Re: EAP-TLS with different CA per user?

2008-06-08 Thread Alan DeKok
Frank Sweetser wrote: The usernames currently don't have a domain portion. Would it be possible for me to set a default domain for a given username? (The list is small, so would be manageable for me.) And if so, could you give me at least a rough example of how I would set this up? You

Re: EAP-TLS with different CA per user?

2008-06-08 Thread Frank Sweetser
Alan DeKok wrote: Frank Sweetser wrote: The usernames currently don't have a domain portion. Would it be possible for me to set a default domain for a given username? (The list is small, so would be manageable for me.) And if so, could you give me at least a rough example of how I

RE: EAP-TLS with different CA per user?

2008-06-07 Thread SecureW2 (List)
simply setup a configuration per domain/realm of these users. Regards, Tom -Original message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Frank Sweetser Sent: Friday 6 June 2008 20:07 To: freeradius-users@lists.freeradius.org Subject: EAP-TLS

Re: EAP-TLS with different CA per user?

2008-06-07 Thread Matt Causey
-bounces%2Blist= [EMAIL PROTECTED] On behalf of Frank Sweetser Sent: Friday 6 June 2008 20:07 To: freeradius-users@lists.freeradius.org Subject: EAP-TLS with different CA per user? I have a configuration which I need, but haven't been able to figure out how to make freeradius do

Re: EAP TLS Authentication failing!!!! Unknown CA

2008-06-07 Thread Matt Causey
I'm happy to be wrong about this, but in my experience, this parameter: -CApath ca.pem Needs to be an actual path, not a PEM CA file, where you have performed these steps: download certificate authority cert in PEM format run c_rehash . (openssl script) On Thu, May 15, 2008 at 10:37 AM,

Re: EAP-TLS with different CA per user?

2008-06-07 Thread Frank Sweetser
SecureW2 (List) wrote: Frank, It is not really a configuration issue, but more an Identity Management issue. It is not common to have a CA per user, but a CA per domain. And per domain you have users. In general, I certainly agree. The catch is that I'm attempting to handle certs and

EAP-TLS with different CA per user?

2008-06-06 Thread Frank Sweetser
I have a configuration which I need, but haven't been able to figure out how to make freeradius do it. I have two users, A and B, both authenticating over wireless using EAP-TLS. User A has a certificate which has been signed by CA X, and B has one signed by CA Y. What I need is to tell

EAP-TLS deny access?

2008-05-25 Thread uhel
with EAP-TLS which works fine so far. I'm not using any SQL or LDAP backend only the *users* file. -- regards uHel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS deny access?

2008-05-25 Thread Alan DeKok
[EMAIL PROTECTED] wrote: how can i deny access to a user (a certificate)? Set Auth-Type := Reject Is a CRL (with the CA_path and c_rehash stuff) the only possibility to deny access or is it possible to have a *whitelist* (like the CA_path and c_rehash stuff but as a whitelist) with certs

Re: EAP TLS testing using eapol_test

2008-05-22 Thread Naunidh S Chadha
-- Message: 1 Date: Wed, 21 May 2008 20:15:06 +0530 From: Naunidh S Chadha [EMAIL PROTECTED] Subject: EAP TLS testing using eapol_test To: freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=iso-8859-1 Hi All I am

Re: EAP TLS testing using eapol_test

2008-05-22 Thread Alan DeKok
Naunidh S Chadha wrote: ... Wed May 21 19:31:19 2008 : *Error: -- verify error:num=20:unable to get local issuer certificate* Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca The certificate supplied by the client was not signed by a CA that

Re: EAP TLS testing using eapol_test

2008-05-22 Thread Naunidh S Chadha
think it could be the eapol config? I will paste it here again. network={ ssid=1x-test key_mgmt=WPA-EAP eap=TLS identity=[EMAIL PROTECTED] ca_cert=/usr/local/etc/raddb/certs/ca.pem (even tried with server.pem as CA) client_cert=/usr/local/etc/raddb/certs/[EMAIL

EAP TLS testing using eapol_test

2008-05-21 Thread Naunidh S Chadha
Hi All I am attempting to authenticate an EAP-TLS using eapol_test tool against FreeRADIUS Version 2.0.3. For the last two days I am getting stumped by certificate issues. Currently I have the following error in my Freeradius log that seems to be the problem. Wed May 21 19:31:19 2008 : Debug

Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-18 Thread Joel MBA OYONE
/cacertificate1wj4.jpg - Client Certificate with p12 format: http://img164.imageshack.us/img164/2894/certifclient1kf1.jpg http://img164.imageshack.us/img164/7527/certifclient2rv3.jpg sorry for the delay, i was on a trip! I am still blocked on Identity validation when i try to use eap-tls attached files

Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-18 Thread Ivan Kalik
you can view screenshots of the certificate here: - CA Certificate that i imported on XP with DER format: http://img357.imageshack.us/img357/2264/cacertificate1wj4.jpg - Client Certificate with p12 format: http://img164.imageshack.us/img164/2894/certifclient1kf1.jpg

Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-18 Thread Joel MBA OYONE
Yes! it is in the personal store! - so problem is not with certificate ?? in this case, what should be checked? - config? - hardware? i'd like to use eap-tls and/or eap-peap MBA OYONE Joël Lot. El Firdaous Bât GH20, Porte A 204, Appt 8 2 Oulfa Casablanca - Morocco Tel. : +212 69 25 85 70

Re : Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-18 Thread Joel MBA OYONE
Ok, we assume my certificates are correct. So i have some more questions: - Certificate should be imported for user accounts or for computer account ? - i use the file users as database for my accounts; when using eap-tls when trying eap-peap my accounts looks like that: johndoe Auth-Type

RE: Re : Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-18 Thread Ivan Kalik
the file users as database for my accounts; when using eap-tls when trying eap-peap my accounts looks like that: johndoe Auth-Type := EAP, User-Password == "test1234" Tunnel-Type = 13, Tunnel-Medium-Type = 6, or johndoe User-Password == "

Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-18 Thread Joel MBA OYONE
PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Monday, 19 May 2008, 00:37:23 Subject: RE: Re : Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ?? Ok, we assume my certificates are correct. So i have some more questions: - Certificate should be imported

Re: EAP-TLS cert

2008-05-16 Thread Alan DeKok
Kwok Sianbin wrote: Now..I want to test connecting with Windows XP but I could not find root.der or cert-clt.p12 like previous version has. raddb/certs. Read eap.conf, too. It points to the location of the default certificates. Alan DeKok. - List info/subscribe/unsubscribe? See

Re: EAP-TLS cert

2008-05-16 Thread A . L . M . Buxey
Hi, I've installed FreeRadius-2.0.4 and run fine. Here are a few things I had edited. Clients.conf client 192.168.0.0/24 { secret= testing123-1 shortname= private-network-1 } eap { default_eap_type= tls } tls { fragment_size

EAP TLS Authentication failing!!!! Unknown CA

2008-05-15 Thread Avinash Patil
the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled EAP

EAP TLS Authentication with eToken

2008-05-15 Thread Riccardo Veraldi
Hello, anyone has used eToken Aladdin 64k with EAP-TLS authentication using wpa_supplicant ? thank you Rick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS cert

2008-05-15 Thread Kwok Sianbin
and install into Windows XP as client certificate? Thanks in advance. Alan DeKok [EMAIL PROTECTED] wrote: Kwok Sianbin wrote: I am newbie to linux and recently I try to implement wireless connection with EAP-TLS encryption. I am using Freeradius-1.1.7 installed into Red Hat Enterprise 4. You

Re: EAP-TLS can't get connected..etc.

2008-05-13 Thread Kwok Sianbin
: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, May 9, 2008 7:50:34 PM Subject: Re: EAP-TLS can't get connected..etc. Kwok Sianbin wrote: I am newbie to linux and recently I try to implement wireless connection with EAP-TLS

Re: EAP-TLS can't get connected..etc.

2008-05-13 Thread A . L . M . Buxey
Hi, I installed the Freeradius 2.0.4 as Mr. Alan DeKok had suggested I browse www.freeradius.org and run below command. #cvs -d :pserver:[EMAIL PROTECTED]:/source login CVS password: anoncvs nothing happen and return to # 'nothing' should happen as all you've done is log into a CVS session

Re: EAP-TLS can't get connected..etc.

2008-05-13 Thread Alan DeKok
Kwok Sianbin wrote: ... got some errors btool: install: error: cannot install rlm_acctlog.la to a directory not ending in /usr/local/lib/lib In 10 years of fighting libtool, I have *never* seen this error. I have no idea what this means. Alan DeKok. - List info/subscribe/unsubscribe? See

Re: EAP-TLS can't get connected..etc.

