howto EAP-TLS on freeradius 2.0.2-3 ??

Joel MBA OYONE mba_oyone at yahoo.fr
Sun May 18 18:30:42 CEST 2008


Ivan  Kalik wrote:

> Please don't mess with configuration. Default one works. Your problem
> was with the user certificate.

http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/ConfiguringFreeRADIUSwithIDMbyExample_Dec_07_WW_Eng_Ltr.pdf

> 
On page 52 you have a picture of the Details tab list with Enhanced Key
>
Usage filed containing client OID. Does your client certificate have
>
that field and that value?

Hi  Ivan!
you can view screenshots of the certificate here:

- CA Certificate that i imported on XP with DER format:
http://img357.imageshack.us/img357/2264/cacertificate1wj4.jpg

- Client Certificate with p12 format:
http://img164.imageshack.us/img164/2894/certifclient1kf1.jpg
http://img164.imageshack.us/img164/7527/certifclient2rv3.jpg

sorry for the delay, i was in a trip!
I am still blocked on "Identity validation when i try to use eap-tls"
attached
files contain snapshot of my CA certificate (cacert.der) and my client
certificate (joel_certs.p12) olus the command lines applied to obtain
them.
Please let me know if they are corrects, like i suppose it to be!

here is my eap-tls configuration:
####################################################################
Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/CA/other_keys/servradiuskey.pem"
        certificate_file = "/etc/raddb/certs/CA/certs/serverradiuscert.pem"
        CA_file = "/etc/raddb/certs/CA/cacert.pem"
        private_key_password = "wireless"
        dh_file = "/etc/raddb/certs/CA/dh"
        random_file = "/etc/raddb/certs/CA/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
   }
###############################################################


My scripts:
######################################################################
#  Creating a new self-signed CA certificate
######################################################################
cakey.key cacert.pem:
    openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config ./ca.cnf 

# DER Forma of rhe CA certificate, that i imported on windows XP
ca.der: ca.pem (DER format)
    openssl x509 -inform PEM -outform DER -in cac.pem -out ca.der

######################################################################
#  Creating a certificate request for Server
######################################################################
openssl
req -newkey rsa:1024 -keyout
/etc/raddb/certs/CA/other_keys/servradiuskey.pem -out
/etc/raddb/certs/CA/req/servradius_cert.req  

######################################################################
#  Signing the Server certificate with the correctextension
######################################################################
openssl
ca -out /etc/raddb/certs/CA/certs/serverradiuscert.pem -extensions
xpserver_ext -extfile /etc/ssl/xpextensions -infiles
/etc/raddb/certs/CA/req/servradius_cert.req  

######################################################################
#  Creating a certificate request for Client
######################################################################
openssl req -new -nodes -keyout /etc/raddb/certs/CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/req/joel_cert.req  

######################################################################
#  Signing the Client certificate with the correctextension
######################################################################
openssl
ca -out /etc/raddb/certs/CA/certs/joel_cert.pem -extensions
xpclient_ext -extfile /etc/ssl/xpextensions -infiles
/etc/raddb/certs/CA/req/joel_cert.req  

######################################################################
#  Converting the Client certificate in p12 file
######################################################################
openssl
pkcs12 -export -in CA/certs/joel_cert.pem -inkey
CA/other_keys/joelkey.pem -out
/etc/raddb/certs/CA/certs/joel_certs.p12  -clcerts


######################################################################
** lemme know if i did something wrong creating my certificate please**

That is all i did.

Thank you

===================================================================================
======================================================================================================================================================================


Please don't mess with configuration. Default one works. Your problem
was with the user certificate.

http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/ConfiguringFreeRADIUSwithIDMbyExample_Dec_07_WW_Eng_Ltr.pdf

On page 52 you have a picture of the Details tab list with Enhanced Key
Usage filed containing client OID. Does your client certificate have
that field and that value?

