contain ill-informed 
nonsense. I'm wondering if we should have a 8021x-client-admins forum 
somewhere...



Windows (7) Machine Certificates (Half Domain).

2011-10-14 Thread Christ Schlacta
I've got a handful of windows clients.  I'm most concerned about the 
Windows 7 machines, but there are a few Vista, and even an XP client.  I 
want to deploy Machine account certificates for wifi authentication, 
so machines will be able to connect to the network BEFORE the user logs 
on (mainly for accessing remote shares), but only some of these machines 
are connected to the local DOMAIN (Samba 3, not overly relevant I don't 
think).  What I would like to know is what should, or must, or what have 
you, the CN or DN attribute on the certificates for these systems look 
like to be used for machine authentication.  I've tried just placing 
certificates with cn=hostname,... to the certificate store for the 
machine account, but they're never used, and the machine complains about 
not having a certificate when I try to connect to wifi.


Also, most of these machines are wifi, though I plan to deploy radius on 
the switch soon (once the machine auth with wifi is working).


I know this is a little off topic, but as it all relates to radius, I 
hope someone here will know the proper answer(s) or where to find clear 
concise documentation explaining this.



Re: PEAP/TTLS and Client certificates

2010-12-04 Thread Alan DeKok
rdeboer wrote:
 I already enabled said option, the only problem is that this doesn't enforce
 the use of PEAP with a client certificate, as the TLS module is enabled and
 configured, it allows you to log in with just a client certificate using
 TLS.  What I want is to enforce the use of not just TLS but PEAP with a
 client cert.

  The solution is to disable EAP-TLS by disallowing it.  In the users
file, do:

DEFAULT EAP-Type == EAP-Type-TLS, Auth-Type := Reject

  Alan DeKok.


Re: PEAP/TTLS and Client certificates

2010-12-02 Thread rdeboer

So a few weeks later and still not much further..

Has anyone got an idea how I could force PEAP sessions to supply a
client certificate?


Re: PEAP/TTLS and Client certificates

2010-12-02 Thread Alan DeKok
rdeboer wrote:
 So a few weeks later and still not much further..
 
 Has anyone got an idea how I could force PEAP sessions to supply a
 client certificate?

  Read raddb/eap.conf.  Look for client cert

  Alan DeKok.



Re: PEAP/TTLS and Client certificates

2010-12-02 Thread rdeboer

I already enabled said option, the only problem is that this doesn't enforce
the use of PEAP with a client certificate, as the TLS module is enabled and
configured, it allows you to log in with just a client certificate using
TLS.  What I want is to enforce the use of not just TLS but PEAP with a
client cert.

Suppose I should have made that clearer in my post, sorry about that.

-Remy


Re: PEAP/TTLS and Client certificates

2010-11-04 Thread rdeboer

I'm using the Juniper Odyssey Access Client, you can download a trial from
the Juniper website.  So far it's the only supplicant I've come across that
allows for PEAP or TTLS with client certificates.  Drawback being you have
to buy licenses for each instance of it running inside the company, which
undoubtedly is going to cost a fortune.  So if anyone out there has any idea
of a free open source solution I'm game...

About the perl module, I'll start looking into that, thanks for the tip.


Re: PEAP/TTLS and Client certificates

2010-11-04 Thread David Jea
Which OS?
David



On Thu, Nov 4, 2010 at 9:00 AM, rdeboer rem...@gmail.com wrote:


 I'm using the Juniper Odyssey Access Client, you can download a trial from
 the Juniper website.  So far it's the only supplicant I've come across that
 allows for PEAP or TTLS with client certificates.  Drawback being you have
 to buy licenses for each instance of it running inside the company, which
 undoubtedly is going to cost a fortune.  So if anyone out there has any
 idea
 of a free open source solution I'm game...

 About the perl module, I'll start looking into that, thanks for the tip.

Re: PEAP/TTLS and Client certificates

2010-11-04 Thread rdeboer

Mostly windows 7 but linux and OSX would be nice too..


eap-tls certificates

2010-09-27 Thread Peter McEvoy
Hi.
I'm in the process of setting up freeradius 2.1.9 on debian lenny/sparc.
I've got everything working for eap tls with the self signed certificates
that come with freeradius. This is working well for macs and some
smartphones but I'm having trouble with windows machines. My research
indicates that buying a certificate from a known CA will solve my problems
(or I believe I could import a certificate into the windows devices but with
up to 1000 clients I'd prefer not to have to do this). Can anyone confirm if
this is the case? If so, is there a specific type of certificate I need to
buy that would include some 'extensions' that I'm told windows clients
require.

Cheers

-- 
Pete
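Pete's question about "extensions" Windows clients require, the missing `xpextensions` file in the "Error when trying to create certificates" thread, and Phil Mayers' advice to compare a working certificate's extension OIDs against the ones you generate all come down to the same thing: Windows supplicants expect the RADIUS server certificate to carry the serverAuth Extended Key Usage (OID 1.3.6.1.5.5.7.3.1). The script below is an added example, not code from the thread or from the FreeRADIUS project: it writes an extensions file with the same two sections FreeRADIUS ships in raddb/certs/xpextensions, issues a server and a client certificate from a throwaway CA, dumps the extensions so two certificates can be diffed, and verifies the chain the way a supplicant must. It assumes `openssl` on PATH; the CA name, `radius.example.org`, `user1` and all paths are constructed for the demo. It uses `openssl x509 -req` rather than the `openssl ca` invocation quoted in the thread so that no index/serial database is needed.

```shell
#!/bin/sh
# Added example, not from the list thread: issue a RADIUS server certificate with
# the extensions Windows supplicants look for, then inspect and verify the result.
# Assumptions: openssl on PATH; names and paths are constructed for the demo;
# the extension sections mirror FreeRADIUS's raddb/certs/xpextensions.

# Extension sections: serverAuth EKU for the RADIUS server, clientAuth for clients.
write_xpextensions() {
    cat > "$1" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# Self-signed demo CA in directory $1 (this is the CA clients must be told to trust).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/ca.key" \
        -out "$1/ca.pem" -subj "/CN=Demo RADIUS CA" >/dev/null 2>&1
}

# Issue $1/$2.pem signed by the CA, using extension section $3 and subject CN $4.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/CN=$4" >/dev/null 2>&1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/xpextensions" -extensions "$3" \
        -out "$1/$2.pem" >/dev/null 2>&1
}

# Extended Key Usage value(s) of a certificate, as OpenSSL names them.
cert_eku() {
    openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

# Names of all X509v3 extensions in a certificate, sorted, so a known-good
# (domain-issued) certificate can be diffed against one you generated.
cert_extensions() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *X509v3 \([A-Za-z ]*\):.*$/\1/p' | sort -u
}

# What every supplicant should do: check the server cert chains to the trusted CA.
verify_chain() {   # $1 = CA file, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build CA, server and client certificates in a temp dir and print its path.
demo_dir() {
    d=$(mktemp -d)
    write_xpextensions "$d/xpextensions"
    make_ca "$d"
    issue_cert "$d" server xpserver_ext radius.example.org
    issue_cert "$d" client xpclient_ext user1
    printf '%s\n' "$d"
}
```

Typical use: `d=$(demo_dir); cert_extensions "$d/server.pem"` and then the same for a certificate exported from a working domain-joined machine; any extension present on one side and missing on the other is the first thing to fix.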

Re: Certificates

2010-09-16 Thread Alan DeKok
freerad...@corwyn.net wrote:
 
 
 
 I'm tinkering with my VPN setup using FreeRadius and AD, and getting
 Not possible to verify the identity of the server. Some googling shows
 that message can be related to certificates.

  Uh... the documentation on setting up EAP describes what you need to
do on the client machine in order for EAP to work.  This involves
putting the CA cert on the PC.

 Some digging through the FreeRadius docs came up with:
   If FreeRADIUS was configured to use OpenSSL, then simply starting
 the server in root in debugging mode should also create test
 certificates, i.e.:
 
 Does this mean that, presuming I never did create certificates, that
 freeradius could function differently in debug mode than when running
 not in debug mode?

  No.

  Alan DeKok.


Certificates

2010-09-15 Thread freeradius




I'm tinkering with my VPN setup using FreeRadius and AD, and getting 
Not possible to verify the identity of the server. Some googling 
shows that message can be related to certificates.


Some digging through the FreeRadius docs came up with:
  If FreeRADIUS was configured to use OpenSSL, then simply starting
the server in root in debugging mode should also create test
certificates, i.e.:

Does this mean that, presuming I never did create certificates, that 
freeradius could function differently in debug mode than when running 
not in debug mode?


Rick



Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp




Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread Esteban TALAVERA
Thanks, you're right.  I'll continue this way; the problem is not the
effort, but I was trying to complete the picture
Freeradius+MySql+EAP_TLS+Cisco AP without success.
Keep trying...


On Tue, Sep 14, 2010 at 5:25 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

  I'd like to know if there is a way to configure a Radius server +
 Mysql to authenticate Wireless clients via a Cisco AP without certificates
 (EAP TLS), only a username and password

 err, EAP needs certs..that's a fundamental building block. the RADIUS server
 needs to be signed by a CA
 and the client needs to have that CA installed onto it. you can make things
 easier by getting your RADIUS
 server signed by a CA that is built into most of your clients - eg get a
 thawte or verisign signed cert.

 it's a BAD BAD thing not to enable radius server checking and CA checking on
 your client. the
 public key infrastructure is a major part of the security of 802.1X and if
 you think it's 'too much effort'
 then I'll show you a nasty man-in-middle fake AP and radius server that
 will get all your users' usernames
 and passwords. all run in a 512Mb VM on a basic laptop  :-(


 alan




-- 
Esteban Talavera
Proyectos ITW
Tel. +(58)212 7623035
+(58)212 7620504
Cel. +(58)412 2892006
Fax +(58)212 7615965

Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread Kevin Ehlers

On 9/13/10 3:40 PM, Esteban TALAVERA wrote:
 I'd like to know if there is a way to configure a Radius server + Mysql
 to authenticate Wireless clients via a Cisco AP without certificates (EAP
 TLS), only a username and password

Are you using an autonomous AP or a lightweight AP with a controller?
If you have a controller, you can do webauth.  For webauth, the only
certificate required is the one for https/ssl.  If it's an autonomous
system, then you could place clients on a vlan and make them go through
and authentication gateway.

-- 
Kevin Ehlers
Network Engineer
University of Oregon


Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread Esteban TALAVERA
Thanks

It's an autonomous AP.
I'll try Freeradius+MySql+EAP-TLS schema.



On Tue, Sep 14, 2010 at 11:06 AM, Kevin Ehlers ke...@uoregon.edu wrote:


 On 9/13/10 3:40 PM, Esteban TALAVERA wrote:
  I'd like to know if there is a way to configure a Radius server +
 Mysql
  to authenticate Wireless clients via a Cisco AP without certificates
 (EAP
  TLS), only a username and password

 Are you using an autonomous AP or a lightweight AP with a controller?
 If you have a controller, you can do webauth.  For webauth, the only
 certificate required is the one for https/ssl.  If it's an autonomous
 system, then you could place clients on a vlan and make them go through
 and authentication gateway.

 --
 Kevin Ehlers
 Network Engineer
 University of Oregon




-- 
Esteban Talavera
Proyectos ITW
Tel. +(58)212 7623035
+(58)212 7620504
Cel. +(58)412 2892006
Fax +(58)212 7615965

Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread John Dennis

On 09/14/2010 11:53 AM, Esteban TALAVERA wrote:

Thanks

Is an autonomous AP.
I'll try Freeradius+MySql+EAP-TLS schema.


Huh? What's that?

As has been pointed out previously, you must have a server cert if you're 
doing TLS.


In addition the server cert should be signed by a trusted CA and the 
supplicant should validate the cert (anything less would be a ridiculous 
security risk).


No amount of fudging the server configuration is going to magically 
modify the fundamental requirements of TLS. If you don't want to set up 
a server cert forget about supporting PEAP, EAP_TLS, etc. (which means 
most Windows clients will not work).


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread Alan Buxey
Hi,

  I'd like to know if there is a way to configure a Radius server + Mysql
  to authenticate Wireless clients via a Cisco AP without certificates (EAP
  TLS), only a username and password

yes. we use Cisco APs - we used to use them in autonomous mode but moved to the 
lightweight LWAPP (now CAPWAP) mode a few years back.

I would not recommend broken captive portals. 802.1X is the way forward
(and is now being mandated by several government and education procurement
systems around the world - expect any half-decent auditor to pick up on this 
too).
for EAP, you can use EAP-PEAP or EAP-TTLS - in which your RADIUS server
has a certificate signed by a CA. the clients don't need certificates, they
just need to have the CA on them that signed the RADIUS server (for trust!)

alan
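Alan Buxey's point here, John Dennis's note above that the supplicant must validate the server certificate, and Alan's earlier warning about a fake AP plus RADIUS server harvesting credentials all describe the same failure mode: a PEAP/TTLS client that does not pin the CA and the server identity will hand its credentials to whoever answers. A defender's check that follows from this, added here as an example that is not part of the thread, is to audit supplicant configurations before rolling them out. The script below reads a wpa_supplicant.conf and flags every EAP network block that lacks `ca_cert` or a `domain_match`/`domain_suffix_match` entry; the sample configuration, SSIDs and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the list thread: audit a wpa_supplicant configuration
# for EAP networks that do not pin the RADIUS server's CA and identity.
# Assumptions: wpa_supplicant.conf syntax (network={ ... } blocks) with the
# ca_cert / domain_match / domain_suffix_match keys; sample config constructed below.

# Print one line per EAP network: "<ssid> OK" or "<ssid> WEAK: <reasons>".
# PSK/open networks have no server certificate to validate and are skipped.
audit_supplicant_conf() {
    awk '
        function report(   why) {
            if (eap == "") return
            why = ""
            if (cacert == "") why = why "no ca_cert"
            if (dmatch == "") why = why (why == "" ? "" : ", ") "no domain_match/domain_suffix_match"
            if (why == "") print ssid " OK"
            else print ssid " WEAK: " why
        }
        /^[ \t]*network[ \t]*=[ \t]*[{]/ { ssid = "?"; eap = ""; cacert = ""; dmatch = ""; inblock = 1; next }
        inblock && /^[ \t]*[}]/ { report(); inblock = 0; next }
        !inblock { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", key)
            val = substr(line, eq + 1); gsub(/"/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "ssid") ssid = val
            else if (key == "eap") eap = val
            else if (key == "ca_cert" && val != "") cacert = val
            else if ((key == "domain_match" || key == "domain_suffix_match") && val != "") dmatch = val
        }
    ' "$1"
}

# Constructed sample: one weak PEAP profile, one that validates the server, one PSK.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real site configuration
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="secret"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-ok"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="secret"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="passphrase"
}
EOF
}

# Usage: sh audit.sh /etc/wpa_supplicant/wpa_supplicant.conf
if [ $# -gt 0 ]; then audit_supplicant_conf "$1"; fi
```

On the sample the audit reports `corp-weak` as WEAK and `corp-ok` as OK; the same logic applies to any profile pushed to Linux clients, and the equivalent settings on Windows are the "Validate server certificate" and trusted-root selections Kevin mentions below.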


Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread Kevin Ehlers
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 9/14/10 11:38 AM, Alan Buxey wrote:
 Hi,
 
 I'd like to know if there is a way to configure a Radius server + Mysql
 to authenticate Wireless clients via a Cisco AP without certificates (EAP
 TLS), only a username and password
 
 yes. we use Cisco APs - we used to use them in autonomous mode but moved to 
 the 
 lightweight LWAPP (now CAPWAP) mode a few years back.
 
 I would not recommend broken captive portals. 802.1X is the way forward
 (and is now being mandated by several government and education procurement
 systems around the world - expect any half-decent auditor to pick up on this 
 too).
 for EAP, you can use EAP-PEAP or EAP-TTLS - in which your RADIUS server
 has a certificate signed by a CA. the clients don't need certificates, they
 just need to have the CA on them that signed the RADIUS server (for trust!)

I agree for the most part.  However, captive portals will still be in
use for guest access.  There's less administrative and helpdesk overhead
for this type of deployment.

On windows machines, the CA/cert trust has to be explicitly enabled.
This can be a barrier for un-managed and non-employee machines.

-- 
Kevin Ehlers
Network Engineer
University of Oregon


Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread Alan Buxey
Hi,

 I agree for the most part.  However, captive portals will still be in
 use for guest access.  There's less administrative and helpdesk overhead
 for this type of deployment.
 
 On windows machines, the CA/cert trust has to be explicitly enabled.
 This can be a barrier for un-managed and non-employee machines.

so visitors get a nice easy coffee-shop way onto the network whilst
employees have to suffer the wrath of 21 steps of PEAP hell?  nah. that's just 
not fair.


there are several tools developing nicely which make getting onto
an 802.1X network nice and easy for all people: staff, students or
visitors - eg Cloudpath and su1x - with these, there is no nasty CA/cert trust
for a visitor to deal with. 

and if they cannot get onto the supplied network, then there's always a 
commercial link or 3G dongle option (most modern 'road warriors' have
eg a 3G dongle or MiFi in their pocket to avoid stupid wifi charges
at hotels ;-) )

alan


Freeradius + MySql + Wireless Clients without certificates

2010-09-13 Thread Esteban TALAVERA
Hi

I'd like to know if there is a way to configure a RADIUS server + MySQL
to authenticate wireless clients via a Cisco AP without certificates (EAP-TLS),
only a username and password.



Thanks

-- 

*Esteban Talavera*

Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-13 Thread Marten Pape
Hi Esteban,
this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.

Regards,
Marten Pape

Esteban TALAVERA schrieb:
 Hi

 I'd like to know if there is a way to configure a RADIUS server +
 MySQL to authenticate wireless clients via a Cisco AP without
 certificates (EAP-TLS), only a username and password.



 Thanks 

 -- 

 *Esteban Talavera*
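As an added illustration of the answer above (this is example configuration written for this thread, not posted by Marten or taken from the FreeRADIUS project), here is what a username/password-only wireless setup looks like in FreeRADIUS 2.x: the `eap` module in `eap.conf` offers PEAP with an inner MSCHAPv2 exchange, the server presents its own certificate while no client certificate is ever required, the Cisco AP is registered as a NAS in `clients.conf`, and the user's password lives in the MySQL `radcheck` table. The certificate paths point at the example certificates FreeRADIUS ships in its `certs` directory; the private-key password, NAS address, shared secret and the sample user are placeholders to be replaced.

```conf
# --- eap.conf (inside modules/eap) -------------------------------------
eap {
    # Clients are offered PEAP first; EAP-TLS is not listed, so no
    # client certificate is ever requested.
    default_eap_type = peap

    tls {
        # Server-side certificate only.  Supplicants need the CA
        # (ca.pem) in their trust store; they do not need their own cert.
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever          # placeholder: set your own
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }

    peap {
        # Inner method: username + password via MSCHAPv2 inside the TLS tunnel.
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # Inner identity is authenticated by the inner-tunnel virtual server,
        # whose authorize section must include the sql module.
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}

# --- clients.conf: the Cisco AP as NAS (address and secret are placeholders)
client cisco-ap {
    ipaddr = 192.0.2.10
    secret = CHANGE_ME_shared_secret
    nastype = cisco
}
```

The MySQL side needs the password in a form MSCHAPv2 can use; a hashed Unix-style password is not enough, so the `radcheck` row for a user looks like `INSERT INTO radcheck (username, attribute, op, value) VALUES ('alice', 'Cleartext-Password', ':=', 'CHANGE_ME');` (sample user, constructed for this example). `NT-Password` works as well if you prefer not to store cleartext.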

Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-13 Thread Esteban TALAVERA
Hi Marten

You mean that when configuring FreeRADIUS for EAP-PEAP it's not necessary to create
certificates?

Is it possible to use it with a Cisco AP as the NAS?

Thanks


On Mon, Sep 13, 2010 at 6:23 PM, Marten Pape marten.p...@pape-hn.de wrote:

  Hi Esteban,
 this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.

 Regards,
 Marten Pape

 Esteban TALAVERA schrieb:

 Hi

 I'd like to know if there is a way to configure a RADIUS server +
 MySQL to authenticate wireless clients via a Cisco AP without certificates
 (EAP-TLS), only a username and password.



  Thanks

 --

 *Esteban Talavera*

-- 

*Esteban Talavera*

*Proyectos ITW*

Tel.+(58)212 7623035

+(58)212 7620504

Cel. +(58)412 2892006

Fax   +(58)212 7615965

Ignoring client certificates

2010-07-20 Thread Vijay Badola
Hi, is there any option/configuration so that we can ignore the certificates
sent by the user?

I am using EAP-TTLS with MSCHAPv2 and want to authenticate the user by password
only, not by the certificate sent by the user.

Please help

Regards,
Vijay Badola


Re: Ignoring client certificates

2010-07-20 Thread Alan DeKok
Vijay Badola wrote:
 Hi, Is there any option/configuration so that we can ignore the
 certificates sent by user?

  Source code modifications.  See the OpenSSL API.

  As always, patches are welcome.

  Alan DeKok.