2008-05-13 Thread A . L . M . Buxey
Hi, Kwok Sianbin wrote: ... got some errors btool: install: error: cannot install rlm_acctlog.la to a directory not ending in /usr/local/lib/lib In 10 years of fighting libtool, I have *never* seen this error. I have no idea what this means.

EAP-TLS can't get connected..etc.

2008-05-09 Thread Kwok Sianbin
Hi Everyone, I am newbie to linux and recently I try to implement wireless connection with EAP-TLS encryption. I am using Freeradius-1.1.7 installed into Red Hat Enterprise 4. Here I encounter problems that I can't solve alone hence I need advice from gurus on this forum. the problem is client

Re: EAP-TLS can't get connected..etc.

2008-05-09 Thread Alan DeKok
Kwok Sianbin wrote: I am newbie to linux and recently I try to implement wireless connection with EAP-TLS encryption. I am using Freeradius-1.1.7 installed into Red Hat Enterprise 4. You should really use 2.0.4. Here I encounter problems that I can't solve alone hence I need advice

Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-07 Thread Joel MBA OYONE
Ok, i think i really missed something! that config should take less than 15 minutes but i can't solve my problem for more than a week. Alan or Ivan, could you give me a half hour to help me to fix my RADIUS EAP-TLS config please. i would like to give you a full access to my network and my

Re : Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-07 Thread Joel MBA OYONE
up! (never say die) == Ok, i think i really missed something! that config should take less than 15 minutes but i can't solve my problem for more than a week. Alan or Ivan, could you give me a half hour to help me to fix my RADIUS EAP-TLS config please. i would like

Re: Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-07 Thread Ivan Kalik
solve my problem for more than a week. Alan or Ivan, could you give me a half hour to help me to fix my RADIUS EAP-TLS config please. i would like to give you a full access to my network and my terminal too, so the diagnostic should be very very easy for you! is it possible? MBA OYONE Joël Lot

ignore the case insensitive in the users-file with using rlm_fastusers and EAP-TLS

2008-05-06 Thread Khaiti, Issam (ext)
hello, I'd like to know how I can adjust the freeradius configuration to ignore case for all Identifiers existing in the file /raddb/users using rlm_fastusers with EAP-TLS. User-Names in the Access-Requests should namely be matched with the Identifiers, which are configured

Re: howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-05 Thread Ivan Kalik
- ca.der no prob, known as a CA in windows - server.p12 ---no prob, certificate is valid - client.p12 --- !!! windows said something like that (excuse my english translation, but i think you'll get the message): --CA ---Server ---clients: ---Information about the certificate: ---

Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-05 Thread Joel MBA OYONE
rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = Password: auth_type = PAP } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange

Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-05 Thread Alan DeKok
Joel MBA OYONE wrote: ... The VLAN attributes defined in RFC3580 are as follows: • Tunnel-Type=VLAN (13) • Tunnel-Medium-Type=802 • Tunnel-Private-Group-ID=VLANID NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which is why client entries use 6

howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-03 Thread Joel MBA OYONE
OK, radiusd -X and /etc/raddb/certs/bootstrap generated some files in /etc/raddb/certs like ca.pem ca.key 01.pem dh index.txt index.txt.attr random serial server.crt server.key server.p12 server.pem server.csr xpextensions etc... eap.conf points to the right paths. i intend to authenticate

Re: howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-03 Thread Ivan Kalik
There is a readme file in certs folder explaining how to make client certificates. Ivan Kalik Kalik Informatika ISP On 3/5/2008, Joel MBA OYONE [EMAIL PROTECTED] wrote: OK, radiusd -X and /etc/raddb/certs/bootstrap generated some files in /etc/raddb/certs like ca.pem ca.key 01.pem dh

EAP/TLS on windows XP clients?

2008-05-02 Thread Johan Nyman
Hello, What certificates are needed on Windows XP clients to make a successful connection? The client.p12? and more? Thanks, Best regards, Johan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP/TLS on windows XP clients?

2008-05-02 Thread Alan DeKok
Johan Nyman wrote: What certificates are needed on Windows XP clients to make a successful connection? http://www.freeradius.org/doc/EAPTLS.pdf In 2.0.x, you'll need ca.der and client.p12 You may need to go into the raddb/certs directory, and do make ca.der. Alan DeKok. - List

Re : Re : EAP-TLS/PEAP problem

2008-05-02 Thread Joel MBA OYONE
in certs/ directory, i understood that the script bootstrap should create the certificates and some other stuff, and then should be renamed or destroyed. - what i see is: the script didn't create anything and could not be run. could you please help me to fix it? ( my final goal is to use eap-tls

Re: EAP/TLS on windows XP clients?

