Re: TTLS and TLS




On 05.03.2008 at 17:13, Alan DeKok wrote:

Wolfgang Burger wrote:
I am trying to configure FreeRadius to require a Certificate AND a
username/password to accept a User.
My clients are Macs (10.4.11).

I want TTLS to require a certificate so I've set:
  EAP-TLS-Require-Client-Cert := Yes
in the control items of the request.

  That should work, *if* the Mac client supports TTLS with a client
certificate.

Now I set the client to do TLS (for the cert) and TTLS (for the password).

  Can this even be done on a Mac?

On the Mac, I create a profile. Then I can choose which protocols are included in this profile. So I enable TLS and configure it to use the valid certificate that is already installed. Then I enable TTLS also and configure it to use PAP as the internal identification method.

  Well, that would mean that the client doesn't support sending a
certificate for TTLS. I'm not surprised, this is a fairly rare requirement.


Yes. It doesn't support sending a cert for TTLS.
I thought it would figure out what to do (like FreeRADIUS does) because both protocols are enabled for this profile: TLS with the cert and TTLS with the password.
My settings on the Mac look like:

  On     Protocol
  [x]      TLS
  [x]      TTLS
  [  ]      EAP-FAST
  [  ]      PEAP
  [  ]      LEAP
  [  ]      MD5
My hope was, that this means: "Accept server communications for both".
But now it looks more like "Do TLS or TTLS, whatever the server asks FIRST"

And how do I tell the server, that a valid certificate is not enough to
get in?
In the first log-file, you see that the client can disable ttls and
still is accepted.

  If you want to disable EAP-TLS, then do that:

...
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
...


Thank you for that one.

  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

That's up to the client. If it doesn't give the server a certificate,
there's not much more that it can do.


OK. So I have to do some more experiments. Sigh. I have the server running to secure a WLAN. What I have now is that the users can connect to one SSID, they get asked for a username and password and can connect with the default settings of the Mac (TTLS, PAP and passwd on the server). They get into a special low-security VLAN. Nice.

What I'm trying to do is to have a second SSID.
To connect you need a certificate. I can do that with TLS and it works. But the Mac still asks me for a username and password. I want to use this data. My favourite setup would be to proxy the username and password request to another RADIUS server. That request should be the simplest RADIUS request that is possible: just username and password, without the EAP stuff, as the other server doesn't understand it anyway.

  Alan DeKok

Thank you again for your help

Regards
  Wolfgang Burger
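
As an added example (not from this thread and not from the FreeRADIUS distribution), here is what the combination discussed above looks like in a FreeRADIUS 2.x configuration: reject a bare EAP-TLS session, demand a client certificate for EAP-TTLS, and hand the inner PAP username/password to a second RADIUS server as a plain Access-Request with no EAP in it. The realm name `legacy`, the home server address 192.0.2.10 and the shared secret are placeholders, and the `if` test in the inner tunnel is an assumption about how you want to scope the proxying.

```conf
# raddb/users (FreeRADIUS 2.x)
#
# A bare EAP-TLS session presents nothing but a certificate. Reject it, as
# suggested in the thread, so that a certificate alone never gets a user in.
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject

# For EAP-TTLS, insist on a client certificate in the outer TLS handshake.
# If the supplicant sends none, rlm_eap_tls aborts the handshake with the
# "peer did not return a certificate" error quoted in the thread.
DEFAULT EAP-Type == EAP-TTLS, EAP-TLS-Require-Client-Cert := Yes
        Fall-Through = Yes


# raddb/proxy.conf (FreeRADIUS 2.x)
#
# Hypothetical home server: the legacy RADIUS server that only speaks PAP.
# 192.0.2.10 and the secret are placeholders (assumption).
home_server legacy_radius {
        type = auth
        ipaddr = 192.0.2.10
        port = 1812
        secret = changeme
        response_window = 20
        zombie_period = 40
        status_check = none
}

home_server_pool legacy_pool {
        type = fail-over
        home_server = legacy_radius
}

# The realm name is arbitrary; it is never matched against User-Name here,
# because the inner tunnel selects it explicitly below.
realm legacy {
        pool = legacy_pool
        nostrip
}


# raddb/sites-available/inner-tunnel (FreeRADIUS 2.x)
#
# Addition to the existing authorize section. The TTLS inner request carries
# only User-Name and User-Password (PAP); marking it for proxying sends exactly
# that to the legacy server. There is no EAP-Message inside the tunnel, so the
# home server never sees EAP.
authorize {
        # Assumption: only plain PAP inner requests are proxied.
        if (User-Password && !EAP-Message) {
                update control {
                        Proxy-To-Realm := "legacy"
                }
        }
}
```

With this in place a user must pass both checks: the outer TLS handshake fails unless the supplicant presents a certificate the server trusts, and the inner Access-Accept comes only from the legacy server's verdict on the username and password. The caveat is the one the thread already established: it only works with a supplicant that sends a client certificate during TTLS, which the Mac 10.4 client does not do, so enabling TLS and TTLS side by side in the profile does not produce that combination.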
