Problems using EAP-TLS with freeradius version 2
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Wed Feb 6 10:01:39 CET 2008
Stefan Puch wrote:
> @Alan DeKok
>
>> I'll bet that if you posted the final Access-Accept from 1.1.7 and from
>> 2.0.1, that they would be *different*. If you make them the same, I'll also
>> bet that the NAS will accept the user.
>>
> You were right (you win the bet), I accidentally commented out an entry in the
> "default" file, whose settings were included in radiusd.conf in the previous
> version of freeradius
>
>
>> Stop fighting with the certificates. You're wasting your time, and confusing
>> yourself. Start looking at the contents of the Access-Accept, which is the
>> only thing that really matters.
>>
> With that hint I was able to get Windows and Linux Laptops working again using
> EAP-TLS and freeradius 2.0.1. I also managed to get a WM2003 and a WM6 PDA
> connecting using EAP-PEAP.
> For using EAP-TLS with the Windows Mobile devices I still have to solve one
> problem, which I think would be no problem for you, the problem with the
> username of the devices.
>
> If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a
> working configuration, but in the end it should also work with that option enabled.
> The problem with the Windows Mobile devices is that they always submit the
> username as "DOMAIN\user". If you leave the DOMAINNAME blank, "\user" is still used.
> Since the radiusd.conf hints say that I should NOT use the option
> "with_ntdomain_hack" (and when I tested it, it still didn't work for me) I wanted to
> use the "Realm module".
> But at the moment I don't fully understand how realms work, although I did read
> the posting on this mailing list (from 2004) and the manpage.
>
> I know that I will have to use the realm module
>
You don't... you're using 2.01?
Write a regular expression to strip off the preceding \
Here's one I did earlier.... If I remember correctly it's \\\\ to escape
to one \ in the username ... \\ to escape it in the RegExp string, \\ to
make \ literal in the regular expression...
authorize {
    # USERNAME FORMATTING
    # User-Name formatting: extracts Realm and User, ignores the NT domain.
    # This will accept
    #   * user
    #   * user@domain
    #   * ntdomain\\user
    #   * ntdomain\\user@domain
    if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
        update request {
            Stripped-User-Name = "%{1}"
        }
    }
    ...
}
You then use:
check_cert_cn = %{Stripped-User-Name}
> PS: When I've got a working configuration for the Windows Mobile devices, I'm
> going to write a little HOWTO like the one "EAP/TLS Setup for FreeRADIUS and
> Windows XP Supplicant" just for Mobile PDAs
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
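As an added illustration (not part of the original mail or of the FreeRADIUS project), here is the same expression expressed in Python so the four accepted forms and the check_cert_cn comparison can be exercised offline; the user names below are constructed samples, and the function names are mine.

```python
import re

# Python form of the unlang expression from the reply:
#   /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/
# In the unlang string \\\\ reaches the regex engine as \\ (a literal
# backslash); a Python raw string needs only \\ for the same thing.
# Python's re has no [:alnum:], so it is written out as a-zA-Z0-9
# (ASCII only; the POSIX class in FreeRADIUS may be locale-dependent).
USER_NAME_RE = re.compile(r'\\?([^@\\]+)@?([-a-zA-Z0-9._]*)?$')


def strip_user_name(user_name: str):
    """Return (stripped_user, realm) as the authorize block derives them:
    %{1} becomes Stripped-User-Name, %{2} is the realm part.
    Returns None when the expression does not match, in which case
    Stripped-User-Name would simply stay unset."""
    # unlang's =~ is an unanchored search, so use re.search, not re.match.
    m = USER_NAME_RE.search(user_name)
    if m is None:
        return None
    return m.group(1), (m.group(2) or "")


def cert_cn_matches(user_name: str, cert_cn: str) -> bool:
    """Mirror check_cert_cn = %{Stripped-User-Name}: the CN in the client
    certificate must equal the user name with NT domain and realm removed,
    which is what binds the presented certificate to the claimed identity."""
    parsed = strip_user_name(user_name)
    return parsed is not None and parsed[0] == cert_cn


if __name__ == "__main__":
    # Constructed sample User-Name values, including the Windows Mobile forms.
    for name in ["user", "user@example.org", "NTDOMAIN\\user",
                 "NTDOMAIN\\user@example.org", "\\user"]:
        print(f"{name!r:32} -> {strip_user_name(name)}")
    # With the CN check against the raw User-Name the mobile devices fail;
    # against Stripped-User-Name they pass.
    print(cert_cn_matches("NTDOMAIN\\user", "user"))  # True
```

Note that the search is not anchored at the start of the string, so a malformed value such as "@example.org" still yields a stripped name ("example.org"); the certificate CN comparison is what finally decides whether the session is accepted.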