2008-05-02 Thread Johan Nyman
the Windows XP computer name? Thanks for help, Best regards Johan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Alan DeKok Sent: 2 May 2008 10:21 To: FreeRadius users mailing list Subject: SPAM-LOW: Re: EAP/TLS on windows XP clients? Johan Nyman

Re: EAP/TLS on windows XP clients?

2008-05-02 Thread Ivan Kalik
I can successfully access and connect to the FreeRadius server with Linux clients using ca.pem and client.pem. - Where is the ca.der imported/or placed in Windows XP Professional? Trusted root CA store. - Does the commonName within the certificate files (client.p12) need to match the

Re : Re : Re : EAP-TLS/PEAP problem

2008-05-02 Thread Joel MBA OYONE
[EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, 2 May 2008, 09:50:05 Subject: Re : Re : EAP-TLS/PEAP problem Hello list, I've just installed SUSE 10.3 and freeradius 2.0.2.2-3 to easily setup my previous prob with eap. right now

Re: EAP-TLS/PEAP problem

2008-04-30 Thread Ivan Kalik
poor english skills but hope i could be understood anyway. I use freeradius 1.1-7 on fedora 8 (installed with yum command). right now, my users in the /etc/raddb/users file are able to authenticate without any problem. i intend to use eap-tls and eap-peap to authenticate my users. to do so, i

Re : EAP-TLS/PEAP problem

2008-04-30 Thread Joel MBA OYONE
but hope i could be understood anyway. I use freeradius 1.1-7 on fedora 8 (installed with yum command). right now, my users in the /etc/raddb/users file are able to authenticate without any problem. i intend to use eap-tls and eap-peap to authenticate my users. to do so, i read this tutorial

Re: Re : EAP-TLS/PEAP problem

2008-04-30 Thread Ivan Kalik
(installed with yum command). right now, my users in the /etc/raddb/users file are able to authenticate without any problem. i intend to use eap-tls and eap-peap to authenticate my users. to do so, i read this tutorial: http://www.wi-fiplanet.com/tutorials/article.php/3557251 (two sheets

EAP/TLS connection problem..

2008-04-29 Thread Johan Nyman
. The wpa_supplicant.conf looks like this: network={ ssid=devnet scan_ssid=1 key_mgmt=WPA-EAP pairwise=CCMP TKIP group=CCMP TKIP auth_alg=OPEN proto=RSN eap=TLS identity=Linux1 ca_cert=/Certs/ca.pem client_cert

Re: EAP/TLS connection problem..

2008-04-29 Thread Alan DeKok
Johan Nyman wrote: I can seem to connect to the radius server, this is the error code: ... Anyone has a clue on what It could be? Nope. You seem to have edited the debug output a lot, and have deleted any information that could be used to understand what's going on. Alan DeKok. - List

RE: SPAM-LOW: Re: EAP/TLS connection problem..

2008-04-29 Thread Johan Nyman
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Alan DeKok Sent: 29 April 2008 17:37 To: FreeRadius users mailing list Subject: SPAM-LOW: Re: EAP/TLS connection problem.. Johan Nyman wrote: I can seem to connect to the radius server, this is the error code: ... Anyone has

Re: SPAM-LOW: Re: EAP/TLS connection problem..

2008-04-29 Thread Alan DeKok
Johan Nyman wrote: I have not edited the debug a lot! You posted a small portion of the debug output. There is a lot more available during an EAP-TLS session. What information, from what .log files do you want/need? The output of radiusd -X? Perhaps you are referring to another debug

RE: SPAM-LOW: Re: EAP/TLS connection problem..

