RE: TLS authentication works, but does not check usernames against 'users' file.
-Original Message-
On Behalf Of Andrew Bovill

> Hi, I'm trying to get WPA Enterprise EAP/TLS working with my wireless router.
> It appears that the TLS portion of the authentication works (valid certificates give me a working connection) but it does NOT appear to actually be checking the username/password combination that is also sent along the line.
> I have followed the WPA_HOWTO as best I could (my clients are OS X and Android and Gentoo, not Windows XP) but I can't figure out how to 'fail' an auth attempt with an invalid user/pass combination.
> Here is the debug output:
> Thanks for any advice. I didn't want to start reconfiguring with a shotgun :)

*snipped*

IIRC, that is how EAP-TLS works. If the client has a valid certificate, it can connect.

Check this previous message that is similar to what I think you are trying to do:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg66246.html

--
John D McDonnell
Penn Cambria School District
mcdon...@pcam.org
ASCII Ribbon Campaign - http://www.asciiribbon.org/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS authentication works, but does not check usernames against 'users' file.
On 11/30/2010 11:05 AM, John McDonnell wrote:
> -Original Message-
> On Behalf Of Andrew Bovill
>> Hi, I'm trying to get WPA Enterprise EAP/TLS working with my wireless router.
>> It appears that the TLS portion of the authentication works (valid certificates give me a working connection) but it does NOT appear to actually be checking the username/password combination that is also sent along the line.
>> I have followed the WPA_HOWTO as best I could (my clients are OS X and Android and Gentoo, not Windows XP) but I can't figure out how to 'fail' an auth attempt with an invalid user/pass combination.
>> Here is the debug output:
>> Thanks for any advice. I didn't want to start reconfiguring with a shotgun :)
> *snipped*
>
> IIRC, that is how EAP-TLS works. If the client has a valid certificate, it can connect.
>
> Check this previous message that is similar to what I think you are trying to do:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg66246.html

Cool, I was wondering about that. It just seems weird that nearly ALL of the supplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate.

Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant?

Thanks
--Andrew Bovill
Re: TLS authentication works, but does not check usernames against 'users' file.
On 30/11/10 16:10, Andrew Bovill wrote:
> It just seems weird that nearly ALL of the supplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate.
>
> Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant?

Well, the username goes into the EAP-Identity field. For example you might put:

  u...@home.org.com

...and be in a radius roaming federation like eduroam, but your certificate may contain:

  cn=user,o=Home Org,...

...so you need to be able to specify a username.

Password is not used in EAP-TLS; the supplicants I've seen don't ask for it (Windows, MacOS, Linux/NetworkManager, Nokia E-series).
Re: TLS authentication works, but does not check usernames against 'users' file.
On 11/30/2010 11:15 AM, Phil Mayers wrote:
> On 30/11/10 16:10, Andrew Bovill wrote:
>> It just seems weird that nearly ALL of the supplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate.
>>
>> Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant?
>
> Well, the username goes into the EAP-Identity field. For example you might put:
>
>   u...@home.org.com
>
> ...and be in a radius roaming federation like eduroam, but your certificate may contain:
>
>   cn=user,o=Home Org,...
>
> ...so you need to be able to specify a username.
>
> Password is not used in EAP-TLS; the supplicants I've seen don't ask for it (Windows, MacOS, Linux/NetworkManager, Nokia E-series).

Ok, this makes more sense now. I think what was throwing me off was that the Android supplicant asks for the following when doing 802.1x EAP:

  EAP Method (I chose TLS)
  Phase 2 authentication (I left as none, but has things like CHAP, PAP, etc)
  CA cert
  user cert
  Identity
  Anonymous Identity
  Password

It seemed to me that it wouldn't connect if I left the Identity blank, so that may be what was confusing me.

It doesn't seem to me like there would be, but is there any way to have, say, a 'guest' certificate, that can be handed out to multiple people and be used simultaneously with EAP/TLS?

--Andrew
Re: TLS authentication works, but does not check usernames against 'users' file.
On 30/11/10 16:55, Andrew Bovill wrote:
> It seemed to me that it wouldn't connect if I left the Identity blank, so that may be what was confusing me.

Most supplicants will use the cn=XXX from the cert as the identity, but it really makes sense to ask, because they may not be (often are not) the same.

> It doesn't seem to me like there would be, but is there any way to have, say, a 'guest' certificate, that can be handed out to multiple people and be used simultaneously with EAP/TLS?

A certificate is like any other credential; anyone who knows it (or has it) can use it. Whether that's a good idea is another matter; how do you revoke it and manage re-issuance once one guest leaves? How do you distinguish between their activity? And so on.
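Both points raised in this thread, the EAP-Identity not being tied to the certificate and the question of revoking a certificate once it has been shared, can be enforced on the server side. The following is an added example, not configuration from the thread or from the FreeRADIUS project defaults: a `tls` section for a FreeRADIUS 2.x `raddb/eap.conf` (the release current at the time of this thread); the file paths and the issuer DN are placeholders.

```conf
# Added example (not from the thread): FreeRADIUS 2.x raddb/eap.conf.
# The paths and the issuer DN are placeholders; adjust to your CA layout.
certdir = ${confdir}/certs
cadir = ${confdir}/certs

eap {
    default_eap_type = tls

    tls {
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom

        # Bind the EAP-Identity to the certificate: the Common Name of the
        # client certificate must equal the expanded value, here the
        # User-Name the supplicant sent as its identity. A valid certificate
        # presented together with someone else's identity is rejected
        # instead of being accepted on the certificate alone.
        check_cert_cn = %{User-Name}

        # Accept only certificates issued by our own CA, not any
        # certificate that merely chains to something in CA_file.
        check_cert_issuer = "/C=XX/O=Example Org/CN=Example CA"

        # Check a CRL so a leaked or retired certificate (the shared
        # "guest" case above) can be revoked before it expires.
        # CA_path must hold the CRL under its OpenSSL hashed name.
        check_crl = yes
        CA_path = ${cadir}
    }
}
```

With `check_cert_cn` in place the `users` file is still not what decides the outcome; the certificate Common Name and the identity are compared during the TLS handshake, and a mismatch fails the authentication in the debug output.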