Ivan Kalik
Kalik Informatika ISP


Dana 7/5/2008, "Joel MBA OYONE" <mba_oyone at yahoo.fr> piše:

>Ok,
>
>i
think i really missed something! that config should take less than 15
minutes but i can't solve my problem for more than a week.
>
>Alan
or Ivan, could you give me a half our to help me to fix my RADIUS
EAP-TLS config please. i would like to give you a full access to my
network and my terminal too, so the diagnostic should be very very easy
for you!
>is it possible?
>
> 
>MBA OYONE JoĂŤl
>Lot. El Firdaous
>Bât GH20, Porte A 204, Appt 8
>20000 Oulfa
>Casablanca - Maroc
> 
>TĂŠl. : +212 69 25 85 70
>
>
>----- Message d'origine ----
>De : Alan DeKok <aland at deployingradius.com>
>� : FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>EnvoyĂŠ le : Lundi, 5 Mai 2008, 17h18mn 10s
>Objet : Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??
>
>Joel MBA OYONE wrote:
>...
>> The VLAN attributes defined in RFC3580 are as follows:
>> �  Tunnel-Type=VLAN (13)
>> �  Tunnel-Medium-Type=802
>> �  Tunnel-Private-Group-ID=VLANID
>> 
>> NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which
>>        is why client entries use 6 for the Tunnel-Medium-Type value.
>
>  No.  For Tunnel-Medium-Type, "802" is a *name*, not a *number*.    See
>Section 3.2 of RFC 2868:
>
>...
>  Value
>      The Value field is three octets and contains one of the values
>      listed under "Address Family Numbers" in [14].  For the sake of
>      convenience, a relevant excerpt of this list is reproduced below.
>
>  1      IPv4 (IP version 4)
>  2      IPv6 (IP version 6)
>  3      NSAP
>  4      HDLC (8-bit multidrop)
>  5      BBN 1822
>  6      802 (includes all 802 media plus Ethernet "canonical format")
>...
>
>  FreeRADIUS gets it *right*.  Many NAS vendors get it *wrong*.
>
>> To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the
>> etc/raddb/users file, which contains the user account information, and add for the new user.
>> The following example shows the entry for a user in the users file. The username is
>> �johndoe,� the password is �test1234.� The user is assigned to VLAN 77.
>> 
>> johndoe Auth-Type: = EAP, User-Password == �test1234"
>>          Tunnel-Type = 13,
>>          Tunnel-Medium-Type = 6,
>
>  Or:  Tunnel-Medium-Type = IEEE-802
>....
>> 
>>
in both cases, it stays on "IDENTITY VALIDATION" in xp wireless
management and sometime i receive the right ip adresss in the right IP
Pool. ut lost it immediately, maybe cause of the repeating cycle of
athentication sequence.
>> AND, the client certificate, signed by the Server (not the CA root) is still with the same message.
>> 
>> 
>> hope it would be helpfull !!
>
>  Arg.  Microsoft keeps putting magic nonsense into their OS's to make
>it difficult to use non-Microsoft RADIUS servers.
>
>  And yes, this *is* a problem even inside of Microsoft!  So if you're
>finding it a PITA to get it working, rest assured that Microsoft does, too.
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>__________________________________________________
>Do You Yahoo!?
>En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicitĂŠs 
>http://mail.yahoo.fr Yahoo! Mail 
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


__________________________________________________
Do You Yahoo!?
En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités 
http://mail.yahoo.fr Yahoo! Mail 

-----La pièce jointe correspondante suit-----

######################################################################
#
#  Create a new self-signed CA certificate
#
######################################################################
cakey.key cacert.pem:
    openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config ./ca.cnf 

ca.der: ca.pem
    openssl x509 -inform PEM -outform DER -in cac.pem -out ca.der

######################################################################




# requete de cerificat server

openssl
req -newkey rsa:1024 -keyout
/etc/raddb/certs/CA/other_keys/servradiuskey.pem -out
/etc/raddb/certs/CA/req/servradius_cert.req  


# Signature du certificat server

openssl
ca -out /etc/raddb/certs/CA/certs/serverradiuscert.pem -extensions
xpserver_ext -extfile /etc/ssl/xpextensions -infiles
/etc/raddb/certs/CA/req/servradius_cert.req  

===================================================================================
======================================================================================================================================================================

# requete de cerificat client

openssl req -new -nodes -keyout /etc/raddb/certs/CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/req/joel_cert.req  


# Signature du certificat client

openssl
ca -out /etc/raddb/certs/CA/certs/joel_cert.pem -extensions
xpclient_ext -extfile /etc/ssl/xpextensions -infiles
/etc/raddb/certs/CA/req/joel_cert.req  

# conversion du certificat client au format pkcs12

openssl
pkcs12 -export -in CA/certs/joel_cert.pem -inkey
CA/other_keys/joelkey.pem -out
/etc/raddb/certs/CA/certs/joel_certs.p12  -clcerts

__________________________________________________
Do You Yahoo!?
En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités 
http://mail.yahoo.fr Yahoo! Mail 




More information about the Freeradius-Users mailing list