2008-04-29 Thread Ivan Kalik
That information I posted is directly from the Radiusd -X console. Then your supplicant didn't respond to the initial challenge. Why? You should ask that on the supplicant list. Usual cause is no CA certificate on the user machine. Ivan Kalik Kalik Informatika ISP - List

Newbie EAP/TLS

2008-04-28 Thread Mauro Iorio - Smart Soft s.r.l.
Hi all, sorry for this newbie question, but I was wondering if there's a way to implement EAP/TLS in freeradius. Does freeradius support TLS? Is there any documentation about it? Any information would be very appreciated. Thank You, Mauro Iorio - List info/subscribe/unsubscribe? See

Re: Newbie EAP/TLS

2008-04-28 Thread Nicolas Goutte
On 28.04.2008 at 17:07, Mauro Iorio - Smart Soft s.r.l. wrote: Hi all, sorry for this newbie question, but I was wondering if there's a way to implement EAP/TLS in freeradius. Does freeradius support TLS? Is there any documentation about it? As far as I know, yes. See also: http

Re: Newbie EAP/TLS

2008-04-28 Thread Alan DeKok
Mauro Iorio - Smart Soft s.r.l. wrote: sorry for this newbie question, but I was wondering if there’s a way to implement EAP/TLS in freeradius. Does freeradius support TLS? http://freeradius.org/features/eap.html Is there any documentation about it? Yes. Lots. See the web page

EAP-TLS authentication with FreeRADIUS 2.0

2008-04-09 Thread Erik Norgaard
Hi: I run FreeRADIUS 2.0 for EAP-TLS authentication on my wireless network, it works fine in my test setup but there are some pieces missing I can't figure out: 1. I'd like to add support for more than one root certificate 2. I'd like to log the certificate's distinguished name 3. I'd like

Re: EAP-TLS certificate

2008-04-07 Thread xia sihua
Message: 8 Date: Sat, 05 Apr 2008 08:49:35 +0200 From: Alan DeKok [EMAIL PROTECTED] Subject: Re: EAP-TLS certificate To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=ISO-8859-1 xia sihua wrote

Re: EAP-TLS certificate

2008-04-05 Thread Alan DeKok
xia sihua wrote: ... CA_file = ${cadir}/ca.pem The supplicant I use TeraDot1x Tester from Spirent communication. ... Configuration: ... Root Certificate Filename: server.pem I think that should be ca.pem. rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert

EAP-TLS certificate

2008-04-04 Thread xia sihua
Hi, I am using 2.0.3 version. When I generate certificate using those files ca.cnf, server.cnf, client.cnf xpextensions Makefile which are in the directory ../raddb/certs/. Then I use make server.vrfy verify the server certificate, is OK. make client.vrfy also ok. I use EAP-TLS

Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Stefan Puch
the server cert? When I looked around on the Web previously to find some good HOWTOs about setting up Freeradius using EAP-TLS I always found it that way, that the ca cert signs all other certs and by the way, the HOWTO in the freeradius Wiki (EAPTLS.pdf) explains it that way, too ;-) Best regards Stefan Puch

Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Ivan Kalik
the user would be admitted to some other network if their server was issued a certificate by the same CA. If you are using commercial certificates there might be thousands of servers with certificates issued by the same CA. And the user will be able to get onto all of them (if they use EAP-TLS). Ivan

Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Stefan Puch
approach the user would be admitted to some other network if their server was issued a certificate by the same CA. If you are using commercial certificates there might be thousands of servers with certificates issued by the same CA. And the user will be able to get onto all of them (if they use EAP-TLS

Re: Problems using EAP-TLS with freeradius version 2

2008-02-07 Thread Stefan Puch
@Arran Cudbard-Bell Write a regular expression to strip off the preceding \ Here's one I did earlier If I remember correctly it's to escape to one \ in the username ... \\ To escape it in the RegExp string, \\ to make \ literal in the regular expression... I'm not so familiar with

Re: Problems using EAP-TLS with freeradius version 2

2008-02-07 Thread Arran Cudbard-Bell
Stefan Puch wrote: @Arran Cudbard-Bell Write a regular expression to strip off the preceding \ Here's one I did earlier If I remember correctly it's to escape to one \ in the username ... \\ To escape it in the RegExp string, \\ to make \ literal in the regular expression...

Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Stefan Puch
Windows and Linux Laptops working again using EAP-TLS and freeradius 2.0.1. I also managed to get a WM2003 and a WM6 PDA connecting using EAP-PEAP. For using EAP-TLS with the Windows Mobile devices I still have to solve one problem, which I think would be no problem for you, the problem

Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Arran Cudbard-Bell
. With that hint I was able to get Windows and Linux Laptops working again using EAP-TLS and freeradius 2.0.1. I also managed to get a WM2003 and a WM6 PDA connecting using EAP-PEAP. For using EAP-TLS with the Windows Mobile devices I still have to solve one problem, which I think would

