Re: RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate

2007-04-25 Thread Eshun Benjamin
Use this:

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        # Supported EAP-types
        # EAP-TLS
        tls {
                private_key_password = x
                private_key_file = ${raddbdir}/certs/freeradius_key.pem
                certificate_file = ${raddbdir}/certs/freeradius_cert.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024

                include_length = yes
        }

        peap {
                default_eap_type = mschapv2
                proxy_tunneled_request_as_eap = no
        }

        #tls {
        #        private_key_password = x
        #        private_key_file = ${raddbdir}/certs/freeradius_key.pem
        #        certificate_file = ${raddbdir}/certs/freeradius_cert.pem
        #        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        #        dh_file = ${raddbdir}/certs/dh
        #        random_file = ${raddbdir}/certs/random
        #        fragment_size = 1024
        #        include_length = yes
        #}

        mschapv2 {
        }
}
==

Benjamin K. Eshun

- Original Message -
From: Marcelo Augusto Rodrigues Pimentel [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 24 April 2007, 20:36:17
Subject: RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate



> Marcelo Augusto Rodrigues Pimentel wrote:
>> OK. But I'm trying to use peap to make an encrypted tunnel validating the
>> server certificate and then I want to authenticate the clients with EAP-TLS
>> using client/server certificate. The TLS tunnel is working fine, but the
>> second part of EAP-TLS authentication is not.
>
>   What second part of EAP-TLS?  The server supports authenticating via
> client certificates, and nothing else.


I said two parts, because those parts of my configuration use TLS:

The first part is making the encrypted tunnel using PEAP -- only validates the
server certificate to create the tunnel.

The second part is the authentication inside the tunnel with EAP-TLS -- mutual
validation of client and server certificates.

This configuration is like George Ou said below:
...
PEAP-EAP-TLS is an improved version of the original EAP-TLS protocol that goes
further to encrypt client digital certificate information.  Both PEAP-EAP-TLS
and EAP-TLS have the same server and client side digital certificate
requirements.
...

Reference: Wireless LAN security guide -- Level 3: Medium to large Enterprise
WLAN security http://www.lanarchitect.net/Articles/Wireless/SecurityRating/


Thanks!


>> So in the peap section in the eap.conf, what do I have to configure for
>> default eap type? Is it tls?
>
>   No.  You can leave it alone.  It's fine.
>
>> If I configure tls, do I have to create a tls section in the peap section, or
>> is the tls section of the eap.conf enough? I've attached my eap.conf file.
>
>   If you want to use just TLS, you don't need the PEAP section.  If you
> want to use PEAP, you need the TLS section.  The comments in the
> eap.conf file explain this.






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







  

Re: PEAP/EAP-TLS with client and server certificate

2007-04-24 Thread Alan DeKok
Marcelo Augusto Rodrigues Pimentel wrote:
> I'm trying to configure freeradius with PEAP + EAP-TLS, but
> I'm somewhat confused about how to configure the radiusd.conf (sections
> authorize and authentication) and eap.conf.
>
> Has anyone implemented this configuration?

  Yes.  Many people.

> In the eap.conf file is the default eap type TLS or PEAP?

  If you're doing PEAP, then it should be peap.

> What do I have to configure in the authorize and authentication
> sections?

  For basic peap, not much.  Just configure eap.conf.

> *FreeRADIUS Version 1.0.1*

  Why not run 1.1.6, which has many more bug fixes and features?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RES: Re: PEAP/EAP-TLS with client and server certificate

2007-04-24 Thread Marcelo Augusto Rodrigues Pimentel


>> I'm trying to configure freeradius with PEAP + EAP-TLS, but
>> I'm somewhat confused about how to configure the radiusd.conf (sections
>> authorize and authentication) and eap.conf.
>>
>> Has anyone implemented this configuration?
>
>   Yes.  Many people.
>
>> In the eap.conf file is the default eap type TLS or PEAP?
>
>   If you're doing PEAP, then it should be peap.
>
>> What do I have to configure in the authorize and authentication
>> sections?
>
>   For basic peap, not much.  Just configure eap.conf.

OK. But I'm trying to use peap to make an encrypted tunnel validating the
server certificate and then I want to authenticate the clients with EAP-TLS
using client/server certificate. The TLS tunnel is working fine, but the second
part of EAP-TLS authentication is not.

So in the peap section in the eap.conf, what do I have to configure for default
eap type? Is it tls? If I configure tls, do I have to create a tls section in the
peap section, or is the tls section of the eap.conf enough? I've attached my
eap.conf file.

Thanks!!


eap.conf

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        # Supported EAP-types
        # EAP-TLS
        tls {
                private_key_password = x
                private_key_file = ${raddbdir}/certs/freeradius_key.pem
                certificate_file = ${raddbdir}/certs/freeradius_cert.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024

                include_length = yes
        }

        peap {
                default_eap_type = tls
        }

        #tls {
        #        private_key_password = x
        #        private_key_file = ${raddbdir}/certs/freeradius_key.pem
        #        certificate_file = ${raddbdir}/certs/freeradius_cert.pem
        #        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        #        dh_file = ${raddbdir}/certs/dh
        #        random_file = ${raddbdir}/certs/random
        #        fragment_size = 1024
        #        include_length = yes
        #}

        #mschapv2 {
        #}
}


>> *FreeRADIUS Version 1.0.1*
>
>   Why not run 1.1.6, which has many more bug fixes and features?
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog





Re: RES: Re: PEAP/EAP-TLS with client and server certificate

2007-04-24 Thread Alan DeKok
Marcelo Augusto Rodrigues Pimentel wrote:
> OK. But I'm trying to use peap to make an encrypted tunnel validating the
> server certificate and then I want to authenticate the clients with EAP-TLS
> using client/server certificate. The TLS tunnel is working fine, but the
> second part of EAP-TLS authentication is not.

  What second part of EAP-TLS?  The server supports authenticating via
client certificates, and nothing else.

> So in the peap section in the eap.conf, what do I have to configure for
> default eap type? Is it tls?

  No.  You can leave it alone.  It's fine.

> If I configure tls, do I have to create a tls section in the peap section, or
> is the tls section of the eap.conf enough? I've attached my eap.conf file.

  If you want to use just TLS, you don't need the PEAP section.  If you
want to use PEAP, you need the TLS section.  The comments in the
eap.conf file explain this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate

2007-04-24 Thread Marcelo Augusto Rodrigues Pimentel


> Marcelo Augusto Rodrigues Pimentel wrote:
>> OK. But I'm trying to use peap to make an encrypted tunnel validating the
>> server certificate and then I want to authenticate the clients with EAP-TLS
>> using client/server certificate. The TLS tunnel is working fine, but the
>> second part of EAP-TLS authentication is not.
>
>   What second part of EAP-TLS?  The server supports authenticating via
> client certificates, and nothing else.


I said two parts, because those parts of my configuration use TLS:

The first part is making the encrypted tunnel using PEAP -- only validates the
server certificate to create the tunnel.

The second part is the authentication inside the tunnel with EAP-TLS -- mutual
validation of client and server certificates.

This configuration is like George Ou said below:
...
PEAP-EAP-TLS is an improved version of the original EAP-TLS protocol that goes
further to encrypt client digital certificate information.  Both PEAP-EAP-TLS
and EAP-TLS have the same server and client side digital certificate
requirements.
...

Reference: Wireless LAN security guide -- Level 3: Medium to large Enterprise
WLAN security http://www.lanarchitect.net/Articles/Wireless/SecurityRating/


Thanks!


>> So in the peap section in the eap.conf, what do I have to configure for
>> default eap type? Is it tls?
>
>   No.  You can leave it alone.  It's fine.
>
>> If I configure tls, do I have to create a tls section in the peap section, or
>> is the tls section of the eap.conf enough? I've attached my eap.conf file.
>
>   If you want to use just TLS, you don't need the PEAP section.  If you
> want to use PEAP, you need the TLS section.  The comments in the
> eap.conf file explain this.







Re: RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate

2007-04-24 Thread Alan DeKok
Marcelo Augusto Rodrigues Pimentel wrote:
> I said two parts, because those parts of my configuration use TLS:
>
> The first part is making the encrypted tunnel using PEAP -- only validates the
> server certificate to create the tunnel.
>
> The second part is the authentication inside the tunnel with EAP-TLS --
> mutual validation of client and server certificates.

  FreeRADIUS doesn't support EAP-TLS inside of PEAP.  It's also
unnecessary.  PEAP can have client certificates, and therefore doesn't
need an inner TLS stage for client certificates.

> This configuration is like George Ou said below:

  Which isn't supported in FreeRADIUS.  If you tried using it on the
client side, and running the server in debugging mode, the server would
tell you it isn't supported.  I'm not even sure that the Windows
supplicant supports it.

  If you want the server to support it, there are a number of options
open to you.  Send in patches, or fund someone to write the patches.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
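As an added example (not code from this thread or from the FreeRADIUS project), the following Python lint parses the brace-nested eap.conf format used above and flags the two points Alan makes: `default_eap_type = tls` inside `peap {}` (EAP-TLS inside PEAP is not supported) and a `peap` section without the `tls` section it depends on. The embedded configuration is constructed to mirror Marcelo's attachment.

```python
# Constructed eap.conf modelled on the attachment in this thread (not a real file):
# PEAP whose inner default_eap_type is "tls", which Alan says is unsupported.
SAMPLE_EAP_CONF = """
eap {
        default_eap_type = peap
        tls {
                private_key_file = ${raddbdir}/certs/freeradius_key.pem
                certificate_file = ${raddbdir}/certs/freeradius_cert.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        }
        peap {
                default_eap_type = tls
        }
}
"""

def parse_sections(text):
    """Parse the brace-nested 'key = value' eap.conf format into nested dicts."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                # open a nested section
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":                     # close the current section
            cur = stack.pop()
        elif "=" in line:                     # ordinary setting
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return root

def lint_eap_conf(text):
    """Return findings for the PEAP/EAP-TLS mistakes discussed in the thread."""
    eap = parse_sections(text).get("eap", {})
    peap, tls = eap.get("peap"), eap.get("tls")
    findings = []
    if isinstance(peap, dict) and peap.get("default_eap_type") == "tls":
        findings.append("peap.default_eap_type = tls: EAP-TLS inside PEAP is not "
                        "supported by FreeRADIUS; use an inner type such as mschapv2")
    if isinstance(peap, dict) and tls is None:
        findings.append("peap is configured but there is no tls section: PEAP needs it")
    return findings
```

Running `lint_eap_conf` over the real eap.conf before restarting radiusd catches the configuration in this thread without waiting for the server's debug output.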


PEAP/EAP-TLS with client and server certificate

2007-04-23 Thread Marcelo Augusto Rodrigues Pimentel

Hi,

I'm trying to configure freeradius with PEAP + EAP-TLS, but I'm
somewhat confused about how to configure the radiusd.conf (sections authorize and
authentication) and eap.conf.

Has anyone implemented this configuration?

In the eap.conf file is the default eap type TLS or PEAP?

What do I have to configure in the authorize and authentication sections?

I've attached my conf files below.

Best Regards ...

FreeRADIUS Version 1.0.1

eap.conf

eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        # Supported EAP-types
        # EAP-TLS
        tls {
                private_key_password = xxx
                private_key_file = ${raddbdir}/certs/freeradius_key.pem
                certificate_file = ${raddbdir}/certs/freeradius_cert.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024

                include_length = yes
        }

        peap {
                default_eap_type = tls
        }

        #tls {
        #        private_key_password = xx
        #        private_key_file = ${raddbdir}/certs/freeradius_key.pem
        #        certificate_file = ${raddbdir}/certs/freeradius_cert.pem
        #        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        #        dh_file = ${raddbdir}/certs/dh
        #        random_file = ${raddbdir}/certs/random
        #        fragment_size = 1024
        #        include_length = yes
        #}

        #mschapv2 {
        #}
}

radiusd.conf (only authorize and authentication sections)

...

# Instantiation
instantiate {
}

#
authorize {
        preprocess
        files
        mschap
        eap
}

# Authentication.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

...



