Problem with EAP/TLS and XP SP2

Hal Pomeranz hal at deer-run.com
Sat Nov 5 04:08:33 CET 2005


> See the "scripts" directory that comes with FreeRADIUS.  There's a
> "CA.certs" script which tries to create sample certificates.

It turns out that this was the pointer I needed.  Note that the
CA.certs script is a little broken, but it's broken in obvious ways
that are easily fixed.  A fixed version is attached.

Once I got the script working, set the correct cert pathnames in
eap.conf, and loaded the new certs onto my XP laptop, everything
worked just fine.  I will note however that if I try to set:

	check_cert_cn = %{User-Name}

in the "tls" section of eap.conf, then I am unable to connect to the
network with EAP/TLS.  I don't fully understand from the docs what
this parameter is doing exactly.  Is this supposed to work?  Is there
some configuration (perhaps in my users file) that I'm missing?  What
is the impact of NOT setting this parameter?

Also, another note for folks using DLink gear like I am.  If you are
turning on MAC filtering, be sure to include the MAC address of your
radius server in the list of allowed MAC addresses or else
authentication will fail (at least on the DI-784, which is what I have).  My
initial assumption had been that the MAC filtering only applied to
which wireless NICs should be allowed to connect, but I was obviously
wrong about that.

-- 
Hal Pomeranz, Founder/CEO      Deer Run Associates      hal at deer-run.com
    Network Connectivity and Security, Systems Management, Training
-------------- next part --------------
#!/bin/sh

#
#  This is a NON-INTERACTIVE script to help generate certificates for
#  use with the EAP-TLS module.
#
#	$Id: CA.certs,v 1.1 2005/11/05 01:12:33 hal Exp hal $

#
#  This environment variable should point to the SSL installation
#
[ "$SSL" = "" ] && SSL=/usr/local/ssl
export SSL

#
#  Edit the following variables for your organization.
#
COUNTRY="CA"
PROVINCE="Province"
CITY="Some City"
ORGANIZATION="Organization"
ORG_UNIT=`hostname`
PASSWORD="whatever"

COMMON_NAME_CLIENT="Client certificate"
EMAIL_CLIENT="client@example.com"
PASSWORD_CLIENT=$PASSWORD

COMMON_NAME_SERVER="Server certificate"
EMAIL_SERVER="server@example.com"
PASSWORD_SERVER=$PASSWORD

COMMON_NAME_ROOT="Root certificate"
EMAIL_ROOT="root@example.com"
PASSWORD_ROOT=$PASSWORD

#
#  lifetime, in days, of the certs
#
LIFETIME=730

######################################################################
#
#  Don't change anything below this line...
#
######################################################################

#
#  Prefer the SSL configured above, over any previous installation.
#
PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
LD_LIBRARY_PATH=${SSL}/lib
export PATH LD_LIBRARY_PATH

rm -rf demoCA roo* cert* *.pem *.der

echo -e ""
echo -e "\t\t##################"
echo -e "\t\tcreate private key"
echo -e "\t\tname : name-root"
echo -e "\t\tCA.pl -newcert"
echo -e "\t\t##################\n"

(echo $COUNTRY
echo $PROVINCE
echo $CITY
echo $ORGANIZATION
echo $ORG_UNIT
echo $COMMON_NAME_ROOT
echo $EMAIL_ROOT
) | openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
if [ "$?" != "0" ]
then
    echo "Failed to create root certificate"
    exit 1
fi

echo -e ""
echo -e "\t\t##################"
echo -e "\t\tcreate CA"
echo -e "\t\tuse just created 'newreq.pem' private key as filename"
echo -e "\t\tCA.pl -newca"
echo -e "\t\t##################\n"

echo "newreq.pem" | CA.pl -newca || exit 2

#ls -lg demoCA/private/cakey.pem

echo -e ""
echo -e "\t\t##################"
echo -e "\t\texporting ROOT CA"
echo -e "\t\tCA.pl -newreq"
echo -e "\t\tCA.pl -signreq"
echo -e "\t\topenssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.pem"
echo -e "\t\topenssl pkcs12 -in root.cer -out root.pem"
echo -e "\t\t##################\n"

# Bundle the CA cert with its key, then re-export PEM and DER copies of the
# CA cert for the clients.  Bail out on any failure, as the later steps do.
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT || exit 3
openssl pkcs12 -in root.p12 -out root.pem -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT || exit 4
openssl x509 -inform PEM -outform DER -in root.pem -out root.der || exit 11

echo -e ""
echo -e "\t\t##################"
echo -e "\t\tcreating client certificate"
echo -e "\t\tname : name-clt"
echo -e "\t\tclient certificate stored as cert-clt.pem"
echo -e "\t\tCA.pl -newreq"
echo -e "\t\tCA.pl -signreq"
echo -e "\t\t##################\n"

(echo $COUNTRY
echo $PROVINCE
echo $CITY
echo $ORGANIZATION
echo $ORG_UNIT
echo $COMMON_NAME_CLIENT
echo $EMAIL_CLIENT
echo $PASSWORD_CLIENT    # answer to the "A challenge password" prompt
echo "testing"           # answer to the "An optional company name" prompt
) | openssl req -new -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT
if [ "$?" != "0" ]
then
    echo "Failed to create client certificate"
    exit 1
fi

# Signing is done with the CA (root) key, so the root password is the one
# openssl ca needs here, not the client password.
(echo y
echo y) | openssl ca  -policy policy_anything -out newcert.pem -passin pass:$PASSWORD_ROOT -key $PASSWORD_ROOT -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
if [ "$?" != "0" ]
then
    echo "Failed to sign client certificate"
    exit 1
fi

openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT || exit 8
openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT || exit 9
openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der || exit 10

echo -e ""
echo -e "\t\t##################"
echo -e "\t\tcreating server certificate"
echo -e "\t\tname : name-srv"
echo -e "\t\tserver certificate stored as cert-srv.pem"
echo -e "\t\tCA.pl -newreq"
echo -e "\t\tCA.pl -signreq"
echo -e "\t\t##################\n"

(echo $COUNTRY
echo $PROVINCE
echo $CITY
echo $ORGANIZATION
echo $ORG_UNIT
echo $COMMON_NAME_SERVER
echo $EMAIL_SERVER
echo $PASSWORD_SERVER    # answer to the "A challenge password" prompt
echo $ORG_UNIT           # answer to the "An optional company name" prompt
) | openssl req -new  -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
if [ "$?" != "0" ]
then
    echo "Failed to create server certificate"
    exit 1
fi

# As above: the CA (root) key signs the request, so use the root password.
(echo y
echo y) | openssl ca  -policy policy_anything  -out newcert.pem -passin pass:$PASSWORD_ROOT -key $PASSWORD_ROOT -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
if [ "$?" != "0" ]
then
    echo "Failed to sign server certificate"
    exit 1
fi

openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER || exit 5
openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER || exit 6
openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der || exit 7

echo -e "\n\t\t#################################"
echo -e "\t\tDONE.  Thank you for your patience."
echo -e "\t\t###################################\n"

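Added example (editor's note; not part of Hal's post or of the FreeRADIUS scripts): `check_cert_cn = %{User-Name}` makes rlm_eap_tls compare the CN of the client certificate with the User-Name the supplicant sends, so a certificate made with the script's default COMMON_NAME_CLIENT="Client certificate" will never match. This check pulls the CN out of a subject line, in both the old "/C=.../CN=..." and the newer "C = ..., CN = ..." form printed by `openssl x509 -noout -subject`, and compares it with a User-Name. The subject strings, the host name "laptop" and the User-Name "hal" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or FreeRADIUS): would the CN of a
# client certificate match the User-Name that check_cert_cn compares it with?
cert_cn_from_subject() {
    # $1: one "subject=" line as printed by `openssl x509 -noout -subject`.
    # Handles the old "/C=CA/.../CN=name/emailAddress=..." layout and the
    # newer "C = CA, ..., CN = name, emailAddress = ..." layout.
    printf '%s\n' "$1" | sed -n '
s/^subject= *//
/^\//{
s/.*\/CN=\([^\/]*\).*/\1/p
q
}
s/^/, /
s/.*, *CN *= *\([^,]*\).*/\1/p
'
}

cn_matches_user() {
    # $1: subject line, $2: the User-Name the supplicant sends.
    # Returns 0 (true) when the CN equals the User-Name, 1 otherwise.
    [ "$(cert_cn_from_subject "$1")" = "$2" ]
}

cert_subject() {
    # Read the subject line from a PEM certificate such as cert-clt.pem.
    # Not exercised below, so the example runs without a certificate file.
    openssl x509 -in "$1" -noout -subject
}
# Constructed subject, as the script above would produce with its defaults
# (ORG_UNIT comes from `hostname`; "laptop" stands in for it here).
SCRIPT_DEFAULT_SUBJECT='subject= /C=CA/ST=Province/L=Some City/O=Organization/OU=laptop/CN=Client certificate/emailAddress=client@example.com'

# Constructed subject for a client certificate issued with CN set to the
# account name "hal" instead of the script default.
PER_USER_SUBJECT='subject=C = CA, ST = Province, O = Organization, CN = hal, emailAddress = hal@example.com'

report() {
    # Prints whether each constructed certificate would pass a CN check for "hal".
    for s in "$SCRIPT_DEFAULT_SUBJECT" "$PER_USER_SUBJECT"; do
        if cn_matches_user "$s" hal; then
            echo "CN '$(cert_cn_from_subject "$s")' matches User-Name hal"
        else
            echo "CN '$(cert_cn_from_subject "$s")' does NOT match User-Name hal"
        fi
    done
}
report
```

To test a real certificate, feed `cert_subject cert-clt.pem` to `cn_matches_user` with the account name the XP supplicant will present.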