Re: Problems using EAP-TLS with freeradius version 2

2008-02-05 Thread Reimer Karlsen-Masur, DFN-CERT
and MS Smartcard Logon for EAP-TLS with its built-in supplicant. -- Best regards / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki 15 years of DFN-CERT + 15th DFN-Workshop "Security in Networked Systems" on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de

Re: Reloading CRL for EAP-TLS

2008-02-04 Thread Jan Tomasek
Alan DeKok wrote: Jan Tomasek wrote: When the CRL is changed on disk while freeRadius is running it never notices the changed version and still uses the older cached one. This behavior comes from OpenSSL I guess. For my implementation this is a serious problem. A complete restart of freeRadius will break ongoing

Re: Reloading CRL for EAP-TLS

2008-02-04 Thread Alan DeKok
Jan Tomasek wrote: When the CRL is changed on disk while freeRadius is running it never notices the changed version and still uses the older cached one. This behavior comes from OpenSSL I guess. For my implementation this is a serious problem. A complete restart of freeRadius will break ongoing EAP sessions and

Reloading CRL for EAP-TLS

2008-02-04 Thread Jan Tomasek
Hi, I'm trying implement freeRadius for users using EAP-TLS. My eap.conf: eap { ... tls { private_key_file = /etc/ssl/private/radius.etest.cesnet.cz.key.pem certificate_file = /etc/ssl/certs/radius.etest.cesnet.cz.crt.pem CA_path

Re: Reloading CRL for EAP-TLS

2008-02-04 Thread Alan DeKok
Jan Tomasek wrote: I understand that you are not planning to fix that for old freeRadius 1.1.x. I was testing on this version because the majority of eduroam admins are using this version. Yes. Given the stability of 2.0, and the number of people using it in production, it may be worth

Re: Problems using EAP-TLS with freeradius version 2

2008-02-03 Thread Jeffrey Hutzelman
EKU in the cert. In fact, in that situation, no correct server should accept the certificate for EAP-TLS, because the presence of any EKU means the certificate may _only_ be used for listed usages, and EAP-TLS is not smartcard-based logon. If you want to use a certificate for both purposes

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Alan DeKok
Stefan Puch wrote: Therefore the Makefile is used in the same directory. I'm not really sure, but in Line 93 where the client.pem is created it must be -passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER) Thanks. I've fixed that. It would also be helpful to integrate

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Stefan Puch
. As the Microsoft Smartcard Logon extendedKeyUsage *is NOT part* of the client certificates there should be no problem. Something different seems to be not correct. Did you get a PDA using Windows Mobile working with EAP-TLS with the Windows built-in supplicant and freeradius? If yes, can you tell me

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Reimer Karlsen-Masur, DFN-CERT
built-in certificate store on the PDA. As the Microsoft Smartcard Logon extendedKeyUsage *is NOT part* of the client certificates there should be no problem. Something different seems to be not correct. Did you get a PDA using Windows Mobile working with EAP-TLS with the Windows built

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Alan DeKok
Stefan Puch wrote: - running bootstrap creates ca.pem, server.pem, dh and random which are used with the radius server (server.pem is signed with ca.pem) - running make client.pem creates a client certificate which is signed by the server certificate (in my opinion that cannot work I

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Sebastian Heil
The first question I would like to get an answer for is: Which certificate is needed to sign the client certificate, the CA certificate or the server certificate? It's nonsense, that the server certificate signs the client certificate... it must be signed by the ca certificate. Sebastian

Problems using EAP-TLS with freeradius version 2

2008-01-31 Thread Stefan Puch
flag. Additionally Windows built-in supplicants don't like EE certificates with the extendedKeyUsage Microsoft Smartcard Logon (1.3.6.1.4.1.311.20.2.2) when doing EAP-TLS. Apparently the latter issue can also be solved by just disabling the valid certificate usage of Microsoft Smartcard Logon

Re: Problems using EAP-TLS with freeradius version 2

2008-01-31 Thread Reimer Karlsen-Masur, DFN-CERT
. We found this out by trial and error... Additionally Windows built-in supplicants don't like EE certificates with the extendedKeyUsage Microsoft Smartcard Logon (1.3.6.1.4.1.311.20.2.2) when doing EAP-TLS. Apparently the latter issue can also be solved by just disabling the valid certificate

Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
Stefan Puch wrote: Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began. The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't work on e.g. Windows Mobile 6 PDA

Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Reimer Karlsen-Masur, DFN-CERT
a freeradius server version 1.1.7 in our club to authenticate several Notebooks. This worked fine with Windows XP, Windows Vista and Linux clients using EAP-TLS certificates (many thanks for the good documentation of the OIDs in the TLS certificate). Then some people came with their mobile devices

Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Alan DeKok
Stefan Puch wrote: Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began. The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't work on e.g. Windows Mobile 6 PDA

Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
to authenticate several Notebooks. This worked fine with Windows XP, Windows Vista and Linux clients using EAP-TLS certificates (many thanks for the good documentation of the OIDs in the TLS certificate). Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5

Re: EAP-TLS Machine Authentication problems - Resolved

2008-01-19 Thread Michael Olson
-- Mike Olson Michael Olson wrote: I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the certificates. I can

Re: EAP-TLS Machine Authentication problems

2008-01-18 Thread tnt
attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the certificates. I can authenticate using user certificates fine, so I'm

Re: EAP-TLS Machine Authentication problems

2008-01-18 Thread Michael Olson
to be a machine certificate in the certificate store. Ivan Kalik Kalik Informatika ISP On 18/1/2008, Michael Olson [EMAIL PROTECTED] wrote: I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http

Re: EAP-TLS Machine Authentication problems - Resolved

2008-01-18 Thread Michael Olson
certificate in the certificate store. Ivan Kalik Kalik Informatika ISP On 18/1/2008, Michael Olson [EMAIL PROTECTED] wrote: I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-11 Thread A . L . M . Buxey
Hi, That road is painful. What we've come up so far with is supplying pre-configured supplicants (SecureW2) that bring the proper CA certificate along and set the expected CN automatically. It can even be preconfigured to auto-discard any other certificates, which doesn't give the user any

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Reimer Karlsen-Masur, DFN-CERT
so they most likely implicitly trust these CAs for client authentication via eap-tls, i.e. they enabled EAP-TLS with some set of trusted CAs that were never intended to authenticate client certs for their organisation. Whereas the CA chain of *their FreeRADIUS server's SSL certificate* should

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Alan DeKok
/directory specified in above options. I've added some comments in eap.cnf raddb/certs/README explaining more about these issues. But by doing so they most likely implicitly trust these CAs for client authentication via eap-tls, i.e. they enabled EAP-TLS with some set of trusted CAs that were never

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Reimer Karlsen-Masur, DFN-CERT
server's SSL certificate* in the file/directory specified in above options. I've added some comments in eap.cnf raddb/certs/README explaining more about these issues. But by doing so they most likely implicitly trust these CAs for client authentication via eap-tls, i.e. they enabled EAP-TLS

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Alan DeKok
Reimer Karlsen-Masur, DFN-CERT wrote: Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which has its root CA certificate preinstalled in the standard certificate stores... No. You are saying that the supplicant should trust those root CAs for ALL authentication.

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread A . L . M . Buxey
Hi, RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That means that no one else can successfully convince the users to send them the passwords. seconded/thirded. as UK eduroam support I agree that such a closed-loop system provides a better protection. though more config

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Reimer Karlsen-Masur, DFN-CERT
[EMAIL PROTECTED] wrote on 10.01.2008 14:53: Hi, RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That means that no one else can successfully convince the users to send them the passwords. seconded/thirded. as UK eduroam support I agree that such a closed-loop

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Stefan Winter
Hi, If the supplicant is not configured that strictly, at the end of the day it does not matter if you rolled your own self-signed RADIUS server cert or you have a cert with its root CA pre-installed. Actually, it's not quite the same: if the user at least managed to enable CA checking,

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Alan DeKok
Reimer Karlsen-Masur, DFN-CERT wrote: Actually we were talking about server side config. Yes. The server has been updated to simplify configurations without EAP-TLS, and to document the issues involved in certificates. Looking at the supplicant, the user strongly should enter a fully qualified

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Reimer Karlsen-Masur, DFN-CERT
Stefan Winter wrote on 10.01.2008 15:51: Hi, If the supplicant is not configured that strictly, at the end of the day it does not matter if you rolled your own self-signed RADIUS server cert or you have a cert with its root CA pre-installed. Actually, it's not quite the same: if the user

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread A . L . M . Buxey
Hi, Oh, it exists. It's called subject_match within a network { } stanza of wpa_supplicant, and all the Windows supplicants I've seen so far allow you set your expectations on the server name. It's turned off by default though. agreed. it is there. however, this puts the